SANS Stormcast Tuesday Mar 11th: Shellcode as UUIDs; Moxa Switch Vuln Updates; OpenText Vuln; Livewire Volt Vuln
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9358.mp3

Shellcode Encoded in UUIDs
Attackers are using UUIDs to encode shellcode. Each UUID carries 128 bits (16 bytes); the decoded bytes are reassembled into shellcode that implements a Cobalt Strike beacon.
https://isc.sans.edu/diary/Shellcode%20Encoded%20in%20UUIDs/31752
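The summary above (and the transcript further down) describes a Python loader that ships its payload as a list of UUID strings and has Windows turn each one back into 16 bytes with UuidFromStringA. The following triage script is an added example, not code from the ISC diary or from the sample it analyses: it pulls every UUID-shaped literal out of a suspect script, reassembles the bytes, and reports size, SHA-256 and entropy so the payload can be hashed and looked up without ever executing it. The sample script, the UUID values (which decode to a harmless ASCII sentence) and the `MIN_UUIDS_TO_FLAG` threshold are all constructed for this example. The one detail worth learning here is byte order: UuidFromStringA stores the first three UUID fields little-endian, so an analyst must use `bytes_le`, not `bytes`, or every 16-byte block comes out scrambled.

```python
import hashlib
import math
import re
import uuid

# Constructed sample: a fragment of a (benign) Python loader that carries its
# payload as a list of UUID strings, the pattern the ISC diary describes.
# The UUIDs below decode to the ASCII text "Not shellcode: just test data!!!",
# not to real shellcode.
SAMPLE_SCRIPT = '''
import ctypes
payload = [
    "20746f4e-6873-6c65-6c63-6f64653a206a",
    "20747375-6574-7473-2064-617461212121",
]
'''

UUID_RE = re.compile(
    r"\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b"
)

# Hypothetical triage threshold: a script carrying this many UUID literals in
# a row is worth a closer look. Tune it to your own environment.
MIN_UUIDS_TO_FLAG = 8


def extract_uuids(text: str) -> list[str]:
    """Return every UUID-shaped literal in the text, in order of appearance."""
    return UUID_RE.findall(text)


def decode_uuid_blob(uuids: list[str], little_endian: bool = True) -> bytes:
    """Concatenate the 16 bytes behind each UUID.

    UuidFromStringA fills a UUID struct (Data1 ULONG, Data2/Data3 USHORT,
    Data4 BYTE[8]); on x86/x64 the first three fields are stored little-endian,
    so the bytes that end up in memory are uuid.UUID(...).bytes_le, not the
    big-endian .bytes that the textual form suggests. Decoding with the wrong
    order scrambles every 16-byte block.
    """
    blob = bytearray()
    for s in uuids:
        u = uuid.UUID(s)
        blob += u.bytes_le if little_endian else u.bytes
    return bytes(blob)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; packed or encrypted code sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyze(text: str) -> dict:
    """Triage summary for a script suspected of carrying a UUID-encoded payload."""
    uuids = extract_uuids(text)
    blob = decode_uuid_blob(uuids)
    return {
        "uuid_count": len(uuids),
        "payload_size": len(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "entropy": round(shannon_entropy(blob), 2),
        "flagged": len(uuids) >= MIN_UUIDS_TO_FLAG,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_SCRIPT)
    for key, value in report.items():
        print(f"{key}: {value}")
    # Show why byte order matters: the same UUIDs read big-endian are garbage.
    uuids = extract_uuids(SAMPLE_SCRIPT)
    print("little-endian:", decode_uuid_blob(uuids))
    print("big-endian:   ", decode_uuid_blob(uuids, little_endian=False))
```

Run it against a suspect script instead of `SAMPLE_SCRIPT` to get the payload hash for threat-intel lookup; a high UUID count combined with entropy near 8 bits per byte is the combination that deserves a sandbox run rather than a quick dismissal.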
Moxa CVE-2024-12297 Expanded to PT Switches
Moxa first released an update in January to address a frontend authorization logic disclosure vulnerability. It has now updated the advisory to include the PT series switches as vulnerable.
https://www.moxa.com/en/support/product-support/security-advisory/mpsa-241408-cve-2024-12297-frontend-authorization-logic-disclosure-vulnerability-identified-in-pt-switches
OpenText Insufficiently Protected Credentials
https://portal.microfocus.com/s/article/KM000037455?language=en_US
Livewire Volt API vulnerability
https://github.com/livewire/volt/security/advisories/GHSA-v69f-5jxm-hwvv
Podcast Transcript
Hello and welcome to the Tuesday, March 11, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

Well, Xavier went out and went malware hunting again in one of his malware safaris. He came across another odd API call. That's actually one of the tricks that Xavier often uses, looking for odd API calls. The odd API call here was a Windows API call, UuidFromStringA. So what it does is it takes a UUID, Universal Unique Identifier. These are these long 128-bit identifiers, and then it takes that string and converts it into its binary format. In this case, it was actually used to encode malware. So the malware was encoded in UUID strings, 16 bytes or 128 bits at a time. It was transmitted to the victim in this format and then decoded into its original binary form using this Windows API call. But the actual script was written in Python. Turned out to be a Cobalt Strike beacon. But overall, still important to know that yes, attackers can use these creative API calls to encode malware in various formats. And apparently, according to Xavier, the Lazarus group, the North Korean group often going after crypto coin, well, has been known to use this particular trick in the past.

And we have a little bit of an interesting, tricky vulnerability. I mainly want to cover it because it's a little bit confusing here. It's a vulnerability in Moxa switches. Moxa makes switches for factory environments. So a lot of them are used in ICS and OT networks. The problem here is that this particular vulnerability, which they call a front-end authorization logic disclosure vulnerability, that can be used to bypass authentication and gain admin access to the switch, well, it was originally disclosed and patched January 15th. But I saw yesterday actually this vulnerability come back. I saw a new bulletin being issued. So I was wondering what was going on here. Well, the problem is that the scope expanded. The original disclosure just covered the EDS508A series switches. This new disclosure now covers the PT series switches. So pay attention here if you're running Moxa switches in your environment, that everything is up to date and patched.

And users of OpenText Identity Manager Advanced Edition should be upgrading to version 4.9. The vulnerability that's being addressed here is allowing the exposure of insufficiently protected credentials. The impact of the vulnerability is that an authenticated user can escalate privileges, can get higher credentials for a more privileged account. This is usually not something that's considered sort of critical privilege escalation. But in this case, because the product is an identity management system and is responsible for often protecting a large number of applications, certainly something that you should address quickly.

Well, then for any fellow PHP developers out there, if you're using Livewire, which is often used in PHP to create good-looking frontends, well, then you may also be using Volt, which is an API to interface with Livewire. Volt has just patched a remote code execution vulnerability. It does take advantage of some of the templates here being used that can then be used in order to inject PHP code. The vulnerability description here on the Livewire GitHub is a little bit of a joke. It's a one-liner: malicious user-crafted request payloads could potentially lead to remote code execution within Volt components. Make sure you are updated to version 1.7.0 or later.

Well, this is it for today. So thanks again for listening. Thanks to everybody liking, subscribing, and also leaving good reviews for this podcast. And tomorrow, of course, don't forget, it's Patch Tuesday. Well, and talk to you again tomorrow. Bye.