SANS ISC Stormcast Feb 4th 2025: Crypto Scam; Mediatek and D-Link Patches; Microsoft ends VPN Service

If you are not able to play the podcast using the player below, use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9308.mp3


Crypto Wallet Scam
YouTube spam messages leak private keys to crypto wallets. However, these keys cannot be used to withdraw funds. Victims are scammed into depositing "gas fees", which are then collected by the scammer.
https://isc.sans.edu/diary/Crypto%20Wallet%20Scam/31646

Mediatek Patches
Mediatek patched numerous vulnerabilities in its WLAN products. Some allow unauthenticated arbitrary code execution.
https://corp.mediatek.com/product-security-bulletin/February-2025

D-Link Vulnerability
D-Link disclosed a vulnerability in older routers that, as of May, no longer receive any updates. Your only option is to upgrade the hardware.
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10415

Microsoft Discontinues VPN Service
Microsoft is shutting down the VPN service that was included as part of Microsoft Defender.
https://support.microsoft.com/en-au/topic/end-of-support-privacy-protection-vpn-in-microsoft-defender-for-individuals-8b503da5-732a-4472-833a-e2ddca53036a

Podcast Transcript

Hello and welcome to the Tuesday, February 4th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. The DA today wrote up a little problem that we actually keep having with this podcast whenever I post it to YouTube. And that's spam, but the spam is a little bit different in this case. The spam basically, as so often, says how nice the video is, but then states that they have a question: they have a crypto coin wallet and they would like to transfer the money out of that crypto coin wallet. And then they give you the seed phrase for the crypto coin wallet. Now, what surprised me when I saw these was: why did they give me the seed phrase? The seed phrase is essentially the secret key that you should never leak for your wallet. The DA dove into this deeper and also found a couple of other write-ups about this particular spam. What happens here is, first of all, the seed phrase is just a human-readable, easier-to-memorize way to express the secret key. So, yes, you can turn that into the secret key. The problem, however, in this case is that this wallet is protected with two secret keys. And the secret key they're giving you is not authorized to actually transfer money out of the wallet. So, what they're attempting here to do is for you to get greedy and attempt to transfer the money out. In order to transfer money out, you first have to deposit a little bit of cryptocurrency into the wallet in order to pay for the transaction fee. And that's what they're after. They wait for you to actually deposit the additional funds. And then you realize the transfer out actually doesn't work. The other thing that sort of made me a little bit surprised, confused, was that they always advertise the OKX wallet, because they say that they're using the OKX wallet. And at first I thought, maybe they're trying to just advertise this particular wallet. It's a browser plugin and such. Nothing really wrong with this wallet. The problem, however, is that this wallet does not display to you that this particular wallet does require a different signature to actually send money out of the wallet. So, that way it's easier for a victim to fall for the scam if they're using this specific wallet. Of course, there may be other crypto coin wallets that have the same problem in not really providing all the nitty-gritty details about what access you have to the wallet with a specific key. Interesting scam. Sorry if you're running into some spam like this on the YouTube page. I try to be pretty good about deleting it. If you see anything I missed, please let me know.

And then we got a number of, actually two different, vendors releasing updates for wireless access points, wireless routers. First one is MediaTek. A number of the vulnerabilities they're addressing are buffer overflows in the WLAN module. The problem here is that this actually would allow arbitrary code execution on the device itself without authentication. This often happens and it's not really explained in detail what the exact problem is. But a very common problem here is that in the 802.11 standard, there are certain fields that have, according to the standard, a maximum length that can be exceeded as you're actually sending the data. And it's likely an issue like this, which of course often may have an already working exploit, even though it's not declared here, because these pieces of software are often derived from open source implementations that may have fixed this problem in the past.

The other issue is D-Link. D-Link, there's a new vulnerability here. That's a remote code execution, again unauthenticated, in some of their routers. Sadly, no patches as they are end of life. We're talking here about particularly the DSR-150, DSR-250 routers. They no longer receive firmware since last May. So definitely you must replace those devices.

And Microsoft announced that they will discontinue the VPN service that was included in their Microsoft consumer security products. So if you rely on it, sadly, you will have to find a new provider. It works similarly to Apple's Private Relay, so in particular for iOS, macOS devices, you still have that available. Personally, I'm not a huge fan of many of these sort of over-advertising VPN providers. Be careful what you pick because essentially you're just creating another bottleneck for traffic interception if you are using a specific VPN provider. So trust in the provider should really be an important criterion as you are selecting one. And for many home users, actually, VPN isn't really all that necessary or useful. Maybe if you want to appear to be in a different country to bypass some movie restrictions or such.

Well, that's it for today. Please let me know if you liked a story or if I missed a story or if I should not have covered a particular issue. Thanks for listening and talk to you again tomorrow. Bye.
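The length-field bug class the transcript speculates about for the MediaTek WLAN fixes, as an added example that is not from the podcast, the ISC diary or MediaTek's code: a minimal 802.11 SSID element parser in C, with the unchecked copy pattern beside a hardened version that validates the claimed length against both the bytes actually received and the standard's 32-byte maximum. The struct, helper names and sample elements are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 802.11 information elements are TLV-encoded: [id][len][payload]. The
 * standard caps the SSID payload (element ID 0) at 32 bytes, but the len
 * byte on the wire is a full octet and can claim anything up to 255. */
#define IE_SSID      0
#define SSID_MAX_LEN 32
struct ssid {
    uint8_t len;
    uint8_t bytes[SSID_MAX_LEN];
};

/* Vulnerable pattern (the bug class the transcript describes): the len byte
 * is trusted as the copy size, so a claimed length above 32 writes past
 * out->bytes. Kept for contrast only; never feed it untrusted frames. */
int ssid_copy_unchecked(const uint8_t *ie, struct ssid *out) {
    out->len = ie[1];
    memcpy(out->bytes, ie + 2, ie[1]);
    return 0;
}

/* Hardened version: check the element id, that the claimed length fits in
 * the bytes actually received, and that it respects the standard's cap. */
int ssid_copy_checked(const uint8_t *ie, size_t avail, struct ssid *out) {
    if (avail < 2)          return -1;  /* not even id + len */
    if (ie[0] != IE_SSID)   return -2;  /* some other element */
    size_t len = ie[1];
    if (len > avail - 2)    return -3;  /* claims more than was received */
    if (len > SSID_MAX_LEN) return -4;  /* exceeds the 802.11 maximum */
    out->len = (uint8_t)len;
    memcpy(out->bytes, ie + 2, len);
    return 0;
}

/* Constructed samples: a well-formed 5-byte SSID "guest"; an IE whose len
 * byte claims 200 bytes when only 4 follow (truncated frame); and an IE
 * with 40 payload bytes actually present (rest zero-filled), over the cap. */
static const uint8_t good_ie[]       = {IE_SSID, 5, 'g', 'u', 'e', 's', 't'};
static const uint8_t short_ie[]      = {IE_SSID, 200, 'a', 'b', 'c', 'd'};
static const uint8_t long_ie[2 + 40] = {IE_SSID, 40, 'x'};

/* Runs the checked parser; returns the copied length on success or the
 * negative error code, so the outcome can be asserted on. */
int parse_ie(const uint8_t *ie, size_t avail) {
    struct ssid s;
    int rc = ssid_copy_checked(ie, avail, &s);
    return rc == 0 ? (int)s.len : rc;
}
```

The per-element maximum and the frame bound are separate checks: a driver that validates one but not the other still has a copy size the sender controls.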