
SANS Stormcast: Webshells; Undocumented ESP32 Commands; Camera Used For Ransomware Distribution

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9356.mp3


Commonly Probed Webshell URLs
Many attackers deploy web shells to gain a foothold on vulnerable web servers. These webshells can also be taken over by parasitic exploits.
https://isc.sans.edu/diary/Commonly%20Probed%20Webshell%20URLs/31748

Undocumented ESP32 Commands
A recent conference presentation by Tarlogic revealed several "backdoors" or undocumented features in the commonly used ESP32 chipsets. Tarlogic also released a toolkit to make it easier to audit chipsets and find these hidden commands.
https://www.tarlogic.com/news/backdoor-esp32-chip-infect-ot-devices/

Camera Off: Akira deploys ransomware via Webcam
The Akira ransomware group was recently observed infecting a network with ransomware by taking advantage of a webcam.
https://www.s-rminform.com/latest-thinking/camera-off-akira-deploys-ransomware-via-webcam


Podcast Transcript

Hello and welcome to the Monday, March 10th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

In diaries this weekend, well, just a quick little diary about web shells. Web shells are certainly still a thing; that actually came up as a question in class last week. Yes, we do still see quite a bit of web shells. Now, many of these web shells use kind of random names, but there are a couple that stick out for being probed quite a bit. So you probably want to check your web servers if these files are present. But what you really need to do is nail down the production lifecycle of your web applications so you actually know what files are supposed to be on your web server. And that makes it a lot easier to figure out, well, if something got added. These web shells are typically being added either via file upload vulnerabilities. That's sort of a more straightforward way. Or what's also happening quite a bit is that they're being uploaded using command injection vulnerabilities, where essentially the attacker is just executing a wget, the curl command or something like this, in order to download the web shell to the system.

Well, and this weekend at RootedCon in Madrid, researchers from Tarlogic did present about some undocumented commands in the very popular ESP32 chipset. ESP32 is made by Espressif, and it's a system-on-a-chip, so it has a CPU, but also does have Wi-Fi and Bluetooth interfaces. And, well, it's extremely cheap; you can buy them on eBay or Amazon for a couple dollars retail. These chipsets show up in millions and millions of IoT devices, so any problem with these chipsets is certainly concerning. The problem that Tarlogic found was that there are a number of commands that can be sent over Bluetooth that enable some hidden functionality, some of this functionality with significant security impact, like, for example, the ability to read memory. Anyway, undocumented features in CPUs are nothing new. This has happened to pretty much any CPU manufacturer. Often they are just not well documented. Sometimes these features weren't meant yet to be ready, but they work well enough for people to still use them. So I don't really know exactly what happened here. ESP32, the platform, had similar issues in the past. For example, for the Wi-Fi interface, there was sort of a hidden way to set it into promiscuous mode that then, of course, was used by many sort of cheap wireless sniffing tools and such that people built around these chipsets. The paper is interesting. I haven't read all the details yet, looked a little bit at the presentation, but it's in Spanish. The press release also points out that the point of the presentation is not so much releasing, well, that there are these ESP32 hidden commands, but really more about releasing a tool set that was used to actually find these hidden commands to make it easier for pretty much anybody to do a security audit of these and other similar chipsets, because that's certainly something that we see more and more of in the IoT space and also industrial control systems and the like. But you have these fairly small and cheap systems on a chip that are implementing various wireless interfaces. And of course, Bluetooth has always been a little bit more difficult to access for sort of your average user, given some of the constraints around how Bluetooth is defined.

And then a little bit of warning that, well, fake news can also affect security news. Earlier today, someone sent me a link to a LinkedIn post by a very well-respected security researcher. This post claimed that, well, RSA is dead and can easily be decrypted. The problem is that I very much so believe that this particular post was really just meant as a joke. If you know enough about RSA, you probably realize it's a joke, but, well, not many people really do know that much about RSA and then amplified that message. So if you're seeing a LinkedIn message like that or on other social media, be aware it, in my opinion, is really just a joke that maybe went a little bit too far.

Now we have an interesting case study from security consulting company S-RM. They discovered a malware that spread on an enterprise network via webcams. Now, webcams are often associated with attacks against home networks, but, of course, enterprise networks have them as well, either for security, for video conferencing and various systems like that. This is, again, an IP-connected standalone camera, so not one that was connected via USB to a particular computer. But what apparently happened here is that after initially breaching the network, the attacker did sort of gain a foothold on that camera and then used it to essentially pivot across the network and attack various other systems using SMB file shares. I think this is something, a good lesson here, in part because over the last few years, a lot of focus has gone towards endpoint detection and response or EDR. Well, please don't forget the network here because devices like this are usually not well covered when it comes to EDR.

Well, and this is it for today. So thanks for listening and talk to you again tomorrow. Bye.
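The web shell advice above boils down to knowing exactly which files belong in your web root and diffing the live tree against that release manifest. The following is an added example (not code from the diary or the podcast) that builds a SHA-256 manifest at deploy time and reports files added, modified or removed since; the web root layout and file names in demo() are constructed for illustration.

```python
import hashlib
import os
import tempfile

def hash_file(path):
    """SHA-256 of a file, read in chunks so large assets are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(webroot):
    """Relative path -> SHA-256 for every regular file under webroot.
    Generate this from the release artifact at deploy time and keep the
    baseline off the web server, so an intruder cannot rewrite it."""
    manifest = {}
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, webroot)] = hash_file(full)
    return manifest

def diff_manifest(baseline, current):
    """Return (added, modified, removed) relative paths. 'added' is the set to
    triage for web shells: a web root the application does not write to
    should gain no files between deployments."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed

def demo():
    """Constructed scenario: deploy two files, baseline them, then simulate
    post-deploy drift of the kind a file upload or command injection bug causes."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(root, "uploads", ".keep"), "w") as f:
        f.write("")
    baseline = build_manifest(root)
    # Drift: an unexpected PHP file appears under uploads/ and index.php changes.
    with open(os.path.join(root, "uploads", "dropped.php"), "w") as f:
        f.write("<?php /* constructed placeholder file, not a real web shell */ ?>\n")
    with open(os.path.join(root, "index.php"), "a") as f:
        f.write("// modified after deploy\n")
    return diff_manifest(baseline, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```

Run the manifest build from your deployment pipeline and the diff from a scheduled job or your EDR/FIM agent; a non-empty "added" list in a directory the application never writes to is worth an immediate look.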