
SANS Stormcast Wednesday Feb 26th: M365 Infostealer Botnet; Mixing OpenID Keys; Malicious Medical Image Apps
Hello and welcome to the Wednesday, February 26, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

SecurityScorecard published a write-up about a botnet that they have observed attacking Microsoft 365 accounts. And what's a little bit different here is that they're not sort of going after normal user accounts, but instead they're going after accounts used by automatic scripts. And with that, of course, you often don't have the ability to do things like two-factor authentication. In this particular case, they're attacking accounts that are using basic authentication, which means you typically have a static username and password, some kind of API key, and, well, recent NIST guidance, for example, specifically suggested to move away from API keys. And one of the big reasons behind that was that API keys tend to be difficult to rotate. If you do need to design some kind of API and web services access, the standard method these days is often OAuth. Now, OAuth is not really safe from some of these infostealer types, but in addition to that you probably also want to make sure that development and production environments are cleanly separated, because infostealers tend to infect developers, not so much production environments, and as such, if an infostealer steals credentials from a developer, then, well, they can't be used against the production environment. It may also be worthwhile looking into like canary tokens here. That's a nice little trick that can help you identify some of these attacks. Now, SecurityScorecard did publish a bunch of indicators of compromise here with the report, but we all know them that they were out of date the moment they were put into that document.

And sticking with authentication here for another story, there is a blog post by Hanno Böck looking into misconfigured OpenID setups. OpenID, well, I just mentioned OAuth and the two are related, is commonly used as a standard in order to support single sign-on. And one interesting thing about OpenID is, as part of the standard, there's a standard URL at which you retrieve the configuration for an OpenID server. This configuration file does include public keys, or, well, it should include public keys, in order to verify any assertions that were signed by this particular OpenID server. However, as Hanno found out, some misconfigured servers are also offering private keys. This is a little bit based on sort of the flexibility of OpenID. It can use symmetric as well as asymmetric signatures. With asymmetric signatures, you only get the public key; well, with symmetric ones, you get the key, which of course is public and private and should not be leaked to the public. But yes, misconfigurations happen. And Hanno did take a look at, I believe it was, the 100,000 biggest files based on one of the standard top web server lists. Only found nine that were misconfigured. Still, nine servers out of the 100,000 most popular web servers, and of course not all of them offer single sign-on with OpenID, were misconfigured and did leak private keys. Looks probably worse when you're looking at smaller setups that are not necessarily as prominent and as often probed as these top web servers. And definitely something that you do want to review in your own OpenID configuration.

And if you were ever subjected to any medical imaging, you may have been given by your doctor or the lab a CD or DVD with the image file. Well, that image file was likely in a format called DICOM, and DICOM is a standard medical image format. And then of course you wanted to look at the images yourself. Well, I remember doing this myself a couple of years back, and the image viewers I found were kind of hokey. They didn't really look sort of like real software per se, a little bit sort of antiquated in their UI, and looks like that Chinese threat actor now is taking advantage of that by offering backdoored image viewers for the DICOM format. Forescout has a little write-up about this, but essentially this group is publishing malicious DICOM viewers, and unsuspecting users that, like I did years ago, just search Google for a random, more or less, DICOM viewer, maybe search some of the app stores, then end up with these malicious versions. Not sure what to tell you about how to fix this. I think your best bet is probably to stick with official app stores for some of these applications. Even though, even those applications, like I said, the UI looks a little bit clumsy, not sort of as polished as you usually expected from commercial software. At least the software I ended up with. Hope I didn't end up with any backdoor software back then.

Well, and this is it for today. Thanks for listening and talk to you again tomorrow. Bye.
Host: Johannes B. Ullrich
Main Topics: M365 Infostealer Botnet, OpenID Key Leaks, Malicious Medical Image Apps
In this episode, Johannes B. Ullrich delivers a concise briefing on current cybersecurity threats and insights, focusing on:
[00:28 – 02:06]
"We all know them that they were out of date the moment they were put into that document."
(Johannes B. Ullrich, [01:54])
[02:07 – 03:19]
"Looks probably worse when you're looking at smaller setups that are not necessarily as prominent and as often probed as these top web servers."
(Johannes B. Ullrich, [03:11])
[03:20 – 04:42]
"Hope I didn't end up with any backdoor software back then."
(Johannes B. Ullrich, [04:35])
This episode is a succinct update on evolving authentication threats, configuration pitfalls, and the importance of vetting software, even in unexpected places like medical imaging. Johannes delivers actionable security insights for defenders of all levels.
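The second story ends with the advice to review your own OpenID configuration. The script below is an added example, written for this page and not part of the episode or of Hanno Böck's research, that does exactly that review: it reads an OpenID Connect discovery document and the JWK Set it points to, flags any key that carries private members (RFC 7518 defines which members those are per key type; a symmetric "oct" key has no public half, so publishing it at all is the leak), and also reports whether the provider advertises symmetric ID-token signing algorithms, since with HS256-style signing anyone holding the verification key can also forge tokens. The issuer name idp.example.test, the key IDs, and the key values are constructed placeholders, not real key material; the only network call is in audit_issuer(), which is used only when you pass an issuer URL on the command line.

```python
"""Audit an OpenID Connect provider's discovery metadata and JWK Set for leaked
private key material.  Runs offline against the constructed sample documents
below; pass an issuer URL on the command line to audit a live provider."""
import json
import sys
import urllib.request

# JWK members that carry private key material, per RFC 7518 section 6.
# An 'oct' (symmetric) key has no public half: publishing 'k' IS the leak.
PRIVATE_MEMBERS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"d"},
    "OKP": {"d"},
    "oct": {"k"},
}

# Symmetric JWS algorithms: whoever can verify a token can also forge one.
SYMMETRIC_ALGS = {"HS256", "HS384", "HS512"}


def private_members(jwk):
    """Return the private-key members present in a single JWK, sorted."""
    return sorted(set(jwk) & PRIVATE_MEMBERS.get(jwk.get("kty"), set()))


def audit_jwks(jwks):
    """Return one finding per key in a JWK Set that exposes private material."""
    findings = []
    for idx, jwk in enumerate(jwks.get("keys", [])):
        leaked = private_members(jwk)
        if leaked:
            findings.append({
                "kid": jwk.get("kid", f"#{idx}"),
                "kty": jwk.get("kty"),
                "members": leaked,
            })
    return findings


def symmetric_algs(discovery):
    """Symmetric ID-token signing algorithms the provider advertises."""
    advertised = discovery.get("id_token_signing_alg_values_supported", [])
    return sorted(SYMMETRIC_ALGS & set(advertised))


def audit_issuer(issuer, timeout=10):
    """Fetch <issuer>/.well-known/openid-configuration and its jwks_uri (network)."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        discovery = json.load(resp)
    with urllib.request.urlopen(discovery["jwks_uri"], timeout=timeout) as resp:
        jwks = json.load(resp)
    return {"symmetric_algs": symmetric_algs(discovery),
            "leaked_keys": audit_jwks(jwks)}


# Constructed sample documents for offline use; the issuer is hypothetical and
# the key values are placeholders, not real key material.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.test",
    "jwks_uri": "https://idp.example.test/.well-known/jwks.json",
    "id_token_signing_alg_values_supported": ["RS256", "HS256"],
}
SAMPLE_JWKS = {"keys": [
    # Correct: an RSA public key exposes only the modulus n and exponent e.
    {"kty": "RSA", "kid": "good-rsa", "use": "sig", "alg": "RS256",
     "n": "sXch...placeholder", "e": "AQAB"},
    # Misconfigured: the full RSA private key was published alongside n and e.
    {"kty": "RSA", "kid": "leaked-rsa", "use": "sig", "alg": "RS256",
     "n": "sXch...placeholder", "e": "AQAB", "d": "...", "p": "...",
     "q": "...", "dp": "...", "dq": "...", "qi": "..."},
    # Misconfigured: the HMAC secret used for HS256 tokens is world-readable.
    {"kty": "oct", "kid": "hmac-shared", "alg": "HS256", "k": "c2VjcmV0"},
]}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = audit_issuer(sys.argv[1])
    else:
        report = {"symmetric_algs": symmetric_algs(SAMPLE_DISCOVERY),
                  "leaked_keys": audit_jwks(SAMPLE_JWKS)}
    print(json.dumps(report, indent=2))
```

Run it with no arguments to see the two findings from the sample set (the leaked RSA private members and the published HMAC secret), or with your own issuer URL to check a live deployment. A non-empty "leaked_keys" list means the key must be treated as compromised and rotated, not merely hidden; a non-empty "symmetric_algs" list is worth a second look even when no key leaked, because it means the provider is willing to sign ID tokens with a key that every verifier has to hold.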