
SANS Stormcast Thursday Feb 27th: High Exfil Ports; Malicious VS Code Theme; Developer Workstation Safety; NAKIVO PoC; OpenH264 and rsync vuln;
Hello and welcome to the Thursday, February 27, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. Well, today we have a guest diary by one of our undergraduate interns, Robin Sarrier. Robin is writing about the use of ephemeral ports in order to download malware. This is something that happens quite commonly, where the web server that the attacker is connecting to in order to download additional malware is not listening on port 80 or 443, not even port 8000, but instead on a very high port, like 60,000-something or such. This is certainly something to look for when you're looking for anomalies: looking for HTTP traffic, or HTTPS or TLS traffic for that matter, on these high ports. You have to be a little bit careful. I particularly lately have more and more seen it with web servers and such, where they sometimes listen on these high, odd ports in cloud environments. Also, I think in part because of the overloading of IP addresses, people sometimes use these sort of random high ports that are even sometimes negotiated dynamically, so where you first have some kind of handshake that then defines what high port is being used. This used to be more common, like for voice over IP and for online gaming, but I've sadly seen this more and more with sort of more mainstream applications as well, which of course makes the detection of this kind of attack activity more tricky. Still something to look for. And if you can, definitely block outbound connections on these high ports; again, just be careful that you're not disrupting any important traffic.

Well, and then we have actually two stories that are related to attacks against developers. One of my favorite topics, I definitely have to cover it here. The first one is a malicious theme for Visual Studio Code. What makes this theme particularly problematic is that it appears at least 4 million users have downloaded it. And the respective author of this theme, and a couple of others, is one of the most prolific authors on the Visual Code store. Now this comes from Amit Azaraf. Amit did not disclose yet what exactly the indicators are that made them believe that this particular theme is malicious. The theme was called the Material Theme. And one little problem here is that when you're applying a theme like this, you're thinking you're changing the look and feel of the software, in this case Visual Studio Code, somewhat. But even a theme that pretty much just changes colors and such often has the ability to also execute code, and with that, of course, also execute malicious code. It'll be interesting to see once Amit is coming up with more details here. At this point Amit is asking anybody who has this theme installed to contact them for more indicators of compromise. Now there are a couple listed here, essentially the names of the theme files that you would have downloaded. The supposedly malicious theme is no longer available in the Visual Studio Code store.

And the second developer story we have comes from the Bybit, I hope I pronounce this correctly, breach. You probably have heard of this, where Bybit lost something like $1.3 to $1.4 billion in Ethereum to a likely North Korean threat actor. Well, the problem here apparently appears to be a compromised workstation of SafeWallet developers. SafeWallet is a company that provides web applications to basically facilitate the signing of these Ethereum contracts. And JavaScript was replaced in their application that specifically targeted Bybit. So the next time Bybit went to the site and signed a digital contract, this malware intercepted this and then altered the contract. I just went to the Safe Wallet site, just because I wasn't really familiar with the site; I'm not big into cryptocurrencies. And I noted they now have a pop-up before you go to the site that specifically asks you to verify the contract before you sign it. So I guess that's how they are trying to counter this a little bit. I think just yesterday I talked about how important it is to keep your development and production infrastructures separate, so that a compromise of an individual developer's machine cannot compromise your entire architecture or infrastructure. We've had this happen a couple of times in the past, where compromised developer machines sort of basically took down the entire organization. So please try to avoid this. Have some kind of privileged access workstation, or whatever you want to call it, that is specifically designed to just be used to, for example, manage things like updates, cryptographic keys and such on production environments.

And then two other vulnerabilities I think you should be aware of. First of all, two vulnerabilities in rsync that could allow someone to take over a server running rsync. Definitely something to be aware of; usually it's not really exposed like this to the network. And then secondly, a vulnerability in the OpenH264 codec. If you're watching the video here, you're probably using the H.264 codec. It's one of the big codecs being used to encode video. So that is probably affecting a bunch of different software and, yes, could lead to remote code execution.

Well, and that's it for today. So thanks for listening, and thanks to everybody who is recommending this podcast. Just saw a nice post today on LinkedIn, I think. So thanks a lot for that. And of course it's always good to click the like or five star or whatever your particular podcast app offers, or leave a nice little review. Thanks, and talk to you again tomorrow. Bye.
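The high-port detection idea from the first segment, as an added example that is not part of the podcast or the ISC diary: it reads Zeek conn.log records in JSON form and flags outbound HTTP or TLS sessions whose destination port sits in the ephemeral range, with an allowlist for the legitimate odd-port services the host warns about. The 32768 threshold, the allowlist entry, the RFC 1918 definition of "internal", and the sample log lines are all assumptions constructed for the example; adjust the threshold to whatever range your own systems actually use.

```python
"""Flag HTTP/TLS sessions to high ("ephemeral") destination ports in Zeek conn.log JSON.

Added example; not code from the ISC diary or the podcast. Assumes Zeek's JSON
conn.log field names, a 32768+ "high port" threshold (Linux's default ephemeral
range starts there; IANA's starts at 49152) and a hand-kept allowlist of known
legitimate high-port services. All sample data below is constructed.
"""
import ipaddress
import json
from typing import Dict, Iterable, List

HIGH_PORT_THRESHOLD = 32768             # assumption: tune to your environment
WEB_SERVICES = {"http", "ssl", "tls"}   # Zeek service labels for plain HTTP and TLS
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed allowlist: services you have verified really live on odd high ports,
# e.g. a vendor API behind a cloud load balancer. Keep this list small and reviewed.
ALLOWLIST = {("203.0.113.10", 55000)}

# Constructed Zeek conn.log lines (JSON output); not real traffic.
SAMPLE_CONN_LOG = """\
{"ts":1740650000.1,"id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"198.51.100.7","id.resp_p":443,"proto":"tcp","service":"ssl","orig_bytes":1200,"resp_bytes":54000}
{"ts":1740650010.4,"id.orig_h":"10.0.0.5","id.orig_p":51240,"id.resp_h":"198.51.100.9","id.resp_p":60123,"proto":"tcp","service":"http","orig_bytes":310,"resp_bytes":812000}
{"ts":1740650020.9,"id.orig_h":"10.0.0.8","id.orig_p":51300,"id.resp_h":"203.0.113.10","id.resp_p":55000,"proto":"tcp","service":"ssl","orig_bytes":900,"resp_bytes":4000}
{"ts":1740650030.2,"id.orig_h":"10.0.0.9","id.orig_p":40000,"id.resp_h":"192.0.2.44","id.resp_p":49999,"proto":"tcp","service":"ssl","orig_bytes":700,"resp_bytes":250000}
{"ts":1740650040.0,"id.orig_h":"10.0.0.9","id.orig_p":40010,"id.resp_h":"10.0.0.20","id.resp_p":59000,"proto":"tcp","service":"http","orig_bytes":100,"resp_bytes":300}
{"ts":1740650050.0,"id.orig_h":"10.0.0.9","id.orig_p":40020,"id.resp_h":"192.0.2.45","id.resp_p":50000,"proto":"udp","service":"-","orig_bytes":100,"resp_bytes":300}
"""


def is_internal(addr: str) -> bool:
    """RFC 1918 membership; deliberately not ipaddress.is_private, which also
    treats the TEST-NET documentation ranges used in the sample as private."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_outbound(orig: str, resp: str) -> bool:
    """True when an internal source talks to a destination outside RFC 1918 space."""
    return is_internal(orig) and not is_internal(resp)


def find_high_port_web(lines: Iterable[str], threshold: int = HIGH_PORT_THRESHOLD,
                       allowlist=ALLOWLIST) -> List[Dict]:
    """Return one finding per outbound HTTP/TLS session to a non-allowlisted high port."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        if rec.get("proto") != "tcp" or rec.get("service") not in WEB_SERVICES:
            continue
        resp_h, resp_p = rec["id.resp_h"], int(rec["id.resp_p"])
        if resp_p < threshold or not is_outbound(rec["id.orig_h"], resp_h):
            continue
        if (resp_h, resp_p) in allowlist:
            continue
        resp_bytes = int(rec.get("resp_bytes", 0))
        findings.append({
            "src": rec["id.orig_h"],
            "dst": f"{resp_h}:{resp_p}",
            "service": rec["service"],
            "resp_bytes": resp_bytes,
            # a large server-to-client payload on an odd port looks like a download stage
            "note": "download-sized" if resp_bytes > 100_000 else "small",
        })
    return findings


if __name__ == "__main__":
    for finding in find_high_port_web(SAMPLE_CONN_LOG.splitlines()):
        print(finding)
```

Run against a real conn.log with `jq -c .` output or Zeek's native JSON logging; the `note` field is only a triage hint, so review the allowlist hits and the "small" findings too before turning this into an outbound block rule.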
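The theme point from the second segment, as an added example that is not code from the podcast, from the researcher, or from VS Code: a colour theme only needs to contribute `themes` (icon themes use `iconThemes` or `productIconThemes`) in its `package.json`, while any extension that declares a `main` or `browser` entry point gets JavaScript loaded into the extension host. The script below audits the manifests under `~/.vscode/extensions` and singles out extensions that present as themes but also register an entry point. The field names are documented VS Code manifest fields; the sample manifests are constructed, and the verdict is a triage signal, not proof that a given theme is malicious.

```python
"""Audit VS Code extension manifests: flag "themes" that also ship an entry point.

Added example; not code from the podcast, the researcher, or VS Code. It relies
only on documented package.json fields: a theme contributes "themes"/"iconThemes"/
"productIconThemes" (or is categorised "Themes") and needs no entry point, whereas
"main"/"browser" means JavaScript runs in the extension host. Samples are constructed.
"""
import json
import os
from typing import Dict, List

THEME_CONTRIBUTIONS = {"themes", "iconThemes", "productIconThemes"}
ENTRY_POINT_KEYS = ("main", "browser")


def audit_manifest(manifest: Dict) -> Dict:
    """Classify one package.json; 'theme-with-code' is the case worth a closer look."""
    contributes = manifest.get("contributes") or {}
    categories = manifest.get("categories") or []
    looks_like_theme = bool(THEME_CONTRIBUTIONS & set(contributes)) or "Themes" in categories
    entry_points = [k for k in ENTRY_POINT_KEYS if manifest.get(k)]
    activation = manifest.get("activationEvents") or []
    if looks_like_theme and entry_points:
        verdict = "theme-with-code"
    elif entry_points:
        verdict = "code"
    elif looks_like_theme:
        verdict = "theme"
    else:
        verdict = "other"
    return {
        "id": f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}@{manifest.get('version', '?')}",
        "verdict": verdict,
        "entry_points": entry_points,
        # "*" and "onStartupFinished" mean the entry point runs as soon as VS Code starts
        "activates_on_startup": any(ev in ("*", "onStartupFinished") for ev in activation),
        "activation_events": list(activation),
    }


def scan_extensions(root: str) -> List[Dict]:
    """Audit every <root>/<extension>/package.json; a missing root yields no results."""
    results: List[Dict] = []
    if not os.path.isdir(root):
        return results
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name, "package.json")
        if not os.path.isfile(path):
            continue
        try:
            with open(path, encoding="utf-8") as fh:
                results.append(audit_manifest(json.load(fh)))
        except (OSError, ValueError) as exc:  # unreadable or malformed manifest
            results.append({"id": name, "verdict": "unparseable", "error": str(exc)})
    return results


# Constructed manifests (hypothetical publisher/extension names), one per verdict.
SAMPLE_MANIFESTS = {
    "pure-theme": {
        "name": "sample-dark", "publisher": "example", "version": "1.0.0",
        "categories": ["Themes"],
        "contributes": {"themes": [{"label": "Sample Dark", "uiTheme": "vs-dark", "path": "./themes/dark.json"}]},
    },
    "theme-with-entry-point": {
        "name": "sample-pretty", "publisher": "example", "version": "2.3.1",
        "main": "./dist/extension.js",
        "activationEvents": ["*"],
        "contributes": {"themes": [{"label": "Sample Pretty", "uiTheme": "vs-dark", "path": "./themes/pretty.json"}]},
    },
    "ordinary-extension": {
        "name": "sample-linter", "publisher": "example", "version": "0.1.0",
        "main": "./out/extension.js",
        "activationEvents": ["onLanguage:python"],
        "contributes": {"commands": [{"command": "sampleLinter.run", "title": "Run Sample Linter"}]},
    },
}

if __name__ == "__main__":
    for report in [audit_manifest(m) for m in SAMPLE_MANIFESTS.values()]:
        print(report)
    default_root = os.path.join(os.path.expanduser("~"), ".vscode", "extensions")
    for report in scan_extensions(default_root):
        if report["verdict"] in ("theme-with-code", "unparseable"):
            print(report)
```

A `theme-with-code` hit with `activates_on_startup` set is the combination to triage first: open the file named in `main`, and compare it with the publisher's source repository if one exists. Some legitimate themes do bundle a small amount of code (for example, to register a settings command), so treat the verdict as a reason to look, not a conviction.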
Host: Johannes B. Ullrich
Episode Focus: High exfiltration ports in malware, malicious Visual Studio Code theme, developer workstation safety, major cryptocurrency breach, and vulnerabilities in NAKIVO, OpenH264, and rsync.
In this episode, Johannes B. Ullrich delivers a succinct briefing on current issues in cybersecurity, highlighting trends in port usage by attackers, serious threats aimed at software developers, and newly discovered software vulnerabilities. The episode combines insights from guest contributors and recent high-profile incidents, with practical advice for defenders.
[00:18–02:15]
"Still something to look for. And if you can, definitely block outbound connections on these high ports, again, just be careful that you're not disrupting any important traffic."
[02:15–03:34]
"Even a theme that pretty much just changes colors and such often has the ability to also execute code, and with that, of course, also execute malicious code."
[03:35–05:05]
"A compromise of an individual developer's machine can... compromise your entire architecture."
[05:05–05:45]
"If you're watching video here, you're probably using the H264 codec... could lead to remote code execution."
Detection tip for defenders [01:12]:
"...these random high ports that are even sometimes negotiated dynamically... sadly seen this more and more with mainstream applications as well..." — Johannes
Theme extension risk awareness [02:56]:
"...Even a theme that pretty much just changes colors and such often has the ability to also execute code..."
| Timestamp | Segment |
|-----------|---------|
| 00:18–02:15 | High port malware exfiltration |
| 02:15–03:34 | Malicious VS Code theme and user warning |
| 03:35–05:05 | Bybit cryptocurrency theft and developer risk |
| 05:05–05:45 | rsync and OpenH264 vulnerabilities |
Johannes maintains a friendly, direct, and educational tone, frequently cautioning listeners with actionable advice and drawing clear connections between news events and practical security defense measures.
For further information or to share questions, listeners are encouraged to contact the podcast at https://isc.sans.edu/contact.html.