
SANS Internet Storm Center Stormcast: May 5, 2025 Edition
In this May 5, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich speaks from San Diego, California. He begins by announcing a new steganography challenge from Didier, following several recent diaries on the subject. Steganography hides a message inside another file, typically an image, and Didier has published Python scripts that help extract such hidden messages. The challenge image uses a slightly different embedding method, but the existing tools should still work. Johannes mentions that he may hand out stickers for submitted solutions.

Next come several news items about Microsoft and passwords. First, Microsoft is making passkeys the default when new accounts are created, so a new account no longer needs a traditional password; a passkey is bound to the site and cannot be phished or reused the way a password can. However, this only applies when Microsoft Authenticator is used; with other authenticators a password is still required.

The second item concerns Microsoft Authenticator's role as a password manager. Starting in June it will no longer accept new passwords, and in July the feature disappears entirely. Microsoft Edge, Microsoft's Chromium-based browser, takes over as the password manager. That simplifies password handling inside Edge, but it complicates interoperability with other browsers, which makes a standalone password management application even more relevant.

Johannes also discusses an unusual supply chain attack. It is unusual because the backdoor components were present in certain packages as early as 2019 but were only activated recently. Several vendors are involved, and none has yet acknowledged the compromise, even though patches for the backdoor are available.
The backdoor masquerades as a license check that the plugin supposedly needs in order to run, and it lets an attacker download files to the server and execute them. Early versions of the backdoor required no authentication at all; later versions gate it behind hardcoded keys, which are now public, so anyone can use them. Johannes advises Magento users to check whether they are running any of the affected packages. In closing, Johannes invites listeners to meet him at SANS Security West in San Diego, where he is teaching this week. He still has stickers to give away and looks forward to meeting listeners.
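As a starting point for the check Johannes recommends, here is a small editor-added Python script; it is not code from SANS ISC, from any of the affected vendors, or from the researchers who found the backdoor. It does two things: it walks a Magento code tree for PHP files that combine a remote fetch with dynamic code execution or a write to disk (the download-and-execute shape described above, with extra attention to files named after a "license" check), and it compares composer.lock against a watchlist of package names. The watchlist itself must come from the vendor advisories; the package name acme/widget, the paths, and the three sample PHP files below are all constructed placeholders, and the "backdoor" sample only imitates the shape, not the real code.

```python
import json
import re
import tempfile
from pathlib import Path

# Heuristic regexes for PHP source. Constructed by the editor as illustrations,
# not signatures for the real backdoor.
FETCH_PATTERNS = {
    "curl_exec": re.compile(r"\bcurl_exec\s*\("),
    "file_get_contents(url)": re.compile(r"\bfile_get_contents\s*\(\s*(?:['\"]https?://|\$)"),
    "fopen(url)": re.compile(r"\bfopen\s*\(\s*['\"]https?://"),
}
EXEC_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "dynamic include": re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*\$"),
    "shell": re.compile(r"\b(?:system|shell_exec|passthru|exec|popen|proc_open)\s*\("),
}
WRITE_PATTERN = re.compile(r"\bfile_put_contents\s*\(")


def classify_php(src):
    """Return (fetch indicators, exec indicators, writes_to_disk) for one PHP source string."""
    fetch = [name for name, rx in FETCH_PATTERNS.items() if rx.search(src)]
    execs = [name for name, rx in EXEC_PATTERNS.items() if rx.search(src)]
    writes = bool(WRITE_PATTERN.search(src))
    return fetch, execs, writes


def scan_tree(root):
    """Walk `root` for *.php; return {relative_posix_path: [reasons]} for files worth a manual look."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        try:
            src = path.read_text(errors="replace")
        except OSError:
            continue
        fetch, execs, writes = classify_php(src)
        reasons = []
        # Remote fetch plus execution, or plus a write to disk (the payload may be
        # included from a second file), is the download-and-execute shape.
        if fetch and (execs or writes):
            reasons.append(f"remote fetch {fetch} with exec {execs}, write={writes}")
        # A "license" helper that runs dynamic code matches the disguise described.
        if "license" in path.name.lower() and execs:
            reasons.append(f"license-named file executes code: {execs}")
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def installed_packages(composer_lock_text):
    """Return {name: version} for every package pinned in a composer.lock document."""
    lock = json.loads(composer_lock_text)
    out = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            out[pkg["name"]] = pkg.get("version", "?")
    return out


def check_watchlist(composer_lock_text, watchlist):
    """Return the installed packages whose names are on `watchlist` (taken from the advisories)."""
    installed = installed_packages(composer_lock_text)
    return {name: ver for name, ver in installed.items() if name in watchlist}


# Constructed sample tree (placeholder vendor "Acme", placeholder module "Widget").
SAMPLE_TREE = {
    # Imitation of the fetch -> write -> include shape; NOT the real backdoor.
    "app/code/Acme/Widget/Helper/License.php": (
        "<?php\n"
        "function adminLoadLicense($url) {\n"
        "    $body = file_get_contents($url);\n"
        "    $path = sys_get_temp_dir() . '/lic.php';\n"
        "    file_put_contents($path, $body);\n"
        "    include_once $path;\n"
        "}\n"
    ),
    # Benign license helper: only reads configuration, so the name alone is not enough.
    "app/code/Acme/Widget/Model/License.php": (
        "<?php\n"
        "class License { public function key() { return $this->config->getValue('acme/widget/key'); } }\n"
    ),
    # Benign local file read: no remote URL, no execution.
    "app/code/Acme/Widget/Helper/Data.php": (
        "<?php\n"
        "$xml = file_get_contents(__DIR__ . '/../etc/config.xml');\n"
    ),
}

# Constructed composer.lock fragment; "acme/widget" is a placeholder package name.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "103.0.7"},
        {"name": "acme/widget", "version": "1.4.2"},
    ],
    "packages-dev": [],
})


def demo():
    """Write the constructed samples to a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_TREE.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(rel, reasons)
    print(check_watchlist(SAMPLE_LOCK, {"acme/widget"}))
```

On a real installation, point scan_tree at the Magento root (or at vendor/ and app/code/) and feed check_watchlist the package names from the advisories; anything the heuristic flags still needs a human to read the file, since legitimate extensions occasionally fetch and cache remote content too.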