SANS Stormcast Wednesday Mar 5th: SMTP Credential Hunt; mac-robber.py update; ADSelfService Plus Account Takeover; Android Patch Day; PayPal Scams; VMWare Escape Fix
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9350.mp3

Romanian Distillery Scanning for SMTP Credentials
A particular attacker has expanded the scope of their leaked-credential file scans. In addition to the usual ".env"-style files, the host is now also looking for SMTP-related credential files (smtp-token.json and smtp-keys).
https://isc.sans.edu/diary/Romanian%20Distillery%20Scanning%20for%20SMTP%20Credentials/31736
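A defender-side way to spot this kind of scan in your own web server logs, as an added example that is not part of the ISC diary or the podcast: it parses combined-format access log lines (constructed sample lines below, not real traffic) and reports source addresses that probed more than one of the credential-file names named above.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in Apache/nginx combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [04/Mar/2025:10:00:01 +0000] "GET /.env HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.10 - - [04/Mar/2025:10:00:02 +0000] "GET /smtp-token.json HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.10 - - [04/Mar/2025:10:00:03 +0000] "GET /config/smtp-keys HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Mar/2025:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Mar/2025:10:01:05 +0000] "GET /.env HTTP/1.1" 404 162 "-" "curl/8.0"
"""

# File names the ISC diary reports being probed for: the usual .env plus the two new SMTP files.
CREDENTIAL_FILES = (".env", "smtp-token.json", "smtp-keys")

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_credential_probe(path):
    """True if the last path component (query string and trailing slash stripped) is a probed file."""
    base = path.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]
    return base in CREDENTIAL_FILES


def scan_log(text, threshold=2):
    """Return {ip: [paths]} for sources that requested at least `threshold` distinct credential files.

    The threshold (an assumption chosen here) keeps a single stray /.env request from alerting
    while still flagging a host walking through several credential-file names.
    """
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_credential_probe(m.group("path")):
            continue
        hits[m.group("ip")].append(m.group("path"))
    return {ip: paths for ip, paths in hits.items() if len(set(paths)) >= threshold}


if __name__ == "__main__":
    for ip, paths in scan_log(SAMPLE_LOG).items():
        print(f"{ip} probed credential files: {', '.join(paths)}")
```

Lower the threshold to 1 if you want every probe for these names reported rather than only multi-file scans.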
Tool Updates: mac-robber.py
This update of mac-robber.py fixes issues with symlinks.
https://isc.sans.edu/diary/Tool%20update%3A%20mac-robber.py/31738
CVE-2025-1723 – Account takeover vulnerability in ADSelfService Plus
CVE-2025-1723 describes a vulnerability caused by session mishandling in ADSelfService Plus that could allow unauthorized access to user enrollment data when MFA was not enabled for ADSelfService Plus login.
https://www.manageengine.com/products/self-service-password/advisory/CVE-2025-1723.html
Android March Update
Google released an update for Android addressing two already exploited vulnerabilities and several critical issues.
https://source.android.com/docs/security/bulletin/2025-03-01
PayPal's no-code-checkout Abuse
PayPal's no-code-checkout feature is being abused by scammers to host PayPal tech support scam pages right within the paypal.com domain.
https://www.malwarebytes.com/blog/scams/2025/02/paypals-no-code-checkout-abused-by-scammers
Broadcom Fixes Three VMware vCenter Vulnerabilities
https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004
Podcast Transcript
Hello and welcome to the Wednesday, March 5th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Baltimore, Maryland.

Now in our first-seen URLs list, I noticed an interesting pattern where we had a host that is scanning routinely for the last month or so for leaked credential files like your usual .env files and such. They added some new files to their repertoire, smtp-token.json and a second file that is smtp-keys. The problem with these files is that, well, they likely contain SMTP server credentials. It's not quite sure what particular application these files are associated with, but Googling comes up with the Janssen project. That is actually sort of a set of identity management components and part of their SMTP server configuration refers to these files. Interesting, also a little bit sort of a side note that this particular system that is scanning for these files now is associated with a distillery in Romania. Haven't made contact with them yet, but I assume it's just another compromised system and it's going after various credential files for about a month now.

And Jim today posted a second diary. This diary is just a quick notice that Jim updated his tool mac-robber.py. This tool is sort of a re-implementation of the mac-robber tool that comes with The Sleuth Kit, just in Python. And the latest version that was actually released a couple of weeks ago does fix some issues with following symlinks.

I think we got a couple of vulnerabilities to talk about. So let's start with Zoho's ADSelfService Plus. This tool is important. Well, because the AD here doesn't stand for advertisements, but for Active Directory, it allows users to manage their identity. And apparently they didn't get their sessions quite right. So that allows the attacker to gain information about enrolled users without authentication. This vulnerability is mitigated if you have two-factor authentication implemented, which kind of sounds like a good idea anyway for a tool like this. And of course, there is now a patch available fixing this session handling vulnerability.

And Google yesterday had its Android patch day for March. It's significant insofar as two of the vulnerabilities being patched here, privilege escalation vulnerabilities, one of them in the framework, one of them in the kernel, have already been exploited in some limited targeted attacks. As these updates become available for your particular phone, you probably do want to apply them rather quickly. There are also a number of not yet exploited critical vulnerabilities, but I'm sure that people are pretty much already working on trying to find exploits for them right now.

And Malwarebytes is warning of an interesting new phishing and scam technique to impersonate PayPal. PayPal offers to merchants the no-code checkout option. What this really means is that PayPal basically will create a checkout page for you that you're able to heavily customize. But the page itself is hosted within the paypal.com domain. So what attackers are doing here is that they're signing up for these no-code checkout pages. They're creating now a page that doesn't really look like a checkout page, but instead offers, for example, PayPal support phone numbers and such. Because you pretty much can add whatever content you would like to this page, which of course is branded by PayPal. It's using the paypal.com domain. And then they are advertising these pages via Google Ads. This makes it really difficult for a victim to figure out that this is not a legitimate PayPal page. Because, well, everything is really hosted on PayPal's website. It's just that the attacker added their own text to that particular page. Interesting scam. And I wouldn't be surprised if other similar services aren't vulnerable to this attack as well.

And Broadcom released updates for VMware vCenter, fixing three different vulnerabilities with CVSS scores up to 9.3. The worst outcome here is a VMware escape. So if an attacker is able to take over one of your virtual machines, they own your infrastructure. And these vulnerabilities, according to Broadcom, are already being exploited. So you definitely must patch now. But then again, you probably shouldn't expose vCenter to the world. Well, your virtual machines, on the other hand, you probably can't help but expose some content of them. And then one virtual machine that's vulnerable would then be used in order to, again, take over your infrastructure. So this is a super critical vulnerability.

Well, that's it for today. So thanks again for listening. And thanks again for any feedback received, for all the good reviews. And if you haven't gotten around to it yet, please check the five stars. Check the like or whatever in your particular podcast platform. And talk to you again tomorrow. Bye-bye.