
SANS Stormcast Thursday Mar 6th: DShield ELK Analysis; Jailbreaking AMD CPUs; VIM Vulnerability; Snail Mail Ransomware
Hello and welcome to the Thursday, March 6, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Baltimore, Maryland. Guy has done an amazing job with our DShield honeypot, allowing you to run a Kibana interface, all data being stored in Elasticsearch, and with that making the data that your honeypot collects much more approachable. Now there is sadly always a lot of data. Well, sadly or not so sad, depending on how you look at it. But Guy today wrote a diary walking you a little bit through how to better get a handle on the data and find events of interest to better understand what attackers are up to with your honeypot and, well, learn from it. Interesting blog post. And yes, if you do want to run the DShield honeypot, please do so. We always like your data, and with the ELK interface, well, it also becomes much more interesting for you to actually look at the data. You may need a little bit more powerful system than just sort of your basic Raspberry Pi in order to run all of this.

The Google Bug Hunter team today released a lot of details, including working exploit code, for a vulnerability that AMD patched a month ago. This vulnerability allows you to essentially update the microcode in your CPU. The microcode is routinely updated and it's often delivered with operating system updates; Microsoft and Linux updates and such include new microcode for your CPU, but this update is supposed to be cryptographically signed. The problem with AMD's implementation of this update procedure was that the hash function that they used, well, wasn't really as secure as it should be for this application. The patch a month ago did update it with a new proprietary hash function that appears to at least solve this problem. And with that, now Google did release the details about this vulnerability, which would essentially allow you to jailbreak your CPU.
Remember, sort of the little demo that was released a month ago did essentially tell the CPU to always produce the same random number if you're using the CPU's random number generator. This is just sort of a little proof-of-concept demo, but with the additional code released today and such, well, it's really up to the attacker's creativity what they would like your CPU to do. So definitely make sure that you are patching this issue. It's not necessarily something that's easy to patch, but the new details released today may make it easier also to check if your CPU has been updated.

And then we have a critical security update for the popular Linux editor Vim. Or maybe not so popular if you never figured out how to exit Vim. This update fixes a recently added feature to Vim, sort of one of those things. Well, you always think of Vim as a relatively straightforward, simple editor, but it does have a ton of features. One of the features is to actually easily open and then edit files that are inside a TAR file. The problem here is that Vim, as it's opening these files from the TAR archive, is not properly verifying and validating the file names in the TAR archive, and that can then lead to code execution. So you still would need to trick a Linux user to open a file that you're providing them. But then again, they may consider Vim safe, which of course it is not; that's why we have this update to Vim. And the sort of appearance of Vim being, like, simple and safe may make it actually easier to trick an administrator to open a file in Vim than it is to open a file like in Word or Acrobat Reader.

And then GuidePoint Security ran into a really little bit weird and interesting twist on ransomware. Turns out there is a group that claims to be the BianLian ransomware group, or associated with it, that actually sends regular postal mail to company executives threatening them with leaking data that they stole if they are not paying up a ransom.
Apparently these letters are completely fake, so the attacker did not steal any data from you; they just hope to actually still get money. And I think one of the ideas here is that by directly addressing these letters to executives, who may not necessarily see a lot of the news about this ransomware group, they may bypass some of the more technical people in the company that would spot something like this as fake. At least, as I said, that's my take on it. No idea how successful this campaign is. And again, the letters are probably not related to the actual BianLian ransomware group. They're just some copycats that attempt sort of a new twist on this scare. In the past, sadly, these fake ransomware notes have been somewhat successful. I remember from a few years ago where 30% of the recipients of, like, emails and such claiming to come from ransomware groups have actually paid up. Well, that's it for today. Thanks for listening and, as usual, please subscribe. We are also available via Alexa and on various other podcast platforms and YouTube. Also, if you're enjoying the video version of this podcast, thanks, and talk to you again tomorrow. Bye.
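The check the host mentions for the AMD issue, whether your CPU is actually running updated microcode, is on Linux usually done by reading the `microcode` field that the kernel exposes in /proc/cpuinfo for every logical CPU. The following is an added example, not code from the podcast, from AMD or from Google's Bug Hunter team: it parses a constructed /proc/cpuinfo excerpt, reports the loaded revisions, flags CPUs below a caller-supplied minimum, and notes when sockets disagree with each other. The `PLACEHOLDER_MIN_REVISION` constant and the sample revision values are made-up placeholders, not AMD's real fixed revision numbers; the correct minimum for a given CPU family comes from the vendor's advisory.

```python
import json
import re
import sys

# Hypothetical minimum revision, for illustration only. The real value for a
# given CPU family comes from the vendor advisory, not from this example.
PLACEHOLDER_MIN_REVISION = 0x0A00104F

# Constructed /proc/cpuinfo excerpt with two logical CPUs; revisions are made up.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
model name\t: Example AMD Processor
microcode\t: 0xa00104f

processor\t: 1
vendor_id\t: AuthenticAMD
model name\t: Example AMD Processor
microcode\t: 0xa001048
"""

# "key : value" lines; keys may contain spaces ("model name", "cpu MHz").
_FIELD = re.compile(r"^([A-Za-z_ ]+?)\s*:\s*(.*)$")


def parse_cpuinfo(text: str) -> list[dict[str, str]]:
    """Split /proc/cpuinfo text into one dict per logical CPU.

    A new 'processor' key starts a new CPU record; blank lines are ignored so
    the parser does not depend on exact spacing between records.
    """
    cpus: list[dict[str, str]] = []
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "processor":
            cpus.append({})
        if cpus:
            cpus[-1][key] = value
    return cpus


def microcode_report(text: str, minimum: int) -> dict:
    """Summarise loaded microcode revisions and list CPUs below `minimum`.

    Caveat: /proc/cpuinfo shows the revision the kernel actually loaded. A
    microcode package that is installed on disk but not yet applied (for
    example, no reboot since the update) still reports the old revision here.
    """
    cpus = parse_cpuinfo(text)
    revisions: dict[int, list[str]] = {}
    below: list[str] = []
    for cpu in cpus:
        raw = cpu.get("microcode")
        if raw is None:  # non-x86 or very old kernels omit the field
            continue
        rev = int(raw, 16)
        proc = cpu.get("processor", "?")
        revisions.setdefault(rev, []).append(proc)
        if rev < minimum:
            below.append(proc)
    return {
        "vendors": sorted({c.get("vendor_id", "?") for c in cpus}),
        "revisions": {f"0x{r:x}": procs for r, procs in sorted(revisions.items())},
        "below_minimum": below,
        # Differing revisions across CPUs usually means one socket failed to load.
        "mixed": len(revisions) > 1,
    }


def read_live_cpuinfo(path: str = "/proc/cpuinfo") -> str:
    with open(path, encoding="utf-8") as f:
        return f.read()


if __name__ == "__main__":
    # "--live" reads the real /proc/cpuinfo; otherwise the constructed sample is used.
    text = read_live_cpuinfo() if "--live" in sys.argv[1:] else SAMPLE_CPUINFO
    print(json.dumps(microcode_report(text, PLACEHOLDER_MIN_REVISION), indent=2))
```

Run it without arguments to see the constructed sample flag CPU 1 as below the placeholder minimum and the system as "mixed"; with `--live` on an x86 Linux host it reports the revisions the kernel loaded at boot. Pair that output with the advisory's fixed revision for your CPU family, and remember that a revision that has not changed after an OS update may simply mean the new microcode has not been loaded yet.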
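The root cause the host describes for the Vim update, file names read from a TAR archive and used without validation, is a general one: any tool that turns archive member names into filesystem paths or shell commands has to vet those names first. The following is an added example, not Vim's code and not the tar.vim plugin it ships with: it builds a small constructed archive in memory and flags member names that should never be trusted, namely absolute paths, path-traversal components, shell metacharacters, and links whose target escapes the extraction directory. The archive contents and the member names are constructed for the demonstration.

```python
import io
import re
import tarfile

# Characters that let a file name break out of an unquoted shell command line.
_SHELL_META = re.compile(r"[;&|`$<>'\"\\()\n\r]")


def _escapes(path: str) -> bool:
    """True if a path is absolute or contains a '..' component."""
    return path.startswith("/") or ".." in path.split("/")


def unsafe_member_names(data: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for every member whose name must not be trusted.

    Only the archive index is read; nothing is extracted.
    """
    findings: list[tuple[str, str]] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            name = member.name
            if name.startswith("/"):
                findings.append((name, "absolute path"))
            if ".." in name.split("/"):
                findings.append((name, "path traversal"))
            if _SHELL_META.search(name):
                findings.append((name, "shell metacharacters"))
            # Symlinks and hard links carry a second, equally untrusted path.
            if (member.issym() or member.islnk()) and _escapes(member.linkname):
                findings.append((name, "link target escapes archive: " + member.linkname))
    return findings


def is_safe_archive(data: bytes) -> bool:
    """Convenience wrapper: True when no member name raised a finding."""
    return not unsafe_member_names(data)


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign file plus members whose names a
    naive tool would mishandle. Written with TarInfo directly so the names are
    stored exactly as given (TarFile.add() would normalise some of them)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("docs/readme.txt", "../outside.txt", "/etc/motd", "notes;ls.txt"):
            info = tarfile.TarInfo(name=name)
            payload = b"sample contents\n"
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo(name="escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../secret"
        tf.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for name, reason in unsafe_member_names(sample):
        print(f"{reason:<40} {name!r}")
    print("archive safe:", is_safe_archive(sample))
```

The benign `docs/readme.txt` produces no finding, while each of the other members is reported with the reason it fails. The design point is that the check runs over the archive index before any name is handed to the filesystem or a shell; quoting names at the point of use is still necessary, but rejecting untrusted names up front is what keeps a crafted archive from steering the tool.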
Host: Johannes B. Ullrich
Main Topics: DShield Honeypot ELK Analysis; AMD CPU Jailbreak Vulnerability; VIM TAR Exploit; Snail Mail Ransomware Scam
Today’s episode covers recent advances and trending incidents in cybersecurity, including powerful data analysis options for DShield honeypots, a newly detailed severe AMD CPU vulnerability, a patch for a critical VIM editor exploit, and a surprising analog twist on ransomware with fake snail mail extortion attempts.
- 00:08–01:15: DShield Honeypot ELK Analysis
- 01:16–03:09: AMD CPU Jailbreak Vulnerability
- 03:10–04:17: VIM TAR Exploit
- 04:18–05:18: Snail Mail Ransomware Scam
| Timestamp | Topic | Key Points |
|-----------|-------|------------|
| 00:08 | DShield Honeypot with ELK | New data analysis interface, tips on data management |
| 01:16 | AMD CPU Vulnerability | Microcode update exploit, urgent patching, public exploit code |
| 03:10 | VIM TAR Exploit | Vulnerability allows code exec via crafted archives, patch asap |
| 04:18 | Snail Mail Ransomware Scam | Ransomware imposters using physical letters, likely fake |
Stay safe, keep your systems updated, and be alert for cybersecurity threats both digital and analog!