SANS Stormcast – Wednesday, February 26, 2025
Host: Johannes B. Ullrich
Main Topics: M365 Infostealer Botnet, OpenID Key Leaks, Malicious Medical Image Apps
Episode Overview
In this episode, Johannes B. Ullrich delivers a concise briefing on current cybersecurity threats and insights, focusing on:
- A targeted botnet campaign against Microsoft 365 script/service accounts
- The risks of leaking private keys via misconfigured OpenID servers
- Chinese threat actors spreading backdoored DICOM medical image viewers
Key Discussion Points & Insights
1. M365 Infostealer Botnet Attack
[00:28 – 02:06]
- Targeted Accounts:
- Attackers are now homing in on Microsoft 365 accounts used by automated scripts (service accounts) rather than on regular user accounts.
- These accounts often lack basic protections such as two-factor authentication, because a script cannot answer an MFA prompt.
- Vulnerability:
- Many such accounts still rely on basic authentication: a static username/password pair or a long-lived API key sent with every request, which is exactly what an infostealer harvests.
- Security Guidance:
- Recent NIST guidance recommends phasing out API keys, largely because they are hard to rotate and remain usable indefinitely once stolen.
- OAuth is suggested as the standard for API/web service access, but it is not immune to infostealer malware: access and refresh tokens sitting on an infected host can be stolen just like a password.
- Mitigation Strategies:
- Separation of environments: Development and production should be siloed so that a stolen development credential is of little use against production.
- Canary tokens: Decoy credentials that alert when used can reveal that a stolen credential is being tried by someone other than the owning script.
- SecurityScorecard shared indicators of compromise, but Johannes notes:
"We all know them that they were out of date the moment they were put into that document."
(Johannes B. Ullrich, [01:54])
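The points above amount to a checklist a defender can run against their own sign-in logs: which service accounts still authenticate over basic-auth protocols, which ones succeed with a single factor, and which ones are being hammered from many source addresses, as a botnet trying stolen credentials would. The script below is an added example and is not code from the podcast or from SecurityScorecard. Field names follow the Microsoft Graph `signIn` resource (`clientAppUsed`, `authenticationRequirement`, `status.errorCode`); the events themselves are constructed, and the `svc-` naming convention for service accounts and the distinct-IP threshold are assumptions.

```python
"""Audit M365 sign-in events for service accounts that still accept
single-factor legacy (basic) authentication, and for botnet-style
activity against them. Added example: field names follow the Microsoft
Graph signIn resource, the events below are constructed, not real logs."""
from collections import defaultdict

# "Client app" values in Entra ID sign-in logs that only carry basic auth.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "IMAP4", "POP3", "Exchange ActiveSync",
    "Other clients", "Exchange Web Services", "MAPI Over HTTP",
}

# Assumption: service accounts follow an "svc-" naming convention.
SERVICE_ACCOUNT_PREFIX = "svc-"

# Constructed events (not real log data). Error code 50126 is Entra ID's
# "invalid username or password".
SAMPLE_SIGNINS = [
    {"userPrincipalName": "svc-backup@example.com", "clientAppUsed": "Authenticated SMTP",
     "authenticationRequirement": "singleFactorAuthentication",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-backup@example.com", "clientAppUsed": "Authenticated SMTP",
     "authenticationRequirement": "singleFactorAuthentication",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
    {"userPrincipalName": "svc-backup@example.com", "clientAppUsed": "Authenticated SMTP",
     "authenticationRequirement": "singleFactorAuthentication",
     "ipAddress": "198.51.100.8", "status": {"errorCode": 50126}},
    {"userPrincipalName": "svc-backup@example.com", "clientAppUsed": "Authenticated SMTP",
     "authenticationRequirement": "singleFactorAuthentication",
     "ipAddress": "198.51.100.9", "status": {"errorCode": 50126}},
    # Modern auth (OAuth token) from a script: no legacy protocol, but still no MFA.
    {"userPrincipalName": "svc-etl@example.com", "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "singleFactorAuthentication",
     "ipAddress": "203.0.113.20", "status": {"errorCode": 0}},
    # Ordinary user with MFA: out of scope for this audit.
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication",
     "ipAddress": "203.0.113.30", "status": {"errorCode": 0}},
]


def is_service_account(upn: str) -> bool:
    """Assumed naming convention; replace with a group lookup in practice."""
    return upn.lower().startswith(SERVICE_ACCOUNT_PREFIX)


def audit_signins(events, spray_ip_threshold: int = 3) -> dict:
    """Return service accounts that (a) authenticate over a legacy basic-auth
    protocol, (b) ever succeed with a single factor, and (c) attract failed
    sign-ins from at least `spray_ip_threshold` distinct source IPs, the
    shape of a botnet working through credentials."""
    legacy_auth, single_factor = set(), set()
    failed_ips = defaultdict(set)
    for ev in events:
        upn = ev["userPrincipalName"]
        if not is_service_account(upn):
            continue
        succeeded = ev["status"]["errorCode"] == 0
        if ev["clientAppUsed"] in LEGACY_CLIENT_APPS:
            legacy_auth.add(upn)
        if succeeded and ev["authenticationRequirement"] == "singleFactorAuthentication":
            single_factor.add(upn)
        if not succeeded:
            failed_ips[upn].add(ev["ipAddress"])
    spray = {u for u, ips in failed_ips.items() if len(ips) >= spray_ip_threshold}
    return {"legacy_auth": legacy_auth, "single_factor": single_factor,
            "spray_candidates": spray}


if __name__ == "__main__":
    for finding, accounts in audit_signins(SAMPLE_SIGNINS).items():
        print(f"{finding}: {sorted(accounts)}")
```

Accounts in `legacy_auth` are the ones to migrate off basic auth first; `single_factor` accounts that cannot take MFA are candidates for conditional access by source IP or for a workload identity instead of a user account; `spray_candidates` is where a canary credential or an alert on the account would pay off.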
2. OpenID Misconfiguration and Key Disclosure
[02:07 – 03:19]
- Context:
- OpenID Connect is often used for single sign-on and is built on top of OAuth 2.0.
- Each OpenID provider publishes a discovery document (/.well-known/openid-configuration) that points to a JSON Web Key Set (JWKS) holding the public keys relying parties use to verify token signatures.
- Issue Uncovered:
- Research by Hanno Böck found some OpenID providers leaking private keys in their published key sets, apparently from confusion between symmetric and asymmetric signing setups: a JWKS should carry only public key parameters, but some contained full private keys or symmetric (HMAC) secrets.
- Specifically, 9 of the 100,000 largest web servers were found misconfigured: a low rate, but not negligible given the sample.
- Publishing a symmetric key makes the secret used to sign tokens public, so anyone who reads the key set can mint tokens the provider will accept.
- Advice:
- Review your own configurations: Any service acting as an OpenID provider should confirm that its JWKS exposes no private or symmetric keys.
- Johannes emphasizes potential risk among lesser-known or infrequently audited servers:
"Looks probably worse when you're looking at smaller setups that are not necessarily as prominent and as often probed as these top web servers."
(Johannes B. Ullrich, [03:11])
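The check Johannes recommends can be automated: read the provider's discovery document, follow `jwks_uri`, and fail if any published key carries parameters that only a private or symmetric key has. The script below is an added example, not Hanno Böck's scanner or code from the podcast. The JWK parameter names come from RFC 7517 and RFC 7518; the discovery document and key set are constructed for the example, and their base64url values are dummy strings, not real key material. `load_remote` is the only part that touches the network and is not needed to run the sample.

```python
"""Check an OpenID Connect provider's published key set for material that
must never be public. Added example; the discovery document and JWKS below
are constructed, with dummy base64url values rather than real keys."""
import json
import urllib.request

# JWK parameters that carry private or secret material, per key type
# (RFC 7518 section 6). A public JWKS should carry none of these.
PRIVATE_PARAMS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"d"},
    "OKP": {"d"},
    "oct": {"k"},  # symmetric keys are secret by definition
}

# Constructed discovery document for a hypothetical provider.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    # Advertising HS256 alongside RS256 is the symmetric/asymmetric mix-up
    # the research describes: relying parties would need the HMAC secret.
    "id_token_signing_alg_values_supported": ["RS256", "HS256"],
}

# Constructed key set: one correct public RSA key, one RSA key published with
# its private exponent and primes, and one HMAC secret. Values are dummies.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "good-1", "use": "sig", "alg": "RS256",
     "n": "u1SU1L", "e": "AQAB"},
    {"kty": "RSA", "kid": "leaky-1", "use": "sig", "alg": "RS256",
     "n": "u1SU1L", "e": "AQAB", "d": "Z3Vlc3M", "p": "cHJpbWU", "q": "cHJpbWU"},
    {"kty": "oct", "kid": "hmac-1", "alg": "HS256", "k": "c2VjcmV0"},
]}


def leaked_keys(jwks: dict) -> list:
    """Return (kid, kty, exposed params) for every key that leaks private or
    symmetric material. An "oct" key is reported even without "k", since a
    shared secret has no business in a public key set at all."""
    findings = []
    for jwk in jwks.get("keys", []):
        kty = jwk.get("kty", "")
        exposed = sorted(PRIVATE_PARAMS.get(kty, set()) & set(jwk))
        if kty == "oct" or exposed:
            findings.append((jwk.get("kid"), kty, exposed))
    return findings


def symmetric_algs(discovery: dict) -> list:
    """HMAC-based signing algorithms the provider advertises for ID tokens."""
    algs = discovery.get("id_token_signing_alg_values_supported", [])
    return sorted(a for a in algs if a.startswith("HS"))


def audit_provider(discovery: dict, jwks: dict) -> dict:
    """Combine both checks; "safe" is True only when nothing was found."""
    report = {
        "jwks_uri": discovery.get("jwks_uri"),
        "symmetric_algs": symmetric_algs(discovery),
        "leaked_keys": leaked_keys(jwks),
    }
    report["safe"] = not report["symmetric_algs"] and not report["leaked_keys"]
    return report


def load_remote(issuer: str, timeout: float = 10.0) -> dict:
    """Fetch discovery document and JWKS for a live provider and audit them.
    Not called in the offline example below."""
    with urllib.request.urlopen(issuer.rstrip("/") + "/.well-known/openid-configuration",
                                timeout=timeout) as resp:
        discovery = json.load(resp)
    with urllib.request.urlopen(discovery["jwks_uri"], timeout=timeout) as resp:
        jwks = json.load(resp)
    return audit_provider(discovery, jwks)


if __name__ == "__main__":
    print(json.dumps(audit_provider(SAMPLE_DISCOVERY, SAMPLE_JWKS), indent=2))
```

Run this against your own provider from outside the network, the way an attacker would see it; a finding on `leaked_keys` means every token signed with that key must be treated as forgeable and the key rotated, not merely removed from the document.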
3. Malicious DICOM Medical Image Viewers
[03:20 – 04:42]
- Situation:
- Patients often receive medical images (like MRIs) in the DICOM format, alongside basic viewing software.
- Legitimate DICOM viewers are sometimes outdated, poorly designed, or hard to trust.
- Threat:
- A Chinese APT group is backdooring DICOM viewers and distributing them via “random, more or less [legit]” sites and app stores.
- Users searching for DICOM viewers may inadvertently download malicious versions.
- Mitigation:
- Stick to official app stores for downloading medical imaging software, though even these may offer clunky or outdated tools.
- Remember to be wary of unfamiliar sources:
"Hope I didn't end up with any backdoor software back then."
(Johannes B. Ullrich, [04:35])
Memorable Quotes
- "They're not sort of going after normal user accounts, but instead they're going after accounts used [by] automatic scripts."
— Johannes B. Ullrich, [00:28]
- "API keys tend to be difficult to rotate. ... If you do need to design some kind of API and web services access, the standard method these days is often OAuth."
— Johannes B. Ullrich, [00:58]
- "Some misconfigured servers are also offering private keys ... should not be leaked to the public."
— Johannes B. Ullrich, [02:30]
- "Not sure what to tell you about how to fix this. I think your best bet is probably to stick with official app stores..."
— Johannes B. Ullrich, [04:37]
Timestamps for Key Segments
- M365 Infostealer Botnet: [00:28 – 02:06]
- OpenID Key Misconfiguration: [02:07 – 03:19]
- Malicious Medical Image Apps: [03:20 – 04:42]
This episode is a succinct update on evolving authentication threats, configuration pitfalls, and the importance of vetting software, even in unexpected places like medical imaging. Johannes delivers actionable security insights for defenders of all levels.
