
SANS Internet Storm Center's Stormcast Highlights Advanced Malware Techniques and Critical Vulnerabilities
In the April 28, 2025 edition of the SANS Internet Storm Center's Stormcast, Johannes Ullrich, recording from Jacksonville, Florida, discusses several important cybersecurity topics.

The first point concerns a malware technique that uses steganography to encode an executable within an image. The method adjusts the values of individual pixels to hide the binary, so the file still looks like an ordinary image to network defenses. Johannes emphasizes that true steganography involves subtle adjustments that mask the presence of the additional data, unlike simply appending data to an image file.

Another point concerns DDA, known for its Python analysis scripts, and how those tools can be used to analyze malware that relies on steganography. DDA's PNG dump tool decompresses PNG images so that the hidden binary data can be extracted from the pixels. Johannes explains that each steganography tool uses slightly different techniques, so the analysis process has to be adapted to each one. He also notes that it is difficult to tell whether an image carries additional data without having the original image to compare against.

A critical security issue involves SAP's NetWeaver, where a vulnerability in the Visual Composer, a component deprecated for about 10 years but still enabled on many systems, allows arbitrary files to be uploaded without authentication. This flaw, with a CVSS score of 10, enables the upload of webshells to gain full system access. Although SAP has released a patch, there is disagreement over whether the vulnerability is being actively exploited. Several companies, including ReliaQuest and Onapsis, have reported exploitation attempts, which underlines the importance of disabling vulnerable components and treating unpatched systems as compromised.

Finally, Johannes addresses the issue of false positives in MS Defender XDR, where confidential documents were mistakenly flagged as malicious and made public. He warns against uploading sensitive documents to free platforms like VirusTotal, where submitted documents can become public. It is crucial to ensure that documents do not contain critical information before submitting them for such analysis.

In conclusion, this edition of the Stormcast sheds light on advanced malware techniques, critical vulnerabilities, and essential security practices. The information shared is valuable for cybersecurity professionals seeking to protect their systems against emerging threats.
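The steganography analysis described above (decompress the PNG, undo the scanline filters, read the hidden bits back out of the pixel values) can be illustrated with a small self-contained script. This is an added example, not code from the Stormcast or from DDA's tools: it builds a constructed 16x16 RGB cover image, hides a constructed stand-in blob (one that merely starts with an `MZ` header) in the least-significant bit of each channel byte, and then plays the analyst's side: walks the PNG chunks, verifies CRCs, inflates the IDAT stream, reverses filter types 0 through 4, collects the LSB plane and checks whether the recovered stream begins with a known file signature. The LSB layout is one common scheme and is assumed here; as the Stormcast notes, other tools encode differently, so the extraction step would have to be adapted per tool.

```python
import struct
import zlib

# Constructed 16x16 8-bit RGB sample; the hidden blob is a stand-in that merely starts
# with an MZ header so the magic-byte check below has something to fire on.
WIDTH, HEIGHT, BPP = 16, 16, 3
PAYLOAD = b"MZ" + b"\x90" * 10 + b"constructed-not-a-real-binary"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAGICS = {b"MZ": "PE executable", b"\x7fELF": "ELF executable", b"PK\x03\x04": "ZIP container"}


def make_cover_rows():
    """Deterministic gradient cover image, one bytearray of RGB triples per scanline."""
    rows = []
    for y in range(HEIGHT):
        row = bytearray()
        for x in range(WIDTH):
            row += bytes((x * 16 & 0xFF, y * 16 & 0xFF, (x + y) * 8 & 0xFF))
        rows.append(row)
    return rows


def embed_lsb(rows, blob):
    """Write the blob's bits into the least-significant bit of successive channel bytes.
    This is the assumed 'pixel value adjustment' scheme; it exists here only to build the sample."""
    flat = bytearray(b"".join(rows))
    bits = [(b >> i) & 1 for b in blob for i in range(7, -1, -1)]
    if len(bits) > len(flat):
        raise ValueError("cover image too small for blob")
    for i, bit in enumerate(bits):
        flat[i] = (flat[i] & 0xFE) | bit
    stride = WIDTH * BPP
    return [flat[i:i + stride] for i in range(0, len(flat), stride)]


def chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def write_png(rows):
    """Encode rows as a PNG; odd scanlines use the Sub filter so the decoder's
    unfilter path is exercised rather than only filter type 0."""
    ihdr = struct.pack(">IIBBBBB", WIDTH, HEIGHT, 8, 2, 0, 0, 0)  # 8-bit, colour type 2 = RGB
    raw = b""
    for y, row in enumerate(rows):
        if y % 2:
            raw += b"\x01" + bytes((row[i] - (row[i - BPP] if i >= BPP else 0)) & 0xFF
                                   for i in range(len(row)))
        else:
            raw += b"\x00" + bytes(row)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def parse_png(data):
    """Walk the chunk list, verify each CRC, and return (width, height, inflated IDAT stream)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, ihdr, idat = 8, None, []
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + body) != crc:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        if ctype == b"IHDR":
            ihdr = struct.unpack(">IIBBBBB", body)
        elif ctype == b"IDAT":
            idat.append(body)  # image data may be split across several IDAT chunks
        elif ctype == b"IEND":
            break
        pos += 12 + length
    w, h, depth, colour = ihdr[:4]
    if (depth, colour) != (8, 2):
        raise ValueError("this example handles 8-bit RGB only")
    return w, h, zlib.decompress(b"".join(idat))


def unfilter(w, h, stream):
    """Undo the per-scanline PNG filters (types 0-4) to recover the raw channel bytes."""
    stride, pos, prev, rows = w * BPP, 0, bytearray(w * BPP), []
    for _ in range(h):
        ftype, line = stream[pos], bytearray(stream[pos + 1:pos + 1 + stride])
        pos += 1 + stride
        for i in range(stride):
            a = line[i - BPP] if i >= BPP else 0  # left neighbour, already reconstructed
            b = prev[i]                           # byte directly above
            c = prev[i - BPP] if i >= BPP else 0  # upper-left neighbour
            if ftype == 1:
                pred = a
            elif ftype == 2:
                pred = b
            elif ftype == 3:
                pred = (a + b) // 2
            elif ftype == 4:  # Paeth predictor
                p = a + b - c
                pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
                pred = a if pa <= pb and pa <= pc else b if pb <= pc else c
            else:
                pred = 0
            line[i] = (line[i] + pred) & 0xFF
        rows.append(line)
        prev = line
    return rows


def extract_lsb(rows):
    """Collect the LSB of every channel byte, MSB-first within each recovered byte."""
    flat = b"".join(rows)
    return bytes(int("".join(str(b & 1) for b in flat[i:i + 8]), 2)
                 for i in range(0, len(flat) - 7, 8))


def classify(blob):
    """Analyst check: does the recovered stream start with a known file signature?"""
    return next((name for magic, name in MAGICS.items() if blob.startswith(magic)), None)


def analyze_png(png_bytes):
    w, h, stream = parse_png(png_bytes)
    hidden = extract_lsb(unfilter(w, h, stream))
    return classify(hidden), hidden


def build_sample_png():
    return write_png(embed_lsb(make_cover_rows(), PAYLOAD))


if __name__ == "__main__":
    kind, hidden = analyze_png(build_sample_png())
    print(kind, hidden[:len(PAYLOAD)])
```

The magic-byte check only works because this sample hides a plain file; real samples may encrypt or compress the blob first, in which case the LSB plane looks like noise and, exactly as the Stormcast points out, there is no reliable way to confirm hidden content without the original cover image. The extraction logic is the part worth reusing: once the filters are undone, the bit-collection step can be rewritten for whatever bit layout a given sample turns out to use.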