
SANS Internet Storm Center Stormcast: June 9, 2025 Edition
In this June 9, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich discusses several crucial topics in cybersecurity.

First, he mentions an update to png_dump.py by DDA, a tool used to analyze PNG files. The update was motivated by the discovery of additional data appended to the end of a PNG file, after the end marker. The modified tool makes such unexpected data easier to detect and saves it to a separate file, which simplifies malware analysis.

Another important point is a significant compromise of the npm ecosystem, this time targeting React Native packages from GlueStack. These packages, which provide user interface components, were compromised on June 6 and 7, introducing a backdoor into systems that installed them. The attack was detected by Aikido, which had already spotted a similar compromise in May. The attackers used whitespace to hide the malicious code, making its detection more difficult. Ullrich emphasizes the importance of vigilance when using npm and pip packages, as such compromises are frequent.

Ullrich also discusses the Mirai botnet, which has found a new vulnerability to exploit in DVRs. Although this exploitation is more complex than previous ones, it should not have a significant impact beyond increasing the number of Mirai bots and compromised DVRs. Kaspersky has provided a detailed report on this new exploitation.

Finally, Ullrich talks about the AMOS malware, which uses the ClickFix technique to trick users into running a command-line script to get past a fake CAPTCHA. The malware can detect whether the user is on a Mac or Windows and adapts its prompts accordingly. Once installed, it steals credentials and, on Mac, keeps asking for the system password until the user provides it.

Ullrich also mentions a PowerShell script provided by Microsoft to recreate the inetpub folder, which is necessary to mitigate a recent vulnerability.
This information is crucial for cybersecurity professionals, as it highlights the current techniques used by attackers and the measures to take for protection. Vigilance and the use of appropriate analysis tools are essential for detecting and countering these threats.