
Stormcast Episode Highlights New Cybersecurity Threats and Updates
In this May 7, 2025 edition of the Stormcast from the SANS Internet Storm Center, Johannes Ullrich, recording from San Diego, California, covers several current topics in cybersecurity.

The first topic is a new "info stealer" written in Python. Although the malware looks ordinary at first glance, it has some unusual characteristics. It checks whether it is running under a debugger, has anti-VM features, steals information and exfiltrates it via Telegram in encrypted files, and can take screenshots. What sets it apart is a built-in web server that emulates various login pages, such as Google's, on the loopback interface. Because the phishing page is served from the victim's own machine rather than from a remote domain, this technique could bypass the URL blocklists commonly used to block access to phishing sites. However, the malware appears incomplete: it lacks certificates for the web server, which suggests it is one component of a larger package delivered to victims.

Next, Johannes discusses Google's monthly Android update, which includes a patch for a remote code execution vulnerability in the FreeType library. The vulnerability is already being exploited by loading a malicious TrueType font into the library. FreeType is used in many open-source projects and has had several vulnerabilities in the past, so this new exploitation is not surprising. The advice is to update to the latest versions of FreeType, which are not affected by this flaw.

Johannes also mentions a bulletin published by CISA (the Cybersecurity and Infrastructure Security Agency) titled "Unsophisticated Cyber Actors Targeting Operational Technology." The bulletin highlights the importance of focusing on less advanced, but often more successful, threats. Most attacks are simple and rely on well-known techniques, yet they remain effective because basic configuration is often insufficient. CISA reminds readers of the importance of basic security practices, such as not exposing unnecessary services and using strong passwords.

Finally, Johannes discusses a "canary" proof-of-concept exploit published by F5 for a vulnerability in Apache Parquet, an efficient, compressed, column-oriented file format for tabular data. The vulnerability, which carries a CVSS score of 10, allows arbitrary Java code execution when a malicious file is fed to Parquet. The canary exploit file, when parsed by a vulnerable Parquet instance, reaches out to a URL specified at the time the file was created, which makes it possible to identify vulnerable Parquet instances in an environment. The same exploit could also serve as a template for attackers, so it is important to inventory and secure Parquet instances now.

In conclusion, this edition of the Stormcast emphasizes the importance of staying vigilant against new threats and maintaining basic security practices to protect systems against attacks, whether sophisticated or not.
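Returning to the info stealer's loopback-hosted login page: because URL blocklists never see a page served from 127.0.0.1, a host-level check is the place to look. The following triage helper is an added example, not code from the Stormcast episode or the Internet Storm Center; it parses `ss -ltnp` style output for listeners bound to the loopback interface and flags any whose served page carries login-form markers. The `ss` output and the page bodies are constructed samples, and `fetch` is injected so the check runs offline.

```python
from __future__ import annotations
import re
from typing import Callable

# Constructed sample of `ss -ltnp` output (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*     users:(("cupsd",pid=812,fd=7))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=701,fd=3))
LISTEN 0      5      127.0.0.1:8080      0.0.0.0:*     users:(("python3",pid=4242,fd=5))
LISTEN 0      128    [::1]:8000          [::]:*        users:(("python3",pid=4243,fd=4))
"""

# Constructed page bodies keyed by "addr:port", standing in for an HTTP GET.
SAMPLE_PAGES = {
    "127.0.0.1:8080": '<form action="/login"><input type="password" name="pw">'
                      '<h1>Sign in with your Google Account</h1></form>',
    "[::1]:8000": "<html><body>Directory listing for /</body></html>",
}

LOOPBACK = ("127.0.0.1", "[::1]")
SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')

def loopback_listeners(ss_text: str) -> list[dict]:
    """Return LISTEN sockets bound to loopback as {addr, port, proc, pid} dicts."""
    found = []
    for line in ss_text.splitlines():
        m = SS_LINE.match(line)
        if m and m.group(1) in LOOPBACK:
            found.append({"addr": m.group(1), "port": int(m.group(2)),
                          "proc": m.group(3), "pid": int(m.group(4))})
    return found

def looks_like_login_page(html: str) -> bool:
    """True when the body has a password field plus sign-in or brand wording."""
    text = html.lower()
    return 'type="password"' in text and any(
        marker in text for marker in ("sign in", "google account"))

def suspicious_loopback_pages(ss_text: str, fetch: Callable[[str], str]) -> list[dict]:
    """Flag loopback listeners whose served page imitates a login form."""
    flagged = []
    for lst in loopback_listeners(ss_text):
        try:
            body = fetch(f"{lst['addr']}:{lst['port']}")
        except KeyError:
            continue  # fetch failed or nothing served: not an HTTP listener
        if looks_like_login_page(body):
            flagged.append(lst)
    return flagged

if __name__ == "__main__":
    for hit in suspicious_loopback_pages(SAMPLE_SS, SAMPLE_PAGES.__getitem__):
        print(f"login-like page on {hit['addr']}:{hit['port']} "
              f"served by {hit['proc']} (pid {hit['pid']})")
```

On a live host, replace `fetch` with a short-timeout HTTP GET against each loopback listener and treat hits as leads for process inspection rather than as proof of compromise.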