
SANS Stormcast Friday, November 14th, 2025: SmartApeSG and ClickFix; Formbook Obfuscation Tricks; Sudo-rs Vulnerabilities; SANS Holiday Hack Challenge

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9700.mp3


SmartApeSG campaign uses ClickFix page to push NetSupport RAT
A detailed analysis of a recent SmartApeSG campaign taking advantage of ClickFix
https://isc.sans.edu/diary/32474

Formbook Delivered Through Multiple Scripts
An analysis of a recent version of Formbook showing how it takes advantage of multiple obfuscation tricks
https://isc.sans.edu/diary/32480

sudo-rs vulnerabilities
Two vulnerabilities were patched in sudo-rs, the version of sudo written in Rust. While Rust does have an advantage when it comes to memory safety, there are plenty of other vulnerability classes to worry about.
https://ubuntu.com/security/notices/USN-7867-1
https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-c978-wq47-pvvw?ref=itsfoss.com

SANS Holiday Hack Challenge
https://sans.org/HolidayHack

Podcast Transcript

Hello and welcome to the Friday, November 14th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Purple Team Operations.

And today we do have two diaries I should talk about. First one is from Brad Duncan and he writes about the latest regarding the SmartApeSG campaign. This is a campaign that usually advertised itself via fake browser updates, but lately has jumped on the ClickFix bandwagon. And that has overall been sort of a huge thing where we see more and more of these fake captchas that are tricking victims into installing malicious software on their system. In this particular case, it starts out with a compromised web page. Inside that web page, the attacker will add some JavaScript to then redirect the user to the ClickFix exploit, which is in this case, as you see, sort of a Cloudflare lookalike captcha that then tricks the victim into installing or basically running a malicious PowerShell command. And that PowerShell command will install additional malicious software. As usual, Brad provides plenty of indicators of compromise here with his diary, including packet captures to see how the attack really unfolded and hopefully helps you detect some of these attacks in your own network.

The second diary comes from Xavier. And Xavier gives us an update of the Formbook malware. Another very popular piece of malware that we haven't really talked much about lately. This particular example arrived in the form of an email attachment as a zip file. The user was then tricked into extracting the zip file and executing the Visual Basic script that was included with the zip file. Xavier, in this particular example, focuses on the obfuscation techniques being used here. One interesting tidbit is, for example, the avoidance of the sleep function, which is used to delay the malicious action of the command. That's often part of signatures, this sleep function, because it is often used for delaying the execution. But here, by putting, well, a WScript.Sleep into a little loop, they basically get the same effect as a longer sleep function. It may trigger some signatures. Also, later, then, some additional PowerShell obfuscation, again, to evade signatures and some of the simple protection mechanisms against these types of malware.

In the last few years, there has been a big push to replace C/C++ with Rust when it comes to programming, in particular system components. This latest vulnerability illustrates some of the dangers behind it. Rust, of course, being a memory-safe language, it eliminates some of the memory allocation issues that you often run into in C/C++, like buffer overflows. But, of course, there's more to security than memory management. This example here with sudo-rs, which is the Rust version of sudo, is sort of an example here. Sudo, of course, has a rich history of vulnerabilities because of its complicated operating logic. And it's not so much the buffer overflows. I think it had some of them as well. But often the complexities of just managing these different permissions are an issue. And there are two interesting vulnerabilities that were patched in sudo-rs. And the first one is where the authenticating user is not properly recorded in a timestamp. So you may basically get different timing and sort of these reauthorization issues that you have with sudo. The second one is, I think, really interesting. And this is sort of a password reveal. Essentially what happens here is if you type your password as you invoke sudo, well, the password is not visible. But due to this vulnerability, if an attacker can disrupt you from entering the password before you hit enter, they can then basically trick the system to reveal the password. Interesting vulnerability. And that's exactly sort of some of these odd little logic issues that are often lost as you're translating from one language to another. So if you are currently undertaking sort of one of these big conversions, take a look at some of these vulnerabilities and see what problems others have run into in trying to do these C/C++ to Rust conversions.

Well, and I almost missed it. I didn't realize it's already November and time for the SANS Holiday Hack Challenge. So I have with me today Chris to talk a little bit about the challenge.

I'd love to, Johannes. Yeah, this is, of course, the SANS gift to the community every holiday season. It's a game that we love building. We hope everybody loves to come and play and learn. And it's new every year. It's a new set of challenges. And this one especially is focused on micro challenges, especially at the beginning. We want people to begin, hop in, and be able to accomplish a few things right off the bat. And that's really a great learning opportunity.

I played it last year. I haven't played yet this year. I haven't gotten around to it yet. So these micro challenges are kind of little small things that you can sort of, even as a beginner, solve? Or is that sort of a little bit the goal here?

Yeah, absolutely. The first few are pretty straightforward. So just maybe the basics of networking, the very basics of firewalls. And you're just moving blocks around visually in a web page. So it's made for everybody. Bring your marketing person. Bring your manager, right? There's something for everyone, for sure.

Yeah. And really, for people that could start in the industry, could start with cybersecurity, probably a great way to sort of have some fun here. I hear there are also prizes that you have for the challenge.

There are indeed. Indeed. Yeah. So it's open and free all year long. But right now, during the competition period, so now through January 5th, if you submit one of the very best solutions to the holiday hack, then you could win access to SANS Skills Quest by NetWars. That's an online learning platform or even a free SANS course.

Wow. That's quite substantial prizes there. But even if you don't win, I think you're still winning by just learning. Can you tell us a little bit sort of some of the challenges? Maybe give us a little bit of a preview of what to expect there? Or what's the storyline this year?

Yeah. Yeah. So I love having a storyline. I love learning and playing. You know, whenever I'm working with people who are newer to cybersecurity, I always encourage them to go and play. And this is a great way to do that. So the storyline here, we've got some gnomes who are up to something and there's someone guiding them. Interestingly, I think for somebody who's been doing this for a while, it's a throwback to our game 10 years ago. So when I first played the holiday hack, it was in this neighborhood and we're back in that neighborhood. But now with 3D graphics and you can rotate your view with Q and E keys, it's kind of interesting. But challenges go from some of the basics of cybersecurity all up to some more complex challenges for the pros. So things in cloud, we have some LLM exploitation and even some post-quantum crypto. And those will take a little bit longer to do, right, than the intro challenges. But yeah, a little bit of everything for or something for everybody.

Yeah. So that's really great. And I always love it how you really create sort of that video game experience. It's not just your normal hack challenges. They sort of have that, you know, screen and the terminal kind of environment where you have to... Part of that is there too. But you really have to craft a user interface down too. And I always love the stories that you come up with. I think that makes it so much more entertaining, really. And also interactions between players. Is that also still part of it?

Yes. Yeah. So believe it or not, not everybody likes the game world. And this year we've introduced CTF mode. So if you want to, you can start in the game and then switch it to CTF mode and just get the challenges. And that's fine. But I like you, Johannes. I like the story and the graphics and the music. We commission new music every year. What was the question?

Well, actually, let's just talk about how do I get there? What's the URL that people need to know to get there?

Yep. SANS.org slash holiday hack. And when you get there, there's a video from Ed Skoudis, our chief elf, describing all the changes this year. The new hint system, how to rotate your view in the 3D land and how to set up cohorts, all that kind of thing.

I love the title, Chief Elf. Much better than SANS EDU President, kind of. Much better title. I love that. Yeah. So I'll definitely add the link to the show notes in case you didn't get that. But it's a great opportunity for everybody. Great gift to the community here. Any final words for our listeners?

So your question before was about interaction. And yes, absolutely. The best way to interact is over Discord. So if you get stuck on anything, join the Discord and you'll probably get helped out by another player because it's a very active community. So come, have fun, and be social in a virtual kind of way.

So I hope you'll check it out. And it's certainly nothing just for information security professionals. It's something for the whole family to really have fun with. And with that, thanks for listening. Thanks for liking and subscribing. And talk to you again on Monday. Bye. Bye. Thank you.