
SANS Internet Storm Center Stormcast: May 20, 2025 Edition on Cybersecurity
In the May 20, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich covers several recent incidents. The first is an ISC diary by Xavier Mertens analyzing a remote access tool (RAT) whose dropper is written in AutoIt, a scripting language commonly used to automate Windows tasks such as deploying configurations and managing machines. AutoIt scripts can be compiled into standalone executables, so the victim does not need to have AutoIt installed. The technique is not new, but it is often overlooked. The script establishes simple persistence by registering itself as a startup item and then connects to a remote control server, which fortunately is no longer reachable. From a defensive standpoint, Johannes notes that there is no need to block AutoIt outright unless it is not used in your environment, in which case blocking it is a reasonable step; in any case, the essential control is not letting users download and run arbitrary executables.

Next, Johannes revisits the recent incident involving RVTools, a VMware inventory and reporting utility. He confirms that the RVTools website was compromised and used to distribute a malicious version of the tool; at the time of recording the site had been taken offline.

A similar incident involves KeePass, the open-source password manager. Researchers from WithSecure Labs found that the KeePass source code had been recompiled with malicious additions, namely an infostealer and a Cobalt Strike beacon. The campaign, which began around mid-2024, did not compromise the KeePass site itself: it was an SEO (Search Engine Optimization) style attack in which the trojanized builds were distributed through third-party sites. The code-signing certificate on the malicious binary belonged to an unrelated company, a further indication that KeePass's own infrastructure was not breached. Johannes warns against downloading software, and password managers in particular, from untrusted sources.
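As an added example (not part of the Stormcast, the ISC diary, or any of the projects mentioned), the following Python helpers implement two checks a defender would want after this segment and the download advice later on the page: flagging executables that are compiled AutoIt scripts, using the two well-known markers the AutoIt compiler leaves in every binary it produces (the `AU3!EA06` header of the embedded compiled script and the runtime stub's fixed string "This is a third-party compiled AutoIt script."), optionally scanning the standard Windows Startup folders where a dropper of this kind would register itself, and verifying a downloaded file's SHA-256 against the hash a vendor publishes. The two byte strings at the bottom are constructed stand-ins for real binaries, not samples from the diary, and the file names in the usage section are hypothetical.

```python
"""Triage helpers: spot compiled AutoIt binaries and verify downloads by hash."""
import hashlib
import hmac
import os
from pathlib import Path
from typing import Optional

# Byte patterns present in executables produced by the AutoIt compiler (Aut2Exe):
# the header of the embedded compiled-script resource and the fixed error string
# in the runtime stub. Both are widely used as YARA indicators for AutoIt payloads.
AUTOIT_MARKERS = (
    b"AU3!EA06",
    b"This is a third-party compiled AutoIt script.",
)


def is_compiled_autoit(data: bytes) -> bool:
    """Return True if the byte string carries any AutoIt compiler marker."""
    return any(marker in data for marker in AUTOIT_MARKERS)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, published_sha256: str) -> bool:
    """Compare a downloaded file against the SHA-256 the vendor publishes."""
    # compare_digest avoids leaking the position of the first mismatch;
    # strip()/lower() tolerate vendors that publish uppercase or padded hex.
    return hmac.compare_digest(sha256_hex(data), published_sha256.strip().lower())


def windows_startup_folders() -> list:
    """Per-user and all-users Startup folders; empty when not on Windows."""
    candidates = []
    appdata = os.environ.get("APPDATA")
    programdata = os.environ.get("ProgramData")
    if appdata:
        candidates.append(Path(appdata) / "Microsoft/Windows/Start Menu/Programs/Startup")
    if programdata:
        candidates.append(Path(programdata) / "Microsoft/Windows/Start Menu/Programs/StartUp")
    return [p for p in candidates if p.is_dir()]


def scan_startup_folders(folders=None) -> list:
    """Return startup-folder entries that are compiled AutoIt executables."""
    hits = []
    for folder in (folders if folders is not None else windows_startup_folders()):
        for entry in Path(folder).iterdir():
            if entry.is_file() and entry.suffix.lower() in {".exe", ".com", ".scr"}:
                if is_compiled_autoit(entry.read_bytes()):
                    hits.append(entry)
    return hits


def triage(name: str, data: bytes, published_sha256: Optional[str] = None) -> dict:
    """Summarise the checks for one file, in the shape an analyst would log."""
    result = {"file": name, "compiled_autoit": is_compiled_autoit(data)}
    if published_sha256 is not None:
        result["hash_matches_vendor"] = verify_download(data, published_sha256)
    return result


# Constructed stand-ins (not real binaries): a bare PE header with filler, and the
# same bytes with the AutoIt compiled-script header appended.
SAMPLE_PLAIN_EXE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 256
SAMPLE_AUTOIT_EXE = SAMPLE_PLAIN_EXE + b"AU3!EA06" + b"\x00" * 64
PUBLISHED_HASH = sha256_hex(SAMPLE_PLAIN_EXE)  # what the vendor's download page would list


if __name__ == "__main__":
    # Hypothetical file names; the first matches the published hash, the second does not.
    print(triage("installer.exe", SAMPLE_PLAIN_EXE, PUBLISHED_HASH))
    print(triage("update.exe", SAMPLE_AUTOIT_EXE, PUBLISHED_HASH))
    for hit in scan_startup_folders():
        print(f"compiled AutoIt executable in a Startup folder: {hit}")
```

The marker check is a triage signal, not a verdict: legitimate software is also shipped as compiled AutoIt, which is why the advice above is to decide per environment whether AutoIt belongs there at all. On Windows, pair the hash check with Get-AuthenticodeSignature and confirm that the signer's subject is the vendor you expect; a valid signature from an unrelated company, as in the KeePass case, is a warning sign rather than a reassurance.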
He emphasizes that such attacks can target any software, but password managers are prime targets because of the sensitivity of the data they hold. Finally, Johannes covers a UV printer from Procolored whose vendor-supplied software contained several pieces of malware. The discovery was made by a blogger on hackster.io, who noticed that his initial downloads of the software were blocked by Microsoft Defender and by the browser's built-in download protection. Subsequent analysis confirmed the presence of malware, and it took some time to get a response from the vendor. Johannes advises taking antivirus warnings seriously and checking downloaded files, even though this occasionally produces false positives. In conclusion, this edition of the Stormcast highlights several recent incidents in which trusted or seemingly trusted software was the delivery vehicle, and offers practical advice on defending against such threats.