
Internet Storm Center Stormcast: April 10, 2025 Edition on Cybersecurity
This content is an AI-generated summary. If you encounter any misinformation or problematic content, please report it to cyb.hub@proton.me.
In this April 10, 2025 edition of the Internet Storm Center's Stormcast, Johannes Ullrich discusses several notable cybersecurity topics. The first item concerns the exploitation of obfuscated Python: a simple script uses PowerShell to download additional Python code, and what makes it notable is its use of PyArmor to obfuscate that code. PyArmor is not malicious in itself; it is commonly used to protect commercial Python scripts. The obfuscation does, however, make the script hard to analyze, especially in sandbox environments.
Xavier breaks the script down line by line to demonstrate some behavioral analysis techniques. Another important topic is a vulnerability in CentreStack, a Gladinet product that exposes file shares such as SMB shares through a simple web interface. This interface, written in .NET, uses ViewState, which the server signs with a machine key. The vulnerability lies in the fact that this machine key was not properly protected, and it has been exploited since March. A patch has been published to fix the flaw and generate a new machine key.
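As an added illustration of the configuration weakness described above (example code written for this summary, not from the podcast or from the vendor), the following Python audit flags an ASP.NET web.config whose machineKey holds a literal key instead of an auto-generated one, and reports the same literal key reused across several installations. The configs are constructed samples with made-up key values.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configs (not from any real product): two installs that
# ship the same literal key, and one that lets ASP.NET generate keys per app.
SHARED_KEY_CONFIG = """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              decryptionKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""

AUTO_KEY_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" validation="HMACSHA256" />
</system.web></configuration>"""

# A literal key is a long hex string; "AutoGenerate,IsolateApps" never matches.
HEX_KEY = re.compile(r"^[0-9A-Fa-f]{32,}$")


def _machine_key(config_xml):
    """Return the <machineKey> element of a web.config string, or None."""
    return next(ET.fromstring(config_xml).iter("machineKey"), None)


def audit_machine_key(config_xml):
    """Return one finding per literal key attribute in a single web.config."""
    findings = []
    mk = _machine_key(config_xml)
    if mk is None:
        return findings  # no element: ASP.NET defaults to auto-generated keys
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if HEX_KEY.match(value):
            findings.append(f"{attr} is a literal value; if it leaks or is "
                            f"shared across installs, ViewState can be forged")
    return findings


def shared_keys(configs):
    """Map each literal validationKey to the installs using it (only keys seen twice or more)."""
    seen = {}
    for name, xml in configs.items():
        mk = _machine_key(xml)
        key = mk.get("validationKey", "") if mk is not None else ""
        if HEX_KEY.match(key):
            seen.setdefault(key, []).append(name)
    return {k: v for k, v in seen.items() if len(v) > 1}
```

Run `audit_machine_key` over each deployment's web.config and `shared_keys` over the collection; any shared literal key should be rotated, which is what the vendor patch described above does.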
Google has also released updates for Android, fixing 62 vulnerabilities, two of which are related to USB. One allows access to confidential data, while the other, in the USB audio component, was used by Serbian police to access locked Android phones. It is crucial to update Android devices as soon as possible. Broadcom has also released updates for VMware Tanzu, fixing 47 vulnerabilities, 29 of which affect the backup and restore component. Many of these vulnerabilities allow remote code execution, highlighting the importance of these updates.
Another interesting point is the sudden appearance of an inetpub directory on Windows 11 systems after the latest update. This directory is normally used by IIS to serve files, but it appears safe to delete if it is empty. Finally, a file spoofing vulnerability in WhatsApp has been fixed. The flaw allowed an attacker to send a file that appeared to be a harmless image but turned out to be an executable once saved. SANS has also released a new version of its Critical AI Security Guidelines, emphasizing the importance of protecting AI workflows in a rapidly evolving field. For those interested, Johannes Ullrich will speak at an ISSA event in Jacksonville on Friday, repeating a presentation he gave for InfraGard. Links to the show notes and the event will be available for those who want to learn more.