
SANS Stormcast Tuesday April 15th: xorsearch Update; Short Lived Certificates; New USB Malware

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9408.mp3


xorsearch Update
Didier updated his "xorsearch" tool. It is now a Python script rather than a compiled binary, and it supports Yara signatures. With Yara support also comes support for regular expressions.
https://isc.sans.edu/diary/xorsearch.py%3A%20Searching%20With%20Regexes/31854
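To show what a regex-capable XOR search does in practice, here is a small added example (not Didier's xorsearch.py, and without YARA): every single-byte XOR key is tried, and each regular expression is run over the decoded buffer, so a URL or path hidden under a one-byte key is reported together with the key that revealed it. The sample buffer and the two patterns are constructed for this example.

```python
import re
from typing import Iterable, List, NamedTuple


class XorHit(NamedTuple):
    key: int       # single-byte XOR key under which the pattern matched
    offset: int    # byte offset of the match (identical in raw and decoded data)
    match: bytes   # decoded bytes that matched


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key; XOR is its own inverse, so this also decodes."""
    return bytes(b ^ key for b in data)


def xor_regex_search(data: bytes, patterns: Iterable[bytes],
                     keys: Iterable[int] = range(256)) -> List[XorHit]:
    """Try every key, decode the whole buffer and run each regex over it.

    Key 0 is the identity, so unencoded (plain) matches are reported as well.
    """
    compiled = [re.compile(p) for p in patterns]
    hits: List[XorHit] = []
    for key in keys:
        decoded = xor_bytes(data, key)
        for rx in compiled:
            for m in rx.finditer(decoded):
                hits.append(XorHit(key, m.start(), m.group(0)))
    return hits


# Constructed sample: a URL and a Windows path, XOR-encoded with key 0x5A and
# padded with filler bytes, standing in for strings hidden in a sample file.
PATTERNS = [
    rb"https?://[\x21-\x7e]+",     # URL up to the next whitespace/control byte
    rb"[A-Za-z]:\\[\x21-\x7e]+",   # Windows drive path
]
_PLAINTEXT = b"MZ\x90\x00 http://example.invalid/payload.bin C:\\Windows\\Temp\\upd.exe "
SAMPLE = b"\x00" * 16 + xor_bytes(_PLAINTEXT, 0x5A) + b"\xff" * 16


def find_hidden_strings(data: bytes = SAMPLE, patterns=PATTERNS) -> List[XorHit]:
    """Return only hits that needed a non-zero key, i.e. genuinely obfuscated strings."""
    return [h for h in xor_regex_search(data, patterns) if h.key != 0]


if __name__ == "__main__":
    for hit in find_hidden_strings():
        print(f"key=0x{hit.key:02x} offset={hit.offset} {hit.match!r}")
```

Because every key is tried against every pattern, the cost is 256 decodes of the file per run; for large samples the real tool's approach of matching rules against the decoded data is the same idea, with YARA doing the matching.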

Shorter Lived Certificates
The CA/Browser Forum passed an update to reduce the maximum lifetime of certificates. The reduction will be implemented over the next four years. EFF also released an update to certbot introducing profiles that can be used to request shorter lived certificates.
https://www.eff.org/deeplinks/2025/04/certbot-40-long-live-short-lived-certs
https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/bvWh5RN6tYI
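The operational question behind shorter lifetimes is whether your renewal automation keeps up. The following added example (not part of the show notes, and not certbot code) encodes the phased schedule from the CA/Browser Forum ballot (200 days from 15 March 2026, 100 days from 15 March 2027, 47 days from 15 March 2029, with 398 days as the limit in force before then), checks a certificate's validity window against it, and derives how often a renewal job has to run. The renew-at-two-thirds rule is an assumption of the example.

```python
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Maximum certificate validity by issuance date. Ordered newest first so the
# first matching entry wins; date.min catches everything issued before the
# phase-in. Validity is counted in whole days from notBefore to notAfter.
VALIDITY_SCHEDULE: List[Tuple[date, int]] = [
    (date(2029, 3, 15), 47),
    (date(2027, 3, 15), 100),
    (date(2026, 3, 15), 200),
    (date.min, 398),
]


def max_validity_days(issued: date) -> int:
    """Return the longest validity a certificate issued on `issued` may have."""
    for start, days in VALIDITY_SCHEDULE:
        if issued >= start:
            return days
    raise ValueError("unreachable: the date.min entry always matches")


def check_certificate(not_before: date, not_after: date) -> Dict[str, object]:
    """Compare a certificate's validity window with the limit for its issue date."""
    lifetime = (not_after - not_before).days
    limit = max_validity_days(not_before)
    return {
        "lifetime_days": lifetime,
        "max_allowed_days": limit,
        "compliant": 0 < lifetime <= limit,
    }


def renewal_plan(lifetime_days: int, renew_numer: int = 2,
                 renew_denom: int = 3) -> Dict[str, int]:
    """Derive an automation cadence from a certificate lifetime.

    Assumption: renew once renew_numer/renew_denom of the lifetime has elapsed
    (the familiar 60-day mark for 90-day certificates). The renewal job must run
    often enough that a single failed run still leaves time before expiry, so
    the check interval is capped at half the slack between renewal and expiry.
    Integer arithmetic avoids float rounding (90 * 2 // 3 is exactly 60).
    """
    renew_after = max(1, lifetime_days * renew_numer // renew_denom)
    slack = lifetime_days - renew_after
    return {
        "renew_after_days": renew_after,
        "max_check_interval_days": max(1, slack // 2),
    }


if __name__ == "__main__":
    today = date(2029, 4, 1)  # constructed issue date after the final step
    print(check_certificate(today, today + timedelta(days=90)))
    for days in (90, 47, 6):
        print(days, renewal_plan(days))
```

Running it shows why a daily cron job is fine for 90-day certificates but a six-day certificate needs renewal checks at least daily with no margin for a missed run; that is the gap the new certbot profiles are meant to be used with.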

New Malware Harvesting Data from USB drives and infecting them.
Kaspersky is reporting that they identified new malware that not only harvests data from USB drives, but also spreads via USB drives by replacing existing documents with malicious files.
https://securelist.com/goffee-apt-new-attacks/116139/
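A defender-side check that follows from the behaviour described (an executable taking the name of a document on a removable drive): compare each file's extension with its leading magic bytes and flag executables that carry a document extension. This is an added, generic example, not Kaspersky's indicators or the malware's actual file names; the extension list, magic values and the sample drive contents are constructed for it.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Document types a user would expect on a removable drive, and the bytes genuine
# files of those types start with (assumption of this example; PDF, OOXML zip
# container, and the legacy OLE2 compound document header).
DOCUMENT_MAGIC: Dict[str, bytes] = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".pptx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0",
    ".xls": b"\xd0\xcf\x11\xe0",
}
EXECUTABLE_MAGIC: Dict[bytes, str] = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
}


def classify(path: Path) -> Tuple[str, str]:
    """Return (verdict, reason) for one file based on its first bytes."""
    ext = path.suffix.lower()
    with path.open("rb") as f:
        head = f.read(8)
    for magic, kind in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            if ext in DOCUMENT_MAGIC:
                return "suspicious", f"{kind} disguised with document extension {ext}"
            return "executable", kind
    expected = DOCUMENT_MAGIC.get(ext)
    if expected is not None and not head.startswith(expected):
        return "mismatch", f"content does not look like {ext}"
    return "ok", "content matches extension"


def scan_volume(root: Path) -> List[Tuple[Path, str, str]]:
    """Walk a mounted removable drive and report files whose content contradicts their name."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            verdict, reason = classify(p)
            if verdict in ("suspicious", "mismatch"):
                findings.append((p, verdict, reason))
    return findings


def make_sample_volume() -> Path:
    """Constructed stand-in for a USB drive: genuine documents plus one PE file
    carrying a document name, mirroring the swap described in the report."""
    root = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    (root / "minutes.pdf").write_bytes(b"%PDF-1.7\n% constructed sample\n")
    (root / "notes.txt").write_bytes(b"plain text, no magic to check\n")
    (root / "reports").mkdir()
    (root / "reports" / "q1.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 28)
    # An executable header behind a document name: the pattern to catch.
    (root / "reports" / "budget.docx").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    return root


if __name__ == "__main__":
    for p, verdict, reason in scan_volume(make_sample_volume()):
        print(f"{verdict:10} {p}: {reason}")
```

Point it at the mount point of a drive that came back from an untrusted machine before anyone double-clicks anything on it; a file that the explorer shows with a document icon but that starts with an executable header is the kind of swap the report describes.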

Podcast Transcript

Hello and welcome to the Tuesday, April 15th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Orlando, Florida. Well, I think it was only a week ago that Didier promised to expand his tool xorsearch with the ability to actually search for regular expressions. This promise has now been fulfilled. Actually, there's more to it. The original xorsearch was a compiled executable. The new one is now a Python script, typical for Didier, of course. And with that comes the ability to not just specify regular expressions, but actually Yara rules that you can use to search the result file for various strings. And Yara supports regular expressions. So with that also comes regular expression support. Pretty neat update to the tool. Let Didier know if you like it. And of course, there are plenty of examples of how to use the tool, what the different output formats are for the strings that you are finding in Didier's diary today.

And we have more news for users of TLS certificates. The Certificate Authority Browser Forum finally finalized their decision on shortening certificate lifetimes. First of all, it'll start with reducing the certificate lifetime to 200 days. That'll start on March 15th next year. Next, we'll have again March 15th, 2027. It'll go down 200 days. And finally, March 15th, 2029. It'll go down all the way to 47 days. In order to support that, of course, you will need better automation. Certbot or the Electronic Frontier Foundation actually also just released Certbot 4.0, which also is supporting shorter certificate lifetimes. What they introduce now is profiles. And the way this works is currently you do have the option to use the standard profile, which is basically the way it already works with 90-day certificate lifetimes via Let's Encrypt. And then you also have more short-timed certificates that are going down to six days. So the way you select this is after you install Certbot 4.0 is that you basically specify which profile you would like to use. And then you get either the longer 90-day certificates or the shorter six-day certificates. The default will remain 90 days for Certbot. And of course, most users will continue to use whatever Certbot version that comes with your operating system, with your Unix distribution. And that is usually an older one. I just checked the recent Ubuntu version actually uses Certbot 2.7.

And Kaspersky has a write-up about some new malware that they discovered they attribute to a threat actor that they're calling GOFFEE. Given Kaspersky's line of business, this particular malware was found to target organizations in Russia. What's sort of interesting here is not the initial infection vector. That's pretty straightforward and kind of old stuff. It's a malicious PDF document or Word document that then activates a downloader. And after it's finished doing so, it will actually unload a benign document in order to fool the user into believing that they opened the document they believed to want to have opened. What's interesting about it is how it's targeting removable devices. It not only copies files from removable devices inserted into an infected system, but it will then also attempt to copy itself to the removable device. And the way it sort of tricks a victim into executing the malware is by essentially replacing an existing document on the removable device with the malware. And then just basically renaming the original document. Once the malware is started, the device then is restored and the original document flipped back and opened. So again, the user doesn't necessarily see anything wrong here. They thought they opened the document that they had on the device before. And well, that document appears to open. What they don't notice is that the malware is also being executed. Interesting trick here. And definitely there seems to be a little bit of a resurgence in USB devices spreading malware. There have also been some other sort of nation state style attacks that I've seen reports about lately. Where basically just USB sticks were dropped outside of government buildings.

Well, and this is it for today. So if you like this podcast, please, of course, subscribe and recommend it to others. And well, if you're here in Orlando, say hi. And like I said, I do have some stickers still left with me. Bye.