ISC StormCast for Thursday, May 2nd, 2024

Released Thursday, 2nd May 2024

Episode Transcript

0:00

Hello and welcome to the Thursday, May 2nd, 2024 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and I'm recording from Jacksonville, Florida.

A little binary has been pestering one of our honeypots. The binary was uploaded via the Cowrie honeypot, which simulates an open Telnet and SSH server. Sort of a run-of-the-mill DDoS agent. Interesting, kind of, is that it was uploaded to the Assemblyline sandbox in order to extract some indicators of compromise. You have to be really careful here with the indicators of compromise, because the ones extracted here are definitely not all malicious sites. For example, as so often, 8.8.8.8, the Google DNS server, is one of the IP addresses this malware connects to in order to check internet connectivity. It also apparently reaches out to a very common public URL, likely just as a connectivity check. So don't just blindly use these indicators of compromise; they are often just used by this malware as a connectivity check, and they're using benign, well-connected, and therefore easy websites that are often up and online. Also interesting here, another public DNS server: they're using 114.114.114.114, so four times 114, that appears to be operated by a Chinese company. It works well for me here, even though it does not look to be anycast; this IP address, according to traceroute, does actually appear to connect to China. Maybe the author of the malware is using this in case 8.8.8.8 or so is not reachable, and of course that may happen inside China.

2:02

And Maciej Pocwierz, a researcher from Poland, did write a blog post with some of the risks of Amazon's S3 billing. This is sometimes called a denial of wallet attack, sometimes also a denial of wallet amplification attack. Nothing fundamentally new; it has been discussed before. For example, in February there was an article by Ben Liefeld discussing a similar issue. There are a couple of problems with AWS S3 billing. One is that you're being billed for requests that fail. So in the example that Maciej here discussed, in this case it was just PUT requests to an S3 bucket that failed. There were hundreds of thousands of them, which then quickly accumulated thousands of dollars in S3 charges. The other problem that sometimes shows up here is range requests. Someone is requesting a partial file from your server. You may still be billed for the entire file, even if only a small part of the file was actually requested. And worse, an attacker can then just disrupt the transfer: you stop the transfer and you'll still be billed, which of course then enables an attacker to send multiple new requests. And that's sort of your classic kind of amplification attack, which is sort of where that denial of wallet amplification attack term comes from. Not really much you can do about this other than try to hide the name of your S3 bucket, which of course may or may not work, depending on your application.

3:50

And apparently the implementation of the alternative app stores in Europe is causing a little bit of a privacy issue here for iOS users in Europe. The problem is that websites are able to embed a button that will link to the respective alternative app store. Now, in order to avoid some accidental redirects, there is a user interaction required; that's why it's implemented as a button, so the user has to interact with the button. Of course a malicious developer could always make this button look like something else that you may be willing to click on. But the problem here is not necessarily just that you may then be tricked into downloading some malicious software; it's that whenever you click the button, you will actually transmit a unique authentication token. That token is derived for each device uniquely. It's also unique to a particular app store, but what could happen now is that if various websites collude, like they all put the same ad on their website, this button could then be used to basically link different visitors together as being the same device, if all these buttons are originating from the same app store. And it doesn't even look like you actually need a fully functioning app store; you just need to collect the URL and the data that's being submitted whenever you click that button. Overall, really, just yet another way advertisers may be able to track users.

5:35

And then, as the AI vulnerability of the day, there is a critical vulnerability in BentoML allowing for code execution, so double check if you're using BentoML to better understand what the risks are and how to protect yourself. Proof of concept code has already been published for this vulnerability.

6:00

That's it for today, and sorry for publishing yesterday's podcast a little bit late. It may actually show up on some platforms with the Thursday, May 2nd podcast as a result, so sorry for the confusion. If you haven't taken a look yet at our SANSFIRE lineup in July, currently I count three of our handlers teaching classes; there may be more, I'll have to double check again, but Xavier, Bojan, and myself are teaching classes, so I hope to see some of you there in person. These classes are offered in person as well as, of course, online, but we got some special things planned sort of for the in-person part, so you may want to check that out. And thanks, and talk to you again tomorrow.
