
SANS Internet Storm Center Stormcast July 16, 2025: Key Cybersecurity Topics
In this July 16, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich, recording from Washington DC, covers several current cybersecurity topics.
The first topic is Alternate Data Streams (ADS) and their use for hiding malicious data. Johannes describes a recently discovered Python keylogger that stores what it captures in an alternate data stream. The script records keystrokes as well as clipboard content, staging both for later theft, although it does not itself implement exfiltration. The case illustrates why alternate data streams and the hidden file attribute are worth monitoring: both are useful indicators of suspicious files. Johannes also provides a PowerShell script that enumerates alternate data streams and extracts their contents, which helps in spotting potentially malicious files.
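As an added example (not the script Johannes published), the following PowerShell sweep lists every non-default NTFS stream under a directory and flags files that also carry the hidden attribute. The root path, the preview size and the short allow-list of expected streams are assumptions for the example.

```powershell
# Added example: enumerate alternate data streams and hidden-attribute files.
# Assumes an NTFS volume, PowerShell 3 or later, and a $Root you may inspect.
param(
    [string]$Root = "C:\Users",   # assumed starting directory
    [int]$PreviewChars = 120       # assumed preview length per stream
)

# Streams that ordinary files are expected to carry (assumed allow-list):
# ':$DATA' is the unnamed default stream, 'Zone.Identifier' is Mark-of-the-Web.
$ExpectedStreams = @(':$DATA', 'Zone.Identifier')

# -Force includes hidden files, which is exactly what we want to see.
Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
ForEach-Object {
    $file   = $_
    $hidden = ($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0

    # Get-Item -Stream * lists every NTFS stream attached to the file.
    Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $ExpectedStreams -notcontains $_.Stream } |
        ForEach-Object {
            $stream = $_
            # Read only the first few lines so an analyst can tell whether the
            # stream looks like logged text (keystrokes, clipboard) or binary.
            try {
                $text = (Get-Content -LiteralPath $file.FullName -Stream $stream.Stream `
                            -TotalCount 3 -ErrorAction Stop) -join ' '
                $text = $text -replace '[^\x20-\x7E]', '.'   # mask non-printables
                $preview = $text.Substring(0, [Math]::Min($PreviewChars, $text.Length))
            } catch {
                $preview = "<unreadable: $($_.Exception.Message)>"
            }
            [PSCustomObject]@{
                Path    = $file.FullName
                Hidden  = $hidden
                Stream  = $stream.Stream
                Length  = $stream.Length
                Preview = $preview
            }
        }
} | Sort-Object -Property Hidden, Length -Descending | Format-Table -AutoSize -Wrap
```

Hidden files carrying a named stream sort to the top; a stream whose preview reads like typed text or clipboard contents is the pattern the Stormcast's keylogger would leave behind.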
Another topic is a malvertising campaign targeting Mac users. The campaign tricks users into installing a malicious version of Homebrew, the popular macOS package manager. Users attempting to install Homebrew are redirected to a malicious GitHub page that installs Homebrew together with additional malware. Johannes stresses the need for vigilance when installing software and for verifying download sources.
Johannes also discusses a recently patched vulnerability in Broadcom's Symantec Altiris Inventory Rule Management System. The vulnerability stems from a known vulnerable .NET Remoting configuration and can be exploited easily with standard tools. Broadcom released a patch in June; it is crucial to apply it and to ensure that port 4011 is not exposed to the internet.
Finally, Johannes talks about attacks against developers, in particular a recent attack on a Russian cryptocurrency developer. The attack involved a malicious extension for Cursor AI that was used to steal secrets and, through them, cryptocurrency worth $500,000. The extension, downloaded from Open VSX, was used to compromise the developer's cryptocurrency wallet. The incident highlights the risks that extensions and development tools carry and the importance of verifying the authenticity and security of extensions before installing them.
In conclusion, this edition of the Stormcast highlights several current cybersecurity threats, including the use of alternate data streams, malvertising campaigns, software vulnerabilities, and attacks against developers. This information is crucial for cybersecurity professionals and end-users, underscoring the importance of vigilance and good security practices.