SANS Stormcast – February 27, 2025
Host: Johannes B. Ullrich
Episode Focus: High exfiltration ports in malware, malicious Visual Studio Code theme, developer workstation safety, major cryptocurrency breach, and vulnerabilities in NAKIVO, OpenH264, and rsync.
Episode Overview
In this episode, Johannes B. Ullrich delivers a succinct briefing on current issues in cybersecurity, highlighting trends in port usage by attackers, serious threats aimed at software developers, and newly discovered software vulnerabilities. The episode combines insights from guest contributors and recent high-profile incidents, with practical advice for defenders.
Key Discussion Points & Insights
1. Malware Leveraging High Ephemeral Ports for Exfiltration
[00:18–02:15]
- Guest Diary by Robin Sarrier: Focused on the increasing use of nonstandard, high-numbered (ephemeral) ports (e.g., 60,000+) for downloading and exfiltrating malware, making detection harder.
- Johannes explains how:
- Attackers avoid traditional ports like 80, 443, or 8000.
- Cloud environments and IP overloading lead to more legitimate applications also using high/odd ports.
- Dynamic port negotiation, once more common in VoIP/gaming, now appears in mainstream applications, further complicating detection.
- Advice:
- Watch for HTTP/TLS traffic on atypical ports.
- Block outbound connections on high ports—but "be careful that you're not disrupting any important traffic."
- Quote [01:55] – Johannes:
"Still something to look for. And if you can, definitely block outbound connections on these high ports, again, just be careful that you're not disrupting any important traffic."
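The detection tip above, as an added example that is not part of the episode or of the guest diary: a small Python checker that flags outbound flows whose first payload bytes look like HTTP or a TLS handshake but whose destination port is in the high ephemeral range, while skipping an allowlist of known dynamic-port destinations so legitimate traffic is not disrupted. The threshold, the allowlist entry, and all addresses, ports and payloads are constructed assumptions for illustration.

```python
# Added example (not from the Stormcast episode): flag outbound HTTP/TLS flows
# to atypical, high-numbered destination ports, with an allowlist so known
# dynamic-port applications (VoIP, gaming) are not disrupted.
# All addresses, ports and payloads below are constructed sample data.
from dataclasses import dataclass
from typing import List, Optional, Tuple

STANDARD_WEB_PORTS = {80, 443, 8000, 8080, 8443}
HIGH_PORT_THRESHOLD = 49152  # assumption: IANA dynamic/ephemeral range starts here
# Hypothetical allowlist of (destination, port) pairs that legitimately use high ports
ALLOWLIST = {("10.0.0.5", 60000)}

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes  # first bytes sent by the client


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: content type 0x16 (handshake) and major version 0x03."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04


def looks_like_http(payload: bytes) -> bool:
    """A plain HTTP request line starts with a method followed by a space."""
    return payload.startswith(HTTP_METHODS)


def classify(payload: bytes) -> Optional[str]:
    """Return 'tls', 'http', or None for the given leading payload bytes."""
    if looks_like_tls(payload):
        return "tls"
    if looks_like_http(payload):
        return "http"
    return None


def is_atypical_port(port: int) -> bool:
    """High ephemeral ports that are not one of the usual web ports."""
    return port not in STANDARD_WEB_PORTS and port >= HIGH_PORT_THRESHOLD


def flag_flows(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return (flow, protocol) pairs for HTTP/TLS seen on high, non-allowlisted ports."""
    flagged = []
    for flow in flows:
        if not is_atypical_port(flow.dst_port):
            continue
        if (flow.dst, flow.dst_port) in ALLOWLIST:
            continue  # known dynamic-port application; do not alert
        proto = classify(flow.payload)
        if proto:
            flagged.append((flow, proto))
    return flagged


# Constructed sample flows using documentation address ranges
SAMPLE_FLOWS = [
    Flow("10.1.1.20", "203.0.113.9", 443, b"\x16\x03\x01\x00\xa5\x01\x00"),            # normal TLS
    Flow("10.1.1.21", "198.51.100.7", 60123, b"\x16\x03\x03\x00\x9c\x01\x00"),         # TLS on high port
    Flow("10.1.1.22", "198.51.100.8", 61000, b"POST /upload HTTP/1.1\r\nHost: x\r\n"),  # HTTP on high port
    Flow("10.1.1.23", "10.0.0.5", 60000, b"\x16\x03\x01\x00\x40\x01\x00"),             # allowlisted destination
    Flow("10.1.1.24", "198.51.100.9", 62000, b"\x80\x60\x00\x01\x00\x00"),             # RTP-like, not web
]

if __name__ == "__main__":
    for flow, proto in flag_flows(SAMPLE_FLOWS):
        print(f"ALERT {proto.upper()} on port {flow.dst_port}: {flow.src} -> {flow.dst}")
```

Run on the constructed flows it raises exactly two alerts (the TLS flow to port 60123 and the HTTP flow to port 61000); the allowlisted destination and the non-web binary stream stay quiet, which is the balance the episode recommends between watching high ports and not breaking important traffic.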
2. Attacks Targeting Developers
a) Malicious Visual Studio Code Theme
[02:15–03:34]
- Overview:
- Malicious Material Theme, with over 4 million installs, found in the VS Code Extension marketplace.
- The author publishes many extensions, so the potential exposure is broad.
- Discovery credited to Amit Azaraf, who is presently collecting compromise indicators.
- Mechanism:
- VS Code themes, despite appearing cosmetic, can execute code, opening a path to deeper compromise.
- Action:
- Theme has been removed from the store.
- Users with the theme are urged to contact Amit Azaraf or check for listed filenames.
- Quote [02:56] – Johannes:
"Even a theme that pretty much just changes colors and such often has the ability to also execute code, and with that, of course, also execute malicious code."
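To make the point concrete, the following is an added example and not code from the episode or from any VS Code extension: a Python audit of an extension manifest (package.json) that checks whether something presented as a color theme also declares an executable entry point. A pure theme only needs a "contributes.themes" entry; a "main" or "browser" entry point, "activationEvents", or extra contribution points such as commands mean the extension can run JavaScript inside the editor. The two manifests are constructed samples with placeholder names.

```python
# Added example (not from the Stormcast episode): audit a VS Code extension
# manifest (package.json) for a "theme" that also registers executable code.
# "main", "browser", "activationEvents", "contributes" and "categories" are
# real manifest fields; the two manifests below are constructed samples.
import json
from typing import Dict, List

# Manifest keys that give an extension an executable entry point
CODE_ENTRY_KEYS = ("main", "browser")
# Contribution points that a purely cosmetic theme legitimately uses
COSMETIC_CONTRIBUTIONS = {"themes", "iconThemes", "productIconThemes"}


def audit_theme_manifest(manifest_text: str) -> List[str]:
    """Return human-readable findings for a manifest that claims to be a theme."""
    m: Dict = json.loads(manifest_text)
    findings = []
    categories = [c.lower() for c in m.get("categories", [])]
    claims_theme = "themes" in categories or "themes" in m.get("contributes", {})
    if not claims_theme:
        findings.append("manifest does not present itself as a theme; audit as a regular extension")
    for key in CODE_ENTRY_KEYS:
        if key in m:
            findings.append(f"executable entry point '{key}': {m[key]}")
    if m.get("activationEvents"):
        findings.append(f"activationEvents present: {m['activationEvents']}")
    extra = set(m.get("contributes", {})) - COSMETIC_CONTRIBUTIONS
    if extra:
        findings.append(f"non-cosmetic contribution points: {sorted(extra)}")
    if m.get("extensionDependencies"):
        findings.append(f"pulls in other extensions: {m['extensionDependencies']}")
    return findings


# Constructed sample: what a benign color theme manifest looks like
BENIGN_THEME = json.dumps({
    "name": "example-clean-theme",
    "publisher": "example-publisher",
    "categories": ["Themes"],
    "contributes": {"themes": [{"label": "Clean Dark", "uiTheme": "vs-dark", "path": "./themes/dark.json"}]},
})

# Constructed sample: a "theme" that also ships code activated at startup
SUSPICIOUS_THEME = json.dumps({
    "name": "example-suspicious-theme",
    "publisher": "example-publisher",
    "categories": ["Themes"],
    "main": "./out/extension.js",
    "activationEvents": ["*"],
    "contributes": {
        "themes": [{"label": "Shiny Dark", "uiTheme": "vs-dark", "path": "./themes/dark.json"}],
        "commands": [{"command": "shiny.sync", "title": "Sync settings"}],
    },
})

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_THEME), ("suspicious", SUSPICIOUS_THEME)):
        print(label, audit_theme_manifest(text) or ["no code execution indicators"])
```

The benign manifest produces no findings; the suspicious one reports the entry point, the wildcard activation event and the extra command contribution. Running such a check over the extensions installed on developer workstations is one way to turn the "themes can execute code" warning into something reviewable.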
b) Developer Workstation Compromise and Bybit Crypto-Theft
[03:35–05:05]
- Incident:
- The Bybit breach resulted in $1.3–$1.4 billion in Ethereum lost, likely to North Korean threat actors.
- The compromise originated from a SafeWallet developer's workstation.
- Malicious JavaScript was injected into SafeWallet's web application, specifically targeting Bybit, and altered Ethereum contract signing in real time.
- Aftermath:
- SafeWallet now prompts users to verify contracts before signing.
- Key Security Lesson:
- Reiterates the importance of separating development and production infrastructure, isolating privileged access.
- Quote [04:17] – Johannes:
"A compromise of an individual developer's machine can... compromise your entire architecture."
3. Critical Vulnerabilities in rsync and OpenH264
[05:05–05:45]
- rsync Vulnerability:
- Two flaws could allow an attacker to take over a server with rsync exposed to the network.
- Most rsync instances are not internet-exposed, but those that are remain a risk worth monitoring.
- OpenH264 Vulnerability:
- Widely used video codec affected by a flaw that could allow remote code execution.
- Likely impacts multiple software products.
- Quote [05:36] – Johannes:
"If you're watching video here, you're probably using the H264 codec... could lead to remote code execution."
Memorable Moments & Quotes
- Detection tip for defenders [01:12]:
"...these random high ports that are even sometimes negotiated dynamically... sadly seen this more and more with mainstream applications as well..." — Johannes
- Theme extension risk awareness [02:56]:
"...Even a theme that pretty much just changes colors and such often has the ability to also execute code..."
Notable Timestamps
| Timestamp | Segment |
|-----------|---------|
| 00:18–02:15 | High port malware exfiltration |
| 02:15–03:34 | Malicious VS Code theme and user warning |
| 03:35–05:05 | Bybit cryptocurrency theft and developer risk |
| 05:05–05:45 | rsync and OpenH264 vulnerabilities |
Podcast Tone
Johannes maintains a friendly, direct, and educational tone, frequently cautioning listeners with actionable advice and drawing clear connections between news events and practical security defense measures.
Takeaways & Action Items
- Scrutinize and monitor for high-port traffic, but ensure legitimate traffic isn’t affected.
- Treat all code—even themes and plugins—as potentially dangerous if sourced from large marketplaces.
- Enforce strict separation between developer workstations and production infrastructure.
- Quickly review patching strategy for rsync and OpenH264.
For further information or to share questions, listeners are encouraged to contact the podcast at https://isc.sans.edu/contact.html.
