SANS Stormcast Thursday, October 16th, 2025: Clipboard Image Stealer; F5 Compromise; Adobe Updates; SAP Patchday

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9658.mp3


Clipboard Image Stealer
Xavier presents an infostealer in Python that steals images from the clipboard.
https://isc.sans.edu/diary/Clipboard%20Pictures%20Exfiltration%20in%20Python%20Infostealer/32372

F5 Compromise
F5 announced a wide-ranging compromise today. Source code and information about unpatched vulnerabilities were stolen.
https://my.f5.com/manage/s/article/K000157005
https://my.f5.com/manage/s/article/K000156572
https://my.f5.com/manage/s/article/K000154696
Adobe Updates
Adobe updated 12 different products yesterday.
https://helpx.adobe.com/security.html

SAP Patchday
Among the critical vulnerabilities patched in SAP’s products are two deserialization vulnerabilities with a CVSS score of 10.0.
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/october-2025.html
https://onapsis.com/blog/sap-security-patch-day-october-2025/

Podcast Transcript

Hello and welcome to the Thursday, October 16th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Undergraduate Certificate Program in Applied Cybersecurity.

Xavier today explains an infostealer written in Python and how it deals with clipboard content. One of the standard features of infostealers is stealing data from the clipboard, often focusing on things like passwords that may be copy-pasted or maybe crypto coin addresses that are also often copy-pasted because who wants to type in a long random string like this. Some infostealers actually automatically recognize some of these string patterns as they're being copy-pasted to be more selective when it comes to actually exfiltrating the data. But not everything on the clipboard is text. You can also copy-paste images and that's what Xavier's malware is focusing on here. In this example, the Python script actually looks also for images that may be transferred via the clipboard and then exfiltrates them via Telegram, another very common command-and-control channel for infostealers like this.

And then we got some bad news for people using products made by F5. F5 today disclosed that they were breached. They claim an unspecified nation state actor for the breach and the breach apparently did last quite some extended time, like at least months. As part of the breach, source code was stolen from F5 and probably most importantly also information about unpatched vulnerabilities was stolen. And that of course is something that affects users of their products. Remember their products include products like for example their BIG-IP series but also NGINX is being maintained by F5. So if you're using any F5 products like this definitely pay attention. And paying attention here also means that F5 did today release a number of patches. And these patches are believed to be related to the patches or the vulnerabilities disclosed to the attacker during the incident. So that's definitely something that you do want to apply pretty quickly. They made that part of their quarterly security notification. Now the reason this is a part of the quarterly security notification here is in part because these vulnerabilities or actually the incident, F5 was aware of it for a while, but apparently based on guidance from the Department of Justice did somewhat delay the public release. On the other hand, there wouldn't have been probably too much that you could have done before having these patches available anyway. This may have been a little bit their calculus here. The vulnerabilities themselves are not terribly severe. The most severe one here is this SAP and SFTP vulnerability. It does allow for object code execution, but you must already have an elevated account in order to do this. So not just any account will work for this. And it really just helps an attacker to break out of the appliance mode in this particular case. The other vulnerabilities are similar in scope. There are some denial of service vulnerabilities, also some other remote code execution vulnerabilities, but also that require already some kind of elevated account. So these are really more privilege escalation vulnerabilities at this point because those accounts are already able to execute some commands if you're in the right place. The other ones are not going to see that.

A couple of days ago also, and this may have been a kind of foreshadowing of this event, F5 did rotate their signing certificates and keys. This could actually be the biggest problem here. If the signing certificate key with the private key material here was lost, it would of course now enable an attacker to sign software as F5. And if they were already in F5's environment for a couple of months and had access to that material for a couple of months, well, that could have happened sometime in the past. So this is definitely something to be aware of and make sure that you don't trust those now revoked certificates anymore. But we all know key revocation, certificate revocation can be a little bit tricky kind of to enforce across a large infrastructure like this. So definitely something that you may have to manually intervene here. So this affects first of all F5 customers, but again, NGINX is part of the F5 ecosystem. And in particular, the software being signed with F5 certificates, well, that could also trip up some system administrator that's not normally an F5 customer as they, for example, download some related software.

And then a little bit of Patch Tuesday clean-up. We did yesterday get patches from Adobe. Twelve different products were updated from Adobe. Not sure if that's everything. I actually don't see Adobe Acrobat or a PDF viewer here. So that product, which is one that I usually watch, is not being patched this time. We do have updates for the Adobe Commerce solution. Nothing super critical as far as I can tell here. There's a privilege escalation, a security feature bypass vulnerability. The arbitrary code execution vulnerability only got a CVSS score of 4.8. So probably nothing to worry about too much. And then we also have Adobe Experience Manager. That's a product where I think I've seen some exploits recently for. So that's why I mentioned this here. Mostly cross-site scripting vulnerabilities. And that, of course, always depends exactly where the particular cross-site scripting vulnerability appears to see how it could possibly be exploited. So apply your patches, but I don't see anything sort of out of the ordinary here.

And SAP released its October patches. And with that fixed a number of critical vulnerabilities, most notably two insecure deserialization vulnerabilities in SAP NetWeaver. There are a couple different components affected by essentially the same type of vulnerability. Onapsis has a good write-up about it. And I'll link to them as well as to the SAP announcement about these updates. They now introduced a special filter function to hopefully help with some of these deserialization vulnerabilities. It's typical for these type of products. We had similar issues also with the corresponding Oracle products like WebLogic and such, where they are exposed to a wide range of objects that they typically can't easily filter. Because they have to work with all kinds of different software written by others. And that's probably why SAP is trying to introduce this filter module. The WebLogic solution was more sort of a block list, which of course they always sort of amend and append to as new gadgets are being found to exploit these deserialization vulnerabilities.

Well, that's it for today. Thanks for listening. Thanks for liking and thanks for subscribing to this podcast. You may have also received some email about us changing Slack channels. A little bit more about that tomorrow, but that's it for now. So thanks and talk to you again tomorrow. Bye.
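The transcript contrasts SAP's new deserialization filter with WebLogic's block list that has to be amended whenever a new gadget is found. The following is an added example, not code from the podcast, SAP, or Oracle: it shows that contrast using the standard JDK serialization filter (java.io.ObjectInputFilter, JDK 9 and later); that SAP's filter is built on this mechanism is an assumption, and the `com.example.app.dto` package is hypothetical.

```java
import java.io.*;

/**
 * Allowlist vs. blocklist deserialization filters with the JDK's
 * ObjectInputFilter. Package names are hypothetical; this is not the
 * filter shipped by SAP or WebLogic.
 */
public class DeserializationFilterDemo {
    // Allowlist: only the application's own DTO package plus the few JDK
    // types it needs, with resource limits; "!*" rejects every other class,
    // so an unknown gadget class never gets instantiated.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "com.example.app.dto.*;"          // hypothetical application DTOs
          + "java.lang.Integer;java.lang.Long;java.lang.Number;"
          + "java.util.ArrayList;java.util.HashMap;"
          + "maxdepth=10;maxrefs=1000;maxbytes=65536;"
          + "!*");

    // Blocklist: rejects two example gadget packages but leaves every other
    // class UNDECIDED, which ObjectInputStream treats as allowed. Each newly
    // discovered gadget class needs another entry here.
    static final ObjectInputFilter BLOCKLIST = ObjectInputFilter.Config.createFilter(
            "!org.apache.commons.collections.**;!com.sun.rowset.**");

    /** Deserialize one object from bytes with the given filter applied. */
    static Object readWith(byte[] data, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);   // checked before each class is resolved
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // A benign JDK class not on the allowlist stands in for an unknown class.
        byte[] payload = serialize(new java.util.concurrent.ConcurrentHashMap<>(java.util.Map.of("k", 1)));
        // Not matched by any blocklist pattern, so the object is built.
        System.out.println("blocklist accepted: " + readWith(payload, BLOCKLIST).getClass());
        try {
            readWith(payload, ALLOWLIST);   // matched by "!*": rejected before construction
        } catch (InvalidClassException e) {
            System.out.println("allowlist rejected: " + e.getMessage());
        }
    }
}
```

The same allowlist string can be installed process-wide with `ObjectInputFilter.Config.setSerialFilter(...)` or the `jdk.serialFilter` system property, which is the usual way to cover third-party code that opens its own ObjectInputStream.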