
New Episode of SANS Internet Storm Center Stormcast Highlights Cybersecurity Concerns
In this episode of the SANS Internet Storm Center Stormcast dated Tuesday, December 9, 2025, Johannes Ullrich discusses several hot topics in cybersecurity, blending technical depth with accessibility. One of the central points of this edition is the analysis of a low-cost device called Nano KVM, a tool that allows remote access to a computer's keyboard, screen, and mouse over an IP connection. Although useful in situations such as power outages or remote management, this product raises serious security concerns.
The Nano KVM is marketed as an economical solution, but its lack of robust protection is alarming. Several vulnerabilities have been identified, including issues with password hashing and encryption, as well as an SSH server enabled by default with a predefined password. Security researchers have struggled to convince the manufacturer to fix these flaws, leaving users exposed to intrusion risks. Recently, a critical vulnerability was discovered in the firmware update process: the mechanism for updating a binary blob (a proprietary component) is completely unsecured, opening the door to malicious updates. In other words, an attacker could inject compromised firmware to take control of the device.
Another troubling detail is the presence of a microphone on the Nano KVM motherboard, with no apparent justification. Although the manufacturer claims that this microphone is inherited from another product (a single board computer using the same motherboard), its inclusion in a device designed for remote access raises questions about potential espionage intentions. Fortunately, it is possible to remove this microphone, although the operation is delicate due to its tiny size. For those who do not trust the original firmware, an open-source alternative is in development, based on standard Linux distributions. However, this solution has not yet been thoroughly tested to evaluate its reliability and performance compared to the official firmware. Johannes emphasizes a crucial point: these devices should never be exposed directly to the Internet, as they would become easy targets for cybercriminals.
Next, the episode discusses a new phishing technique called Ghost Frame, detected by Barracuda. This phishing kit uses iframes (embedded frames within a web page) to bypass detection mechanisms. The principle is simple but effective: the malicious email or web page appears harmless because it does not directly contain the fraudulent login form. This form is loaded dynamically via an iframe, allowing it to evade anti-phishing filters. Additionally, attackers use unique subdomains for each victim, encoding specific information in the URL to personalize the attack. This method is reminiscent of some sophisticated phishing campaigns where the target company's logo is automatically displayed based on the URL parameters, making the scam more credible.
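As an added detection example (not code from the episode or from Barracuda's report), the heuristic below inspects a captured HTML page for the pattern described above: a lure page that contains no credential form of its own but embeds a cross-origin iframe whose leftmost hostname label encodes the victim's address. The hex and base32 encodings, the hostnames and the sample page are assumptions constructed for the example.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframe_srcs = []
        self.has_password_field = False  # set if the outer page has its own <input type=password>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src"):
            self.iframe_srcs.append(a["src"])
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.has_password_field = True

def decode_label(label):
    """Decode a hostname label as hex, then base32 (assumed encodings; DNS labels are case-insensitive)."""
    decoders = (bytes.fromhex, lambda s: base64.b32decode(s.upper() + "=" * (-len(s) % 8)))
    for decoder in decoders:
        try:
            text = decoder(label).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text and text.isprintable():
            return text
    return None

def analyse_page(html, page_url):
    """List iframes whose host differs from the hosting page, with any decodable leftmost label."""
    parser = IframeCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname or ""
    findings = []
    for src in parser.iframe_srcs:
        host = urlparse(src).hostname or ""  # urlparse lowercases the hostname
        if not host or host == page_host:
            continue  # relative or same-origin iframe: ordinary page composition
        findings.append({"iframe_host": host, "decoded_label": decode_label(host.split(".")[0])})
    return {"outer_password_field": parser.has_password_field, "cross_origin_iframes": findings}

def looks_like_ghost_frame(result):
    """No credential field on the outer page, but a cross-origin frame keyed to a victim address."""
    return not result["outer_password_field"] and any(
        f["decoded_label"] and "@" in f["decoded_label"] for f in result["cross_origin_iframes"])

# Constructed sample: a bare lure page that pulls the login form from a per-victim subdomain.
SAMPLE_HTML = """<html><body><h1>A document was shared with you</h1>
<iframe src="https://75736572406578616d706c652e636f6d.docs-verify.example/login"></iframe>
</body></html>"""
```

The same logic can be applied to the iframe sources in a mail gateway's rendered-HTML output; a cross-origin frame alone is not malicious, so the per-victim label and the absence of an outer form are what raise the score.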
Finally, Johannes mentions an important update for WatchGuard's Firebox appliances, fixing ten vulnerabilities, five of which are rated high severity. None are critical, but some deserve particular attention. For example, a memory corruption vulnerability in the IKE daemon (used for IPsec connections) could allow an unauthenticated attacker to cause a denial of service, depending on the configuration. Another vulnerability, an XPath flaw, could leak internal configuration and does not require authentication to exploit. Although the immediate risks seem limited, Johannes strongly recommends applying these patches quickly, as more ingenious attackers could find more damaging uses for these vulnerabilities.
In summary, this episode highlights the dangers of cheap connected devices, the evasion techniques used by cybercriminals, and the importance of security updates. Whether for individuals or businesses, these insights underscore the need for vigilance and caution in an increasingly hostile digital landscape. For those wishing to delve deeper into these topics, the episode concludes with an invitation to leave a review on the Apple Podcasts app to support the dissemination of these valuable analyses.