SANS Stormcast Daily Cyber Security Podcast: March 5, 2025
Host: Johannes B. Ullrich
Location: Baltimore, Maryland
Episode Overview
This episode delivers a concise rundown of the day's most pressing cybersecurity events, ranging from novel credential hunting tactics and tool updates, to several important vulnerabilities and emergent scam techniques. The focus is on actionable intelligence for security professionals, with timely advice on patching and vigilance against evolving threats.
Key Topics & Discussion Points
1. Emergence of SMTP Credential Scanning
Timestamp: 00:13 – 01:30
- Recent network scan activity has revealed a host persistently searching for leaked credential files (e.g., .env files) across the internet.
- Notably, two new file types are being targeted: smtpToken.json and smtpkeys.
- Both likely contain SMTP server credentials, though it’s not absolutely clear which applications use them. A Google search links these artifacts to the "Janssen" identity management project.
- The scanning system appears to originate from a server linked to a Romanian distillery—most likely a compromised asset.
“Interesting pattern... a host that is scanning routinely... for leak credential files... they added some new files to their repertoire: smtpToken.json and smtpkeys.”
— Johannes B. Ullrich [00:13]
Notable Quote
“I assume it’s just another compromised system and it’s going after various credential files for about a month now.” — Johannes B. Ullrich [01:13]
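As an added example (not from the podcast or the ISC), the following Python script flags sources that probe a web server for the credential files named in this segment; the access-log lines are constructed, and the file set and the two-hit threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2025:06:01:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2025:06:01:03 +0000] "GET /smtpToken.json HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2025:06:01:04 +0000] "GET /config/smtpkeys HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.20 - - [05/Mar/2025:06:02:10 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "curl/8.0"
198.51.100.20 - - [05/Mar/2025:06:02:11 +0000] "GET /api/environment HTTP/1.1" 200 512 "-" "curl/8.0"
"""

# File names the scanner requests (from the episode); lower-cased for matching.
CREDENTIAL_FILES = {".env", "smtptoken.json", "smtpkeys"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_credential_probe(path):
    # Compare only the last path component, ignoring query string and case,
    # so /config/smtpkeys?x=1 and /SMTPKEYS both match.
    name = path.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1].lower()
    return name in CREDENTIAL_FILES

def find_credential_scanners(log_text, min_hits=2):
    """Return {ip: [requested paths]} for sources with at least min_hits credential-file probes."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_credential_probe(rec["path"]):
            hits[rec["ip"]].append(rec["path"])
    return {ip: paths for ip, paths in hits.items() if len(paths) >= min_hits}

if __name__ == "__main__":
    for ip, paths in find_credential_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} credential-file probes -> {', '.join(paths)}")
```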
2. Tool Update: mac-robber.py
Timestamp: 01:30 – 02:00
- Jim posted an update to his Python-based forensic tool, mac-robber.py, a reimplementation of the Sleuthkit utility.
- The latest version addresses issues related to symlink handling.
3. ADSelfService Plus Vulnerability
Timestamp: 02:01 – 02:50
- Focuses on a session management flaw in ADSelfService Plus, an identity management platform (where "AD" stands for Active Directory).
- The flaw allows attackers to glean information about enrolled users without authentication.
- Two-factor authentication (2FA) mitigates this vulnerability.
- A patch is now available and should be promptly applied.
“This vulnerability is mitigated if you have two-factor authentication implemented, which kind of sounds like a good idea anyway for a tool like this.”
— Johannes B. Ullrich [02:30]
4. Android Patch Day – March
Timestamp: 02:51 – 03:40
- Google released its March Android security updates.
- Two privilege escalation vulnerabilities (in Framework and Kernel) have already seen targeted exploitation.
- Multiple critical issues remain unexploited but could be weaponized soon.
- Listeners are urged to apply the patches as soon as they become available for their device.
“As these updates become available for your particular phone, you probably do want to apply them rather quickly.” — Johannes B. Ullrich [03:22]
5. New PayPal ‘No-Code’ Checkout Phishing Scam
Timestamp: 03:41 – 04:40
- Malwarebytes warns of sophisticated phishing leveraging PayPal’s no-code checkout feature:
- Attackers create custom pages on the PayPal.com domain. Instead of legitimate checkouts, pages mimic PayPal support or offer scam phone numbers.
- These pages are promoted via Google Ads, making them seem highly credible.
- Other similar services may also be vulnerable.
“It’s using the paypal.com domain and then they are advertising these pages via Google Ads. This makes it really difficult for a victim to figure out that this is not a legitimate PayPal page... Everything is really hosted on PayPal’s website; it’s just that the attacker added their own text to that particular page.” — Johannes B. Ullrich [04:23]
6. Critical VMware vCenter Vulnerabilities
Timestamp: 04:41 – 05:25
- Broadcom released urgent patches for VMware vCenter, fixing three vulnerabilities (CVSS up to 9.3), including a "VMware Escape" flaw:
- Allows malicious VMs to compromise the entire infrastructure.
- These are already being exploited in the wild.
- Immediate patching is mandatory.
- Exposing vCenter to the public internet is especially discouraged.
“The worst outcome here is VMware Escape. So if an attacker is able to take over one of your virtual machines, they own your infrastructure.” — Johannes B. Ullrich [05:00]
Memorable Quotes
- On the expanding file scan threat:
“Googling comes up with the Janssen project that is actually sort of a set of identity management components and part of their SMTP server configuration refers to these files.” — Johannes B. Ullrich [00:43]
- On phishing innovation:
“I wouldn’t be surprised if other similar services aren’t vulnerable to this attack as well.” — Johannes B. Ullrich [04:37]
- On urgency of VMware patching:
“You definitely must patch now. But then again, you probably shouldn’t expose vcenter to the world.” — Johannes B. Ullrich [05:15]
Summary of Action Items
- Investigate scanning for leaked SMTP credential files — particularly smtpToken.json and smtpkeys
- Update the mac-robber.py tool for improved forensic artifact collection
- Patch ADSelfService Plus immediately; enable 2FA if not already in place
- Apply the March Android security updates to all eligible devices ASAP
- Be wary of PayPal checkout support scams — educate staff and users on identifying legitimate support channels
- Immediately patch VMware vCenter deployments and avoid exposing them to the internet
