SANS Stormcast - February 25, 2025
Host: Johannes B. Ullrich
Main Theme: Rapid-fire summary of current and critical cybersecurity news, tools, and vulnerabilities.
Episode Overview
This episode focuses on several timely topics in cybersecurity, including updates to the Unfurl URL parsing tool, a major change in Google’s approach to two-factor authentication, a novel PayPal phishing scam, and vulnerabilities in Exim mail server, libXML, and Parallels virtualization tool.
Key Discussion Points & Insights
1. Unfurl Tool Update
[00:15–01:10]
- Unfurl, developed by Ryan Benson, is a tool to break apart URLs into their components for analysis.
- Goes beyond simply splitting — recognizes timestamps within URLs and converts them for easy interpretation.
- The latest release of Unfurl fixes bugs and introduces support for parsing BlueSky URLs.
“URLs can come in many forms and shapes, but Unfurl goes beyond just sort of explaining hey, this is the page. These are parameters—it, for example, recognizes if part of the URL is a timestamp and then will convert it. So really handy if you try to understand what the URL is all about.”
— Johannes B. Ullrich, [00:35]
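As an added illustration of the behaviour described above (this is not Unfurl's own code), the following Python snippet splits a URL into its components and flags query parameters or path segments that look like Unix timestamps, converting them to UTC. The epoch ranges and the sample URL are assumptions made for the example.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlsplit

# Assumed plausible epoch window: 2001-01-01 .. 2100-01-01, in seconds and milliseconds.
_SEC_MIN, _SEC_MAX = 978_307_200, 4_102_444_800
_MS_MIN, _MS_MAX = _SEC_MIN * 1000, _SEC_MAX * 1000

# Constructed sample URL: one epoch in the path (seconds), one in the query (milliseconds).
SAMPLE_URL = "https://example.com/posts/1700000000?sort=new&ts=1708819200000"


def epoch_to_iso(value: str):
    """Return an ISO-8601 UTC string if value looks like a Unix timestamp, else None."""
    if not value.isdigit():
        return None
    n = int(value)
    if _SEC_MIN <= n < _SEC_MAX:
        return datetime.fromtimestamp(n, tz=timezone.utc).isoformat()
    if _MS_MIN <= n < _MS_MAX:
        return datetime.fromtimestamp(n / 1000, tz=timezone.utc).isoformat()
    return None


def unfurl_like(url: str) -> dict:
    """Break a URL into parts and annotate any component that decodes as a timestamp."""
    parts = urlsplit(url)
    out = {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "path": parts.path,
        "query": {},
        "timestamps": {},
    }
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        out["query"][key] = val
        iso = epoch_to_iso(val)
        if iso:
            out["timestamps"][key] = iso
    for seg in parts.path.split("/"):
        iso = epoch_to_iso(seg)
        if iso:
            out["timestamps"]["path:" + seg] = iso
    return out


if __name__ == "__main__":
    for k, v in unfurl_like(SAMPLE_URL)["timestamps"].items():
        print(f"{k} -> {v}")
```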
2. Google Moves Away from SMS 2FA
[01:10–02:17]
- Google is discontinuing SMS and phone calls as two-factor authentication (2FA) options for Gmail and related services.
- This move pushes users toward app-based authentication and passkeys.
- Google is promoting an improved app-based system: users scan a QR code with a device already logged into Google for seamless authentication—aimed at balancing security and usability.
“Google...has sort of been pushing people away from SMS for a while, but this push will now become stronger in the sense that SMS will no longer be supported at all, or phone calls for that matter.”
— Johannes B. Ullrich, [01:22]
“Google sort of tries to find a little bit in between solution here that’s user friendly in the form of a QR code, nothing really to enter, but still provides the security to counter authentication fatigue.”
— Johannes B. Ullrich, [02:04]
3. PayPal Phishing Scam Exploiting Address Change Notifications
[02:17–03:17]
- Attackers trigger genuine PayPal emails by updating the shipping address with a scamming message, like claiming the recipient bought an expensive MacBook.
- Since the email is legitimate (passes DKIM, DMARC, SPF), it gains user trust.
- The fraudulent address includes a prompt to call a number or click a link—leading to phishing or tech support scams.
- Highlights how difficult it is to validate the data users can enter into free-text fields such as addresses, especially when that data is reflected into notification emails.
“The attacker then changed part of the address, part of the new updated address, to a message that states, ‘Hey, you just purchased a MacBook for a lot of money, and if you think you didn’t do that, please call that 800 number or click on that link,’ which then turns out to be a tech support scam or some kind of phishing malware site that you’re being tricked to click on.”
— Johannes B. Ullrich, [02:54]
“It’s probably possible with other sites as well, where an attacker can trigger an email...where the attacker is able to modify a good part of the body of the email, like in this case, the address.”
— Johannes B. Ullrich, [03:10]
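As an added defensive example (not PayPal's code, and not from the episode), this Python check screens a free-text address field before it is accepted and reflected into a transactional email, flagging embedded URLs, phone numbers and fraud-alert wording of the kind described above. The regular expressions, the length limit and the sample strings are assumptions constructed for the example.

```python
import re

# Heuristics for content that has no place in a shipping address but makes a
# reflected notification read like a fraud alert. Tune to your own address formats.
_URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")
_PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
_LURE_RE = re.compile(r"(?i)\b(call|click|purchased?|bought|refund|cancel|unauthori[sz]ed)\b")
_MAX_LEN = 80  # assumed per-line limit for a street address field

# Constructed samples: a benign address and an address-field payload of the kind described.
BENIGN_ADDRESS = "742 Evergreen Terrace, Springfield"
LURE_ADDRESS = "You purchased a MacBook for $1,999. Not you? Call 800-555-0199"


def address_field_findings(text: str) -> list:
    """Return the list of reasons an address-field value looks like injected lure text."""
    findings = []
    if _URL_RE.search(text):
        findings.append("url")
    if _PHONE_RE.search(text):
        findings.append("phone_number")
    if _LURE_RE.search(text):
        findings.append("lure_wording")
    if len(text) > _MAX_LEN:
        findings.append("too_long")
    return findings


def accept_address_field(text: str) -> bool:
    """True only when no finding fires; flagged values should be held for review, not emailed."""
    return not address_field_findings(text)


if __name__ == "__main__":
    for sample in (BENIGN_ADDRESS, LURE_ADDRESS):
        print(repr(sample), "->", address_field_findings(sample) or "ok")
```

A stricter policy for high-risk fields is an allow-list (letters, digits, a few punctuation marks), but the findings above also make useful log fields for spotting abuse of the notification flow.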
4. Exim Mail Server SQL Injection Vulnerability
[03:17–04:14]
- The vulnerability in the Exim mail server relates to its use of SQLite as a backend database.
- With the "ETRN" command enabled, servers are open to a straightforward, proof-of-concept SQL injection.
- Potentially exposes all data stored within the SQLite backend.
- Most Exim servers have ETRN enabled by default for delivery efficiency.
“If you’re using SQLite as a backend for Exim, then you may be vulnerable, if you have the ETRN ... enabled, which...is usually enabled in mail servers...And that’s where the SQL injection happens.”
— Johannes B. Ullrich, [03:43]
5. Parallels (Mac Virtualization) Privilege Escalation Vulnerability
[04:14–04:38]
- Unpatched privilege escalation flaw in Parallels on Mac.
- Details disclosed last week; users urged to check supporting documentation.
Notable Quotes & Memorable Moments
- On Unfurl’s Utility:
  “URLs can come in many forms and shapes, but Unfurl...recognizes if part of the URL is a timestamp and then will convert it. So really handy if you try to understand what the URL is all about.”
  — Johannes B. Ullrich, [00:35]
- On Google 2FA Evolution:
  “Google sort of tries to find a little bit in between solution here that’s user friendly in the form of a QR code, nothing really to enter, but still provides the security to counter authentication fatigue.”
  — Johannes B. Ullrich, [02:04]
- On the Novel PayPal Phishing Tactic:
  “The attacker then changed part of the address...to a message that states, ‘Hey, you just purchased a MacBook for a lot of money, and if you think you didn’t do that, please call that 800 number or click on that link,’ which then turns out to be a tech support scam...”
  — Johannes B. Ullrich, [02:54]
Summary Table of Vulnerabilities Discussed
| Topic            | Vulnerability Type   | Affected Services        | Key Segment   |
|------------------|----------------------|--------------------------|---------------|
| Exim Mail Server | SQL Injection        | SMTP with SQLite backend | [03:17–04:14] |
| Parallels        | Privilege Escalation | macOS virtualization     | [04:14–04:38] |
Takeaways
- Stay alert for creative phishing tactics leveraging legitimate notification emails.
- Administrators should review 2FA options and update Exim configurations, particularly if using SQLite.
- Mac users running Parallels are encouraged to follow up on disclosed but unpatched vulnerabilities.
For more info: Submit feedback or questions via the SANS ISC Contact Form.
