
SANS Stormcast Tuesday, December 9th, 2025: nanoKVM Vulnerabilities; Ghostframe Phishing; WatchGuard Advisory
A
Hello and welcome to the Tuesday, December 9, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida, and this episode is brought to you by the SANS.edu grad certificate program in Purple Team Operations.
I would imagine that many of you listening have seen a device being advertised, the nanoKVM. KVM stands for Keyboard, Video and Mouse Switcher, which is a little IP accessible device that gives you remote access to the keyboard, video and mouse of a particular device that you connect it to. Now this device does not scream secure, it screams cheap. And it's advertised as the cheapest possible device to accomplish this IP access to your keyboard and video screen. So a little cheap way to get basically remote access to a system even if like power fails and the like. Which is definitely something nice to have. And I have actually one here at home and I've been playing with it and definitely it works. But of course the security aspect here comes in, in particular since the device has had a number of glaring security faults like bad hashing and encryption of passwords. Things like an SSH server is enabled by default with a default password. And researchers had had a hard time to convince the maker to fix some of these vulnerabilities. The latest issue is that the entire firmware update process is insecure, in particular the update of a binary blob that's sort of the proprietary part of these devices. So that of course opens up the possibility of evil updates being slipped in here.
The other thing that came out this week was that the motherboard of the device includes a microphone with no obvious reason for that microphone to be here. Now of course there were a lot of suggestions about spying and such. There may actually be a benign explanation for the microphone. This company also makes a little system on a chip, sort of a single board computer that's based on the exact same motherboard as this KVM. The KVM was really just sort of an application of this single board computer. And yes, that single board computer does have a microphone. The microphone is advertised in the product description, so it's not something that's hidden, even though of course it's a little bit hard to find based on it being a really, really small sort of surface mounted microphone on the board. You can always, well, remove the microphone even though it's a little bit tricky because of the small size of it.
There's also now an effort underway to create sort of a more third party open source version of the firmware that's based on standard Linux distribution. So if you don't trust the manufacturer, you can always switch to one of those solutions. Haven't really tested them yet to see how reliable they are and how well they function compared to the official firmware. But then again, remember, never ever expose these devices to the Internet.
And Barracuda is reporting about a new phishing kit that they're calling Ghost Frame that uses iframes in order to evade detection. The way this particular phishing kit works is that the phishing mail and web page itself is just simple benign HTML that's not triggering any kind of phishing detection rules. Then inside that HTML page, an iframe loads the actual login part of the phishing page. So that way it's not being detected as easily by any defensive mechanisms. The other little trick here is that this iframe loads this page from random, or not really random, but the unique subdomain. So the attacker uses a particular subdomain and then just has a prefix, a long random looking string which basically encodes the recipient. And that way they can load the right login page for the right victim in a scalable automated manner. That's a little bit like some of these phishing sites where you sort of get automatically your company logo also being displayed based on some URL parameters. In this case they're not using URL parameters, they're just using the first label of the host name.
And WatchGuard did release an update for its Firebox appliance. This update fixes 10 different vulnerabilities. Five of them are rated high, none of them is rated critical. There was one vulnerability that sort of scared me a little bit initially when I read the title, and that was like memory corruption in the IKE daemon; that's actually a component that has been vulnerable in various IPsec instances in the past. In this particular case, an unauthenticated attacker may cause a denial of service, but again, only a denial of service and only in fairly specific configurations. So nothing I would be too worried about. There's an interesting XPath vulnerability that I think could actually turn out to be more severe. It could lead to internal configuration leaks and that does not require authentication in order to exploit it. So that may be one of those vulnerabilities where the right attacker that's a bit more creative in what they're looking for can actually cause some damage. So apply the update. Again, nothing critical here, but something probably you want to get patched by the end of next week.
Well, and that's it for today, so thanks for listening. And one special request. If you are using the Apple Podcast app in order to listen to this podcast, would appreciate a review. So please and thank you and talk to you again tomorrow. Bye.
Host: Johannes B. Ullrich
Main Theme:
A concise review of important security events, focusing on nanoKVM device vulnerabilities, a novel Ghostframe phishing campaign, and a WatchGuard security advisory.
Overview:
nanoKVM, an inexpensive remote KVM (Keyboard, Video, Mouse) switch, is highlighted as a device with significant and ongoing security problems.
Device Purpose:
nanoKVM provides remote access to a system’s keyboard, video, and mouse via IP – even surviving power outages ([00:33]).
Security Concerns:
Unexpected Microphone:
Open-Source Solutions:
Best Practice:
Overview:
Barracuda reports a new phishing kit dubbed “Ghost Frame” which evades traditional detection by leveraging deceptive use of iframes.
Detection Evasion:
Personalization and Automation:
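The iframe pattern described in the episode (a benign outer page that frames content from a host whose first label is a long, random-looking string) can be checked for mechanically. This is an added example, not code from the podcast or from Barracuda; the thresholds, function names and sample HTML are assumptions constructed for illustration.

```python
import math
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

MIN_LABEL_LEN = 20      # assumed threshold, tune against your own traffic
MIN_ENTROPY_BITS = 3.0  # assumed threshold, in bits per character

def shannon_entropy(text):
    """Bits per character of the label's character distribution."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

class IframeCollector(HTMLParser):
    """Collects the src attribute of every iframe in a document."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def suspicious_iframes(page_url, html):
    """Return cross-host iframe URLs whose first host label looks machine-generated."""
    page_host = (urlsplit(page_url).hostname or "").lower()
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for src in collector.sources:
        host = (urlsplit(src).hostname or "").lower()
        if not host or host == page_host:
            continue  # relative or same-host frame, not the pattern of interest
        first_label = host.split(".")[0]
        if len(first_label) >= MIN_LABEL_LEN and shannon_entropy(first_label) >= MIN_ENTROPY_BITS:
            hits.append(src)
    return hits

# Constructed sample page; all hosts use the reserved .example TLD.
SAMPLE_HTML = """
<html><body><h1>Shared document</h1>
<iframe src="https://www.video-host.example/embed/123"></iframe>
<iframe src="https://k9x2q7vbt4m1zr8ph3w6yd5.portal.example/login"></iframe>
</body></html>
"""
```

A hit is a triage signal rather than a verdict, since some legitimate services also frame content from generated hostnames.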
Overview:
WatchGuard issues a security update for its Firebox appliance, addressing a spectrum of vulnerabilities.
Vulnerability Breakdown:
Potentially Underestimated Risk:
Recommendation:
On nanoKVM:
On Ghostframe:
On WatchGuard's XPath vulnerability:
| Time | Topic |
|-------|-------|
| 00:04 | Introduction |
| 00:18 | nanoKVM security concerns |
| 01:27 | Firmware update insecurities |
| 01:43 | Microphone discovery |
| 02:26 | Open-source firmware effort |
| 02:36 | Best practice—do not expose nanoKVM to Internet |
| 02:48 | Ghostframe phishing attack |
| 03:22 | Automated phishing targeting |
| 04:03 | WatchGuard update overview |
| 04:16 | IKE daemon vulnerability |
| 04:38 | XPath vulnerability details |
| 04:52 | Patch recommendation |
“So apply the update. Again, nothing critical here, but something probably you want to get patched by the end of next week.” – Johannes B. Ullrich ([04:52])