SANS Stormcast Podcast Summary – December 9th, 2025
Host: Johannes B. Ullrich
Main Theme:
A concise review of important security events, focusing on nanoKVM device vulnerabilities, a novel Ghostframe phishing campaign, and a WatchGuard security advisory.
nanoKVM Vulnerabilities
Overview:
nanoKVM, an inexpensive remote KVM (Keyboard, Video, Mouse) switch, is highlighted as a device with significant and ongoing security problems.
Key Points:
- Device Purpose: nanoKVM provides remote access to a system’s keyboard, video, and mouse over IP, and stays reachable through power outages of the managed system ([00:33]).
- Security Concerns:
  - “This device does not scream secure, it screams cheap.” – Johannes B. Ullrich ([00:18])
  - Critical security weaknesses identified:
    - Poor password hashing and encryption.
    - SSH server enabled by default, with a default password.
  - The vendor is slow to address vulnerabilities: “Researchers had had a hard time to convince the maker to fix some of these vulnerabilities.” ([01:14])
- Firmware Update Flaw:
  - Firmware updates, especially for the proprietary binary blob, are not performed securely.
  - A malicious (“evil”) update could therefore be installed ([01:27]).
- Unexpected Microphone:
  - The device motherboard carries a small surface-mounted microphone, raising privacy concerns ([01:43]).
  - Possible benign reason: the board is repurposed from a single-board computer variant on which a microphone is an advertised feature.
  - “There may actually be a benign explanation for the microphone.” ([01:46])
  - Physically removing the microphone is possible but tricky because of its size.
- Open-Source Solutions:
  - Efforts are under way to develop alternative, Linux-based open-source firmware for security-conscious users.
  - Johannes has not tested these alternatives for reliability ([02:26]).
- Best Practice:
  - “Remember, never ever expose these devices to the Internet.” ([02:36])
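As an added illustration, not code from the episode or from the nanoKVM project and not a description of how the device actually stores credentials, the Python below contrasts the weak pattern named above (a fast, unsalted hash of the password) with a hardened credential store built on the standard library's scrypt, a random per-user salt, a constant-time comparison, and a refusal to accept well-known default passwords. The KNOWN_DEFAULTS set, the scrypt parameters and every credential in it are constructed for this example.

```python
import hashlib
import hmac
import os

# Weak pattern: a fast, unsalted digest. Equal passwords give equal hashes,
# and the whole thing falls to a precomputed table.
def weak_hash_password(password):
    return hashlib.md5(password.encode()).hexdigest()


def weak_verify(password, stored):
    # Plain string comparison leaks timing as well.
    return weak_hash_password(password) == stored


def crack_weak_hash(stored, wordlist):
    """One MD5 per candidate is all it takes against an unsalted fast hash."""
    for word in wordlist:
        if weak_hash_password(word) == stored:
            return word
    return None


# Hardened pattern: memory-hard scrypt, per-user salt, constant-time compare.
# Parameters below are assumed values for the example (about 16 MiB per hash).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)

# Assumed list of defaults a device should refuse at set-password time;
# not a value reported for nanoKVM on the page.
KNOWN_DEFAULTS = {"admin", "password", "root", "12345678"}


def strong_hash_password(password, salt=None):
    """Return 'salthex$digesthex'; a fresh 16-byte salt is drawn unless supplied."""
    if password in KNOWN_DEFAULTS:
        raise ValueError("refusing to store a well-known default password")
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt.hex() + "$" + digest.hex()


def strong_verify(password, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    salt = bytes.fromhex(salt_hex)
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    # compare_digest runs in time independent of where the bytes differ.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    leaked = weak_hash_password("admin")
    print("weak hash recovered as:", crack_weak_hash(leaked, KNOWN_DEFAULTS))
    record = strong_hash_password("correct horse battery")
    print("strong verify ok:", strong_verify("correct horse battery", record))
    print("strong verify wrong:", strong_verify("admin", record))
```

Two users with the same password get different strong hashes because the salt differs; with the weak scheme they get the same hash, which is exactly what makes a single leaked table reusable across devices.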
Ghostframe Phishing Campaign
Overview:
Barracuda reports a new phishing kit dubbed “Ghostframe” that evades traditional detection through deceptive use of iframes.
Key Points:
- Detection Evasion:
  - The email and the outer web page contain only benign HTML, which passes automated scanning.
  - The actual malicious login content is loaded inside an iframe ([02:48]).
- Personalization and Automation:
  - Iframe sources point at unique subdomains whose long, random-looking prefixes encode the recipient.
  - “...they can load the right login page for the right victim in a scalable automated manner.” ([03:22])
  - Comparable to phishing pages that display the target company's logo dynamically, but here the per-victim customization is carried in the hostname rather than only in URL parameters.
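The detection heuristic this points at, as an added example that is not part of the episode or of Barracuda's research: parse an HTML email body, collect the src of every iframe, and flag hosts whose leftmost DNS label is long and high-entropy, the shape of a per-recipient token. Both sample bodies, the hostnames in them and the thresholds (min_len, min_entropy) are constructed assumptions for this example, not campaign artifacts.

```python
import math
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample bodies; the hostnames are invented for the example.
BENIGN_HTML = """<html><body>
<p>Your invoice is attached.</p>
<iframe src="https://www.example.com/embed/video/123"></iframe>
</body></html>"""

SUSPECT_HTML = """<html><body>
<p>Please review the shared document below.</p>
<iframe src="https://x7qk2m9v0ptaw3zlfye5bhc8dgrn1ujs6.login-portal.example.net/auth"
        width="100%" height="600"></iframe>
</body></html>"""


class IframeSrcCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def extract_iframe_sources(html):
    parser = IframeSrcCollector()
    parser.feed(html)
    return parser.sources


def shannon_entropy(s):
    """Bits per character; a random base-36 label sits well above 3.5."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_subdomain(hostname, min_len=20, min_entropy=3.5):
    """True when the leftmost label looks like a random per-recipient token."""
    labels = hostname.lower().split(".")
    if len(labels) < 3:  # needs at least one label under a registered name
        return False
    first = labels[0]
    return len(first) >= min_len and shannon_entropy(first) >= min_entropy


def flag_ghostframe_style(html):
    """Return the iframe sources whose host carries a random-looking leading label."""
    hits = []
    for src in extract_iframe_sources(html):
        host = urlparse(src).hostname or ""
        if suspicious_subdomain(host):
            hits.append(src)
    return hits


if __name__ == "__main__":
    print("benign :", flag_ghostframe_style(BENIGN_HTML))
    print("suspect:", flag_ghostframe_style(SUSPECT_HTML))
```

The heuristic deliberately ignores the visible HTML, which is the part built to look clean, and keys on the one thing the kit must vary per victim. Long but repetitive labels (a CDN's "static-assets-..." prefix, say) are kept below the entropy threshold so they are not flagged on length alone.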
WatchGuard Firebox Vulnerabilities
Overview:
WatchGuard issues a security update for its Firebox appliance, addressing a spectrum of vulnerabilities.
Key Points:
- Vulnerability Breakdown:
  - 10 vulnerabilities patched in total; 5 rated high, none critical ([04:03]).
  - Noteworthy issue: memory corruption in the IKE daemon. IKE daemons have historically been a source of vulnerabilities in IPsec implementations.
  - In this instance the bug yields only a denial of service (DoS), and only in fairly specific configurations ([04:16]).
  - “...only a denial of service and only in fairly specific configurations. So nothing I would be too worried about.” – Johannes B. Ullrich ([04:29])
- Potentially Underestimated Risk:
  - An XPath vulnerability allows unauthenticated attackers to leak internal configuration.
  - “That does not require authentication in order to exploit it.” ([04:38])
  - “...could lead to internal configuration leaks...” ([04:38])
  - Flagged as noteworthy because a more creative attacker may be able to take an unauthenticated configuration leak further than the rating suggests.
- Recommendation:
  - Nothing critical, but apply the update by the end of next week.
Notable Quotes
- On nanoKVM:
  - “This device does not scream secure, it screams cheap.” ([00:18])
  - “Researchers had had a hard time to convince the maker to fix some of these vulnerabilities.” ([01:14])
  - “Remember, never ever expose these devices to the Internet.” ([02:36])
- On Ghostframe:
  - “So that way it's not being detected as easily by any defensive mechanisms.” ([02:58])
  - “...they can load the right login page for the right victim in a scalable automated manner.” ([03:22])
- On WatchGuard's XPath vulnerability:
  - “It could lead to internal configuration leaks and that does not require authentication in order to exploit it.” ([04:38])
  - “So apply the update. Again, nothing critical here, but something probably you want to get patched by the end of next week.” ([04:52])
Timestamps for Important Segments
| Time  | Topic                                            |
|-------|--------------------------------------------------|
| 00:04 | Introduction                                     |
| 00:18 | nanoKVM security concerns                        |
| 01:27 | Firmware update insecurities                     |
| 01:43 | Microphone discovery                             |
| 02:26 | Open-source firmware effort                      |
| 02:36 | Best practice: do not expose nanoKVM to Internet |
| 02:48 | Ghostframe phishing attack                       |
| 03:22 | Automated phishing targeting                     |
| 04:03 | WatchGuard update overview                       |
| 04:16 | IKE daemon vulnerability                         |
| 04:38 | XPath vulnerability details                      |
| 04:52 | Patch recommendation                             |
Overall Tone & Takeaway
- Tone: Practical, slightly wry, with clear security skepticism and actionable insights.
- Core Message:
  - Cheap remote management hardware poses serious risks and should never be Internet-exposed; pursue open-source alternatives with care.
  - Phishing operations are getting stealthier and harder to detect.
  - Keep up with security advisories and patch, especially when unauthenticated vulnerabilities might expose sensitive information.
“So apply the update. Again, nothing critical here, but something probably you want to get patched by the end of next week.” – Johannes B. Ullrich ([04:52])
