SANS ISC Stormcast Feb 3rd 2025: Automating Cyber Ranges; Deepseek Scams; PyPi Archived State; Medical Backdoors

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9306.mp3


To Simulate or Replicate: Crafting Cyber Ranges
Automating the creation of cyber ranges. This will be a multi-part series; this first part covers creating the DNS configuration on Windows with PowerShell.
https://isc.sans.edu/diary/To%20Simulate%20or%20Replicate%3A%20Crafting%20Cyber%20Ranges/31642

Scammers Exploiting Deepseek Hype
Scammers are using the hype around DeepSeek, and some of the confusion caused by its site not being reachable, to trick users into installing malware. I am also including a link to a "jailbreak" of DeepSeek (this part was not covered in the podcast).
https://www.welivesecurity.com/en/cybersecurity/scammers-exploiting-deepseek-hype/
https://lab.wallarm.com/jailbreaking-generative-ai/
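The lookalike sites the episode describes (a page that mimics the real DeepSeek site but swaps the "Start Now" action for a download) are easiest to stop before a user ever reaches them, by flagging lookalike domains in DNS or proxy logs. The following is an added example, not code from ESET or from the ISC: a brand-lookalike check run over constructed DNS query lines. The brand list, the homoglyph table, the naive registrable-domain split (last two labels) and the sample log are all assumptions made for this example.

```python
"""Brand-lookalike domain check over DNS query logs.

Added example, not from the ESET write-up or the ISC diary. The brand list,
the homoglyph table, the naive registrable-domain split (last two labels) and
the log lines below are all constructed for this example.
"""
from __future__ import annotations

BRANDS = {"deepseek.com", "deepseek.ai"}  # assumed: the legitimate domains to protect

# Single-character swaps that pass a quick visual check (assumed table).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


def registrable(host: str) -> str:
    """Naive eTLD+1: the last two labels. Assumption: no multi-label public
    suffixes such as co.uk in the data; use a public suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def normalize(label: str) -> str:
    """Undo common digit/homoglyph substitutions before comparing names."""
    return label.translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap
    of two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(host: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'legit', 'lookalike' or 'other'."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    if reg in BRANDS:
        return "legit", ""
    # Brand domain buried as a subdomain of something else: deepseek.com.evil.net
    for brand in BRANDS:
        if brand + "." in host:
            return "lookalike", f"{brand} used as a subdomain label"
    name, _, tld = reg.rpartition(".")
    norm = normalize(name)
    for brand in BRANDS:
        bname = brand.rpartition(".")[0]
        if name == bname:
            return "lookalike", f"brand name on a different TLD (.{tld})"
        if norm == bname:
            return "lookalike", "homoglyph substitution"
        if bname in norm:
            return "lookalike", "brand name with prefix/suffix"
        if damerau_levenshtein(norm, bname) <= 1:
            return "lookalike", "one edit away from brand name"
    return "other", ""


# Constructed DNS query log: "<timestamp> <client> query <name>"
SAMPLE_LOG = """\
2025-02-01T10:01:02Z 10.0.0.12 query chat.deepseek.com
2025-02-01T10:01:09Z 10.0.0.12 query www.deepseek-app.com
2025-02-01T10:02:11Z 10.0.0.31 query d33pseek.com
2025-02-01T10:03:45Z 10.0.0.31 query deepseek.com.cdn-update.net
2025-02-01T10:04:00Z 10.0.0.40 query deepseok.com
2025-02-01T10:05:00Z 10.0.0.40 query www.google.com
"""


def scan(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client, queried name, reason) for every lookalike hit."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":
            continue
        verdict, reason = classify(parts[3])
        if verdict == "lookalike":
            hits.append((parts[1], parts[3], reason))
    return hits


if __name__ == "__main__":
    for client, name, reason in scan(SAMPLE_LOG):
        print(f"{client} -> {name}: {reason}")
```

Of the six constructed queries, four are flagged (a hyphenated variant, a digit-for-letter swap, the brand used as a subdomain, and a one-character typo) while the real chat.deepseek.com and google.com pass. The edit-distance threshold of 1 is deliberately tight; raise it only for long brand names, or the check will start matching unrelated domains.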

PyPI Archived Status
PyPI introduced a new project status, "archived", that maintainers can set to signal that the project is no longer being maintained and no further updates should be expected.
https://blog.pypi.org/posts/2025-01-30-archival/

ICS Medical Advisory: Contec Patient Monitor Backdoor
An interesting backdoor was found in the Contec CMS8000 patient monitor.
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-030-01
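The exercise the episode suggests for this advisory is to work out whether you would notice a device on your network talking to an address it has never talked to before. The following is an added example, not from CISA, the FDA or the ISC: it builds a per-device baseline of destination address and port pairs from a learning window of flow records and then scores new flows against it, giving the highest severity to destinations outside the organisation's own ranges regardless of which country or cloud provider they belong to. The internal ranges, device and peer addresses, ports and flow lines are all constructed for the example.

```python
"""Per-device destination baseline over flow records.

Added example, not from the CISA/FDA advisory or the ISC diary. The internal
address ranges, the device and peer addresses, the ports and the flow lines
are all constructed for this example.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Assumed: the organisation's own address space. Anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed learning-window flows: "<timestamp> <src> <dst> <dst_port>".
# 10.40.1.x stand in for patient monitors, 10.40.0.5 for a central station and
# 10.40.0.9 for an HL7 interface (2575 assumed as the HL7 MLLP port).
BASELINE_FLOWS = """\
2025-01-10T08:00:00Z 10.40.1.21 10.40.0.5 443
2025-01-10T08:00:05Z 10.40.1.21 10.40.0.9 2575
2025-01-11T09:12:00Z 10.40.1.21 10.40.0.5 443
2025-01-12T09:15:00Z 10.40.1.22 10.40.0.5 443
"""

# Constructed flows to score. 203.0.113.77 and 198.51.100.9 are documentation
# addresses standing in for "some public IP the device never talked to before".
NEW_FLOWS = """\
2025-02-01T03:14:00Z 10.40.1.21 10.40.0.5 443
2025-02-01T03:14:07Z 10.40.1.21 203.0.113.77 515
2025-02-01T03:20:00Z 10.40.1.22 10.40.0.9 2575
2025-02-01T03:21:00Z 10.40.1.22 198.51.100.9 443
"""


def parse_flows(text: str):
    """Yield (timestamp, src, dst, dst_port) from one flow record per line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        yield ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)


def build_baseline(text: str) -> dict:
    """Map each source device to the set of (dst, port) pairs seen in the learning window."""
    baseline = defaultdict(set)
    for _, src, dst, port in parse_flows(text):
        baseline[src].add((dst, port))
    return baseline


def is_internal(ip) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in INTERNAL_NETS)


def score_flows(baseline: dict, text: str) -> list[tuple]:
    """Return alerts for flows missing from the device's own baseline, as
    (timestamp, src, dst, port, severity, reason) tuples.

    high   - destination is outside the internal ranges and new for the whole fleet
    medium - destination is internal but this device never talked to it before
    low    - new for this device, but sibling devices already use that peer and port
    """
    fleet_peers = set().union(*baseline.values()) if baseline else set()
    alerts = []
    for ts, src, dst, port in parse_flows(text):
        if (dst, port) in baseline.get(src, set()):
            continue
        if (dst, port) in fleet_peers:
            severity, reason = "low", "new for this device, known for sibling devices"
        elif is_internal(dst):
            severity, reason = "medium", "new internal peer"
        else:
            severity, reason = "high", "new external destination"
        alerts.append((ts, str(src), str(dst), port, severity, reason))
    return alerts


if __name__ == "__main__":
    for alert in score_flows(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(*alert)
```

On the constructed data the two monitor-to-public-IP flows come out as high, and the second monitor's first contact with the HL7 interface comes out as low because its sibling already uses that peer. The external alert fires whether the destination is in China or at a US cloud provider, which is the point the episode makes. In production, learn the baseline over weeks of flow data and key devices on a stable asset identifier (MAC address or inventory ID) rather than a DHCP-assigned IP.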


Podcast Transcript

Hello and welcome to the Monday, February 3rd, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

If you have ever built a homelab, a cyber range, or maybe a little malware analysis system, aside from setting up the basic systems around it, installing operating systems and the like, one of the challenges sometimes is to adapt the particular lab to a specific task, like setting up domains, IP addresses and the like, to kind of simulate a little internet, for example, to act as command and control servers for any malware that you're detonating inside the lab. Well, Richard set up a number of PowerShell scripts to accomplish some of that. He will write a few diaries about this. The first that he just published deals with DNS settings, how to configure host names and the like in this lab. It's a PowerShell script, so for everybody here who likes to set this up in Windows, perfectly suited also to set up Active Directory and the like to match whatever environment you would like to emulate. Real neat little tool, so take a look at it and provide any feedback to Richard.

And there is still quite a bit of talk about security issues around DeepSeek. I mentioned last week how some of their backend databases leaked. Of course, one of the problems they're struggling with is dealing with the increased surge in traffic that they are receiving. They allege that there may also be some denial of service attack involved. Now, as a result, they apparently have sort of reworked their infrastructure a little bit. That led to some issues, at least over the weekend, I noticed, where they had a bad certificate. The reason the certificate was marked as bad was it was actually issued by Huawei Cloud. I'm not sure if in China that's considered a trusted certificate, but at least my browser's common certificate authority database does not include this particular certificate authority. Since then, this has been fixed. It's now actually hosted behind Cloudflare and appears to be using a certificate issued by Google, at least when I'm connecting to it here from the US.

Now, all of this confusion and limited availability has also opened the door somewhat for scammers. There have been apparently a number of scam lookalike websites and such, essentially phishing that was used to distribute malware. The trick that these websites are implementing is that they use a lookalike website of DeepSeek. So, the site looks pretty much like DeepSeek with one important difference. On the real DeepSeek.com website, well, to actually get started playing with the AI model, you click on Start Now. That part is replaced on the fake website with a download option. And, of course, that then leads you to malware. However, as always, if something hits the news big like this, in particular if they're struggling with keeping the site up, that's always something that attackers are paying attention to and definitely something that you need to be ready for and also something probably to share with your users that want to play with tools like this.

And PyPI announced that they're introducing a new project state for developers. Developers are now able to mark a project as archived. The meaning behind archived is just that, well, the project is no longer being maintained. There are no longer any updates to be expected for this project. As is, the project can, of course, still be used, but people should probably migrate to something else. Developers are encouraged, before they archive a project, to release a final release that explains a little bit why the project is being archived, maybe what to do next if you don't want to use this particular library. But overall, it looks like a nice step in the right direction. They're working sort of on more of these states of projects that developers are able to use to indicate essentially what's the exact sort of support status of a particular project.

And the FDA, as well as CISA, warned about an interesting backdoor in the Contec Health CMS 8000 patient monitor. I was a little bit wondering whether or not I should include this story because it's a fairly limited audience here that, you know, basically hospitals and such that may be running this particular patient monitor. But I think this event has a bit sort of further reaching implications. One of the things I do want you to consider is to read through the indicators of compromise here, the particular methods being used to implement that backdoor, and then think about how you would detect a similar backdoor in a device on your network, whether it's a medical device or any other kind of device, and what kind of capabilities you have to essentially do a fingerprinting of a device to figure out what particular connections are normal for this device and which connections may raise concern. In this particular case, the connection actually went to China, which I think did substantially contribute to the detection of the backdoor. In many cases that may not be the case, where just a US-based cloud provider is being used here in order to implement a backdoor like this. So try to figure out, do you know what IP addresses your devices routinely connect to?

Well, and this is it for today. So thanks for listening and talk to you again tomorrow. Bye-bye.