
SANS Stormcast Wednesday Mar 5th: SMTP Credential Hunt; mac-robber.py update; ADSelfService Plus Account Takeover; Android Patch Day; PayPal Scams; VMWare Escape Fix
Hello and welcome to the Wednesday, March 5, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Baltimore, Maryland.

Now in our First Seen URLs list I noticed an interesting pattern where we had a host that has been scanning routinely for the last month or so for leaked credential files, like your usual .env files and such. They added some new files to their repertoire: smtpToken.json, and a second file that is smtpkeys. The problem with these files is that, while they likely contain SMTP server credentials, it's not 100% sure what particular application these files are associated with. But Googling comes up with the Janssen project, which is actually sort of a set of identity management components, and part of their SMTP server configuration refers to these files. Interesting. Also, a little bit of a side note: this particular system that is scanning for these files now is associated with a distillery in Romania. Haven't made contact with them yet, but I assume it's just another compromised system, and it's going after various credential files for about a month now.

And Jim today posted a second diary. This diary is just a quick notice that Jim updated his tool mac-robber.py. This tool is sort of a reimplementation of the mac-robber tool that comes with Sleuth Kit, just in Python, and the latest version, which was actually released a couple of weeks ago, does fix some issues with following symlinks.

And I've got a couple of vulnerabilities to talk about. So let's start with Zoho's ADSelfService Plus. This tool is important, well, because the AD here doesn't stand for advertisements but for Active Directory. It allows users to manage their identity, and apparently they didn't get their sessions quite right. So that allows an attacker to gain information about enrolled users without authentication. This vulnerability is mitigated if you have two-factor authentication implemented, which kind of sounds like a good idea anyway for a tool like this. And of course there is now a patch available fixing this session handling vulnerability.

And Google yesterday had its Android patch day for March. It's significant insofar as two of the vulnerabilities being patched are privilege escalation vulnerabilities, one of them in Framework, one of them in the kernel, that have already been exploited in some limited targeted attacks. As these updates become available for your particular phone, you probably do want to apply them rather quickly. There are also a number of not yet exploited critical vulnerabilities, but I'm sure that people are pretty much already working on trying to find exploits for them right now.

And Malwarebytes is warning of an interesting new phishing and scam technique to impersonate PayPal. PayPal offers to merchants the no-code checkout option. What this really means is that PayPal basically will create a checkout page for you that you're able to heavily customize, but the page itself is hosted within the paypal.com domain. So what attackers are doing here is that they are signing up for these no-code checkout pages. They're creating now a page that doesn't really look like a checkout page but instead offers, for example, PayPal support phone numbers and such, because you pretty much can add whatever content you would like to this page, which of course is branded by PayPal. It's using the paypal.com domain, and then they are advertising these pages via Google Ads. This makes it really difficult for a victim to figure out that this is not a legitimate PayPal page because, well, everything is really hosted on PayPal's website. It's just that the attacker added their own text to that particular page. Interesting scam. And I wouldn't be surprised if other similar services aren't vulnerable to this attack as well.

And Broadcom released updates for VMware vCenter, fixing three different vulnerabilities with CVSS scores up to 9.3. The worst outcome here is VMware escape. So if an attacker is able to take over one of your virtual machines, they own your infrastructure. And these vulnerabilities, according to Broadcom, are already being exploited. So you definitely must patch now. But then again, you probably shouldn't expose vCenter to the world. Well, your virtual machines, on the other hand, you probably can't help but expose some content of them. And then one virtual machine that's vulnerable would then be used in order to again take over your infrastructure. So this is a super critical vulnerability.

Well, that's it for today. So thanks again for listening, and thanks again for any feedback received, for all the good reviews. And if you haven't gotten around to it yet, please check the five stars, check the like or whatever in your particular podcast platform, and talk to you again tomorrow. Bye.
Host: Johannes B. Ullrich
Location: Baltimore, Maryland
This episode delivers a concise rundown of the day's most pressing cybersecurity events, ranging from novel credential hunting tactics and tool updates, to several important vulnerabilities and emergent scam techniques. The focus is on actionable intelligence for security professionals, with timely advice on patching and vigilance against evolving threats.
Timestamp: 00:13 – 01:30
SMTP credential hunt: a host that has been scanning for leaked credential files (e.g. .env files) across the internet for about a month added smtpToken.json and smtpkeys to its target list. The file names match the Janssen identity-management project's SMTP configuration; the scanning host appears to be another compromised system.
“Interesting pattern... a host that is scanning routinely... for leaked credential files... they added some new files to their repertoire: smtpToken.json and smtpkeys.”
— Johannes B. Ullrich [00:13]
“I assume it’s just another compromised system and it’s going after various credential files for about a month now.” — Johannes B. Ullrich [01:13]
Timestamp: 01:30 – 02:00
Jim updated mac-robber.py, a Python reimplementation of the Sleuth Kit mac-robber utility; the latest version fixes issues with following symlinks.
Timestamp: 02:01 – 02:50
ADSelfService Plus: a session-handling flaw lets an unauthenticated attacker obtain information about enrolled users. A patch is available; enabling two-factor authentication mitigates the issue.
“This vulnerability is mitigated if you have two-factor authentication implemented, which kind of sounds like a good idea anyway for a tool like this.”
— Johannes B. Ullrich [02:30]
Timestamp: 02:51 – 03:40
Android March patch day: two privilege escalation vulnerabilities (one in Framework, one in the kernel) are already exploited in limited targeted attacks; further critical but not yet exploited issues are also fixed.
“As these updates become available for your particular phone, you probably do want to apply them rather quickly.” — Johannes B. Ullrich [03:22]
Timestamp: 03:41 – 04:40
PayPal scam: attackers abuse PayPal's no-code checkout pages, which are hosted on paypal.com, to publish fake support content and promote it via Google Ads.
“It’s using the paypal.com domain and then they are advertising these pages via Google Ads. This makes it really difficult for a victim to figure out that this is not a legitimate PayPal page... Everything is really hosted on PayPal’s website; it’s just that the attacker added their own text to that particular page.” — Johannes B. Ullrich [04:23]
Timestamp: 04:41 – 05:25
VMware: Broadcom patched three vulnerabilities with CVSS scores up to 9.3, the worst allowing escape from a virtual machine; Broadcom reports they are already being exploited.
“The worst outcome here is VMware Escape. So if an attacker is able to take over one of your virtual machines, they own your infrastructure.” — Johannes B. Ullrich [05:00]
On the expanding file scan threat:
“Googling comes up with the Janssen project that is actually sort of a set of identity management components and part of their SMTP server configuration refers to these files.”
— Johannes B. Ullrich [00:43]
On phishing innovation:
“I wouldn’t be surprised if other similar services aren’t vulnerable to this attack as well.”
— Johannes B. Ullrich [04:37]
On urgency of VMware patching:
“You definitely must patch now. But then again, you probably shouldn’t expose vCenter to the world.”
— Johannes B. Ullrich [05:15]
Key items: new credential-file scan targets smtpToken.json and smtpkeys; updated mac-robber.py tool for improved forensic artifact collection.
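The credential-file scanning described in the first segment is easy to spot in your own web-server logs. The following is an added example written for this page, not code from the SANS ISC diary or the Stormcast episode: it parses Apache/nginx "combined" access-log lines, matches the requested file name against the names mentioned in the episode (.env, smtpToken.json, smtpkeys) plus a few related names that are my own assumption, groups the probes per source IP, and, most importantly, flags any probe that received an HTTP 200, because that means the file was actually served and the credentials inside it must be rotated. The sample log lines are constructed, not real traffic.

```python
"""Spot scanners probing for leaked credential files in web-server access logs.

Added example (not from the SANS ISC diary or the Stormcast episode). Scans
Apache/nginx "combined" log lines for requests to credential-file names, groups
hits per source IP and flags probes that were answered with HTTP 200.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Apache/nginx combined log format:
# ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Names from the episode (.env, smtpToken.json, smtpkeys); the other entries are
# assumed common siblings and not mentioned on the page.
CREDENTIAL_FILES = {
    ".env", ".env.bak", ".env.local", ".env.production",
    "smtpToken.json", "smtpkeys",
    "config.json", "credentials.json",
}


@dataclass
class Scanner:
    ip: str
    paths: set = field(default_factory=set)   # distinct paths probed
    hits: int = 0                             # total matching requests
    served: List[str] = field(default_factory=list)  # paths answered with 200


def basename(path: str) -> str:
    """Last path component, with any query string and trailing slash removed."""
    path = path.split("?", 1)[0]
    return path.rstrip("/").rsplit("/", 1)[-1]


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format log line; None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_credential_probes(lines: Iterable[str]) -> Dict[str, Scanner]:
    """Group requests for known credential-file names by client IP."""
    scanners: Dict[str, Scanner] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if basename(rec["path"]) not in CREDENTIAL_FILES:
            continue
        s = scanners.setdefault(rec["ip"], Scanner(rec["ip"]))
        s.hits += 1
        s.paths.add(rec["path"])
        if rec["status"] == "200":
            s.served.append(rec["path"])
    return scanners


def exposed_paths(scanners: Dict[str, Scanner]) -> List[str]:
    """Paths any probe retrieved successfully; secrets in them need rotation."""
    return sorted({p for s in scanners.values() for p in s.served})


# Constructed sample log lines (not real traffic); documentation IP ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2025:08:01:12 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2025:08:01:13 +0000] "GET /smtpToken.json HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2025:08:01:13 +0000] "GET /smtpkeys HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2025:08:01:14 +0000] "GET /app/.env HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Mar/2025:08:02:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Mar/2025:08:02:41 +0000] "GET /static/app.js?v=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = find_credential_probes(SAMPLE_LOG.splitlines())
    for ip, s in found.items():
        print(f"{ip}: {s.hits} probes for {sorted(s.paths)}")
    for p in exposed_paths(found):
        print(f"EXPOSED: {p} was served with HTTP 200; rotate the secrets in it")
```

Point it at a real log with `find_credential_probes(open("/var/log/nginx/access.log"))`. Probes that draw 404s are background noise worth blocking; a single 200 for any of these names is an incident, since the scanner now has whatever SMTP or database credentials the file held.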