
New Video from @internetstormcenterstormca2350: Key Cybersecurity Topics
In this July 28, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich, recording from Jacksonville, Florida, explores several key topics in cybersecurity. The first topic discussed is an interesting feature of Linux: namespaces. This feature gives each process its own view of the environment, which is extremely useful for a range of security tasks.
Specifically, Ullrich discusses the use of network namespaces to disable the network capabilities of a specific process. For example, the command "sudo unshare --net bash" yields a bash shell with no network access. This technique is particularly useful for analyzing malware without allowing it to communicate externally. However, it is often necessary to allow some form of network communication so that the malware will download its additional stages. In this case, network namespaces allow traffic to be redirected to sinkholes where HTTP requests can be recorded and analyzed.
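The sinkhole side of that setup, as an added example (not code from the Stormcast): a small HTTP listener that records every request a confined sample makes and answers with an empty 200, so the sample believes it reached its server while the analyst keeps a log of each URL, header and body. The namespace, veth and nftables commands in the comment are one possible host-side arrangement; the names "mal", "veth-mal" and the 10.200.0.0/24 range are this example's own choices.

```python
import http.client
import json
import sys
import threading
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# One possible host-side setup (root required). The namespace name, veth names and
# the 10.200.0.0/24 range are this example's own choices:
#   ip netns add mal
#   ip link add veth-host type veth peer name veth-mal
#   ip link set veth-mal netns mal
#   ip addr add 10.200.0.1/24 dev veth-host && ip link set veth-host up
#   ip -n mal addr add 10.200.0.2/24 dev veth-mal
#   ip -n mal link set lo up && ip -n mal link set veth-mal up
#   ip -n mal route add default via 10.200.0.1
#   nft add table ip sink
#   nft add chain ip sink pre '{ type nat hook prerouting priority -100 ; }'
#   nft add rule ip sink pre iifname "veth-host" tcp dport { 80, 443 } redirect to :8080
#   python3 sinkhole.py 10.200.0.1 8080 &      # this script, on the host
#   ip netns exec mal ./sample                 # the program under analysis
# Only plain HTTP is decoded here; TLS needs a terminating proxy in front, and
# DNS inside the namespace is not handled by this example.

_records = []            # in-memory copy of every captured request
_lock = threading.Lock()


def record_request(method, path, headers, body, client):
    """Build the JSON-serialisable record kept for one captured request."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "client": client,
        "method": method,
        "path": path,
        "host": headers.get("Host", ""),
        "user_agent": headers.get("User-Agent", ""),
        "body_len": len(body),
        "body_preview": body[:256].decode("latin-1"),
    }


class SinkholeHandler(BaseHTTPRequestHandler):
    """Accept any method on any path, log it, answer 200 with an empty body."""
    log_path = None      # set by start_sinkhole; None keeps records in memory only

    def _capture(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        rec = record_request(self.command, self.path, self.headers, body,
                             self.client_address[0])
        with _lock:
            _records.append(rec)
            if self.log_path:
                with open(self.log_path, "a") as fh:
                    fh.write(json.dumps(rec) + "\n")
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_PUT = do_HEAD = do_DELETE = _capture

    def log_message(self, *args):
        pass         # the JSON log is the record; keep stderr quiet


def start_sinkhole(bind="127.0.0.1", port=0, log_path=None):
    """Start the sinkhole in a background thread; return (server, bound port)."""
    SinkholeHandler.log_path = log_path
    srv = ThreadingHTTPServer((bind, port), SinkholeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def captured():
    """Snapshot of the requests recorded so far."""
    with _lock:
        return list(_records)


def send_probe(port, method="GET", path="/", body=b"", headers=None):
    """Fire one request at a local sinkhole and return the HTTP status (self-test aid)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, path, body=body, headers=headers or {})
    status = conn.getresponse().status
    conn.close()
    return status


if __name__ == "__main__":
    bind = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
    srv, port = start_sinkhole(bind, port, log_path="sinkhole.jsonl")
    print(f"sinkhole listening on {bind}:{port}, logging to sinkhole.jsonl")
    threading.Event().wait()    # serve until interrupted
```

The redirect rule catches only ports 80 and 443; anything else the sample tries still leaves the namespace into the host and is dropped there, which is visible in a packet capture on veth-host.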
Ullrich emphasizes that Linux namespaces are not limited to networks; they can also be used for file systems and mounts. He notes that this feature is often underestimated even by experienced Linux administrators.
The second topic covered is Microsoft's UI Automation. This API allows software to better interact with UI elements, such as reading the content of windows or interacting with buttons. While this feature is useful for GUI interaction scripts, it is also exploited by attackers. For example, malware can use this API to detect which software is running on the system and read the content of windows, such as those of browsers connected to online banking sites, to steal credentials.
Although this capability is not fundamentally new, it simplifies attacks. Ullrich recommends monitoring interactions with the UI Automation core DLL to detect suspicious activity. Akamai provides specific queries to monitor these interactions, although users must adapt these queries to their own monitoring tools.
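One shape such monitoring can take, as an added example (not Akamai's queries and not from the Stormcast): a rule run over Sysmon "Image loaded" events (Event ID 7) that flags processes loading UIAutomationCore.dll, the library behind the API. Because Explorer, browsers and assistive tools load it legitimately, the rule only alerts on loaders outside a baseline, and rates loaders running from user-writable directories highest. The baseline, the directory list and the sample events are constructed for this example.

```python
import json

# UIAutomationCore.dll is the library behind the UI Automation API; a Sysmon
# Event ID 7 ("Image loaded") record tells us which process pulled it in.
TARGET_DLL = "uiautomationcore.dll"

# Placeholder baseline of processes expected to load the DLL. Build the real one
# from your own telemetry: Explorer, browsers, Office and assistive tools all
# load it, which is why the raw event is too noisy to alert on by itself.
BASELINE_IMAGES = {
    "c:\\windows\\explorer.exe",
    "c:\\windows\\system32\\narrator.exe",
}

# A loader running from a user-writable location is the strongest signal here.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\",
    "\\users\\public\\", "\\programdata\\",
)


def is_uia_load(evt):
    """True for a Sysmon image-load event whose loaded module is UIAutomationCore.dll."""
    loaded = str(evt.get("ImageLoaded", "")).lower()
    return evt.get("EventID") == 7 and loaded.endswith("\\" + TARGET_DLL)


def classify(evt):
    """Return None (benign or not relevant), "review" (unknown loader) or "high"."""
    if not is_uia_load(evt):
        return None
    image = str(evt.get("Image", "")).lower()
    if image in BASELINE_IMAGES:
        return None
    if any(marker in image for marker in USER_WRITABLE):
        return "high"
    return "review"


def scan(lines):
    """Run the rule over JSON-lines Sysmon events; return the alerts in input order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        evt = json.loads(line)
        severity = classify(evt)
        if severity:
            alerts.append({
                "severity": severity,
                "pid": evt.get("ProcessId"),
                "image": evt.get("Image"),
                "user": evt.get("User"),
            })
    return alerts


# Constructed sample telemetry (four Sysmon-style events as JSON lines; the
# "Acme" helper and the Temp-directory binary are invented for the example).
SAMPLE_EVENTS = r"""
{"EventID": 7, "ProcessId": 4120, "User": "CORP\\alice", "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
{"EventID": 7, "ProcessId": 5908, "User": "CORP\\alice", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc_update.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
{"EventID": 7, "ProcessId": 6644, "User": "CORP\\alice", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
{"EventID": 7, "ProcessId": 7012, "User": "CORP\\bob", "Image": "C:\\Program Files\\Acme\\Helper\\acmehelper.exe", "ImageLoaded": "C:\\Windows\\System32\\UIAutomationCore.dll"}
"""


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS.splitlines()):
        print(json.dumps(alert))
```

The "review" tier is where the tuning Ullrich mentions happens: each unknown loader is either added to the baseline or investigated, and the rule becomes quieter as the baseline grows.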
Finally, Ullrich introduces a tool called AutoSwagger, designed to analyze APIs using the OpenAPI or Swagger standard. This tool reads the machine-readable documentation of APIs to detect vulnerabilities, such as endpoints that might leak personal information without requiring authentication. Ullrich recommends this tool for developers and API testers.
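To show what an OpenAPI-driven check of this kind does, here is an added example (not AutoSwagger's code and not from the Stormcast) that reads an OpenAPI 3 document, works out which operations require no authentication, and reports those whose 2xx responses carry fields with PII-looking names. The spec, the PII name pattern and the endpoint names are constructed for the example.

```python
import re

# Property names that suggest personal data. Tune for your domain.
PII_PATTERN = re.compile(
    r"email|phone|ssn|social|passport|birth|dob|address|street|postal|zip|salary|password|secret|token",
    re.IGNORECASE,
)
HTTP_METHODS = ("get", "post", "put", "patch", "delete", "head", "options")


def deref(spec, ref):
    """Resolve a local JSON pointer such as '#/components/schemas/User'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local $ref supported: {ref}")
    node = spec
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def collect_fields(spec, schema, seen=None):
    """All property names reachable from a schema, following $ref, items and
    allOf/oneOf/anyOf; `seen` stops reference cycles."""
    seen = set() if seen is None else seen
    if not isinstance(schema, dict):
        return []
    if "$ref" in schema:
        if schema["$ref"] in seen:
            return []
        seen.add(schema["$ref"])
        schema = deref(spec, schema["$ref"])
    names = []
    for name, sub in schema.get("properties", {}).items():
        names.append(name)
        names.extend(collect_fields(spec, sub, seen))
    names.extend(collect_fields(spec, schema.get("items"), seen))
    for key in ("allOf", "oneOf", "anyOf"):
        for sub in schema.get(key, []):
            names.extend(collect_fields(spec, sub, seen))
    return names


def operations(spec):
    """Yield (METHOD, path, operation object) for every operation in the spec."""
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            if method in item:
                yield method.upper(), path, item[method]


def is_unauthenticated(spec, op):
    """Operation-level `security` overrides the global list; an empty list means no
    auth, and an empty object entry ({}) makes auth optional, which is as good as none."""
    requirements = op.get("security", spec.get("security", []))
    return len(requirements) == 0 or any(req == {} for req in requirements)


def find_unauthenticated(spec):
    return [(m, p) for m, p, op in operations(spec) if is_unauthenticated(spec, op)]


def find_pii_leaks(spec):
    """Unauthenticated operations whose 2xx responses carry PII-looking fields."""
    findings = []
    for method, path, op in operations(spec):
        if not is_unauthenticated(spec, op):
            continue
        fields = set()
        for code, resp in op.get("responses", {}).items():
            if not str(code).startswith("2"):
                continue
            for media in resp.get("content", {}).values():
                fields.update(collect_fields(spec, media.get("schema")))
        pii = sorted(f for f in fields if PII_PATTERN.search(f))
        if pii:
            findings.append({"method": method, "path": path, "fields": pii})
    return findings


# Constructed OpenAPI 3 document: global bearer auth, one endpoint that opts out
# legitimately (/health) and one that opts out while returning user records.
SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "Status": {"type": "object", "properties": {"ok": {"type": "boolean"}}},
            "Address": {"type": "object", "properties": {
                "street": {"type": "string"}, "postalCode": {"type": "string"}}},
            "User": {"type": "object", "properties": {
                "id": {"type": "integer"}, "email": {"type": "string"},
                "phone": {"type": "string"},
                "address": {"$ref": "#/components/schemas/Address"}}},
        },
    },
    "paths": {
        "/health": {"get": {"security": [], "responses": {"200": {"content": {
            "application/json": {"schema": {"$ref": "#/components/schemas/Status"}}}}}}},
        "/users/{id}": {"get": {"responses": {"200": {"content": {
            "application/json": {"schema": {"$ref": "#/components/schemas/User"}}}}}}},
        "/export/users": {"get": {"security": [], "responses": {"200": {"content": {
            "application/json": {"schema": {"type": "array",
                "items": {"$ref": "#/components/schemas/User"}}}}}}}},
    },
}

if __name__ == "__main__":
    print("open endpoints:", find_unauthenticated(SPEC))
    for f in find_pii_leaks(SPEC):
        print(f"{f['method']} {f['path']} is unauthenticated and returns {', '.join(f['fields'])}")
```

Run against a real spec, the output is a review list rather than a verdict: /health being open is by design, while an open /export/users returning email and address fields is the kind of finding the documentation makes easy to spot before a tester ever sends a request.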
In conclusion, this video offers valuable insights into often overlooked features of Linux and new threats related to Microsoft's UI automation. It also provides practical tools to enhance API security.