Hello and welcome to the Friday, February 28th, 2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Xavier today published a quick diary with a new version of the N.J. Rad matter that he found. And well, NJ. Rad in this

example is taking advantage of Microsoft death tunnels. This is activity that may go unnoticed

because it is a legitimate service. Sometimes as I've described living off the cloud

attacks. but essentially

Dev tunnels are meant for developers to help test web services. But of course, they can also

be used to relay other traffic, like in this case, the exfiltration of credentials. The domain

to look for here is Devtunnels.m.MS for sort of credentials. The domain to look for here is DevTunnels.m.m. MS for sort of Microsoft.

This particular domain is exclusively used for these Dev tunnels and, well, they're called

Dev tunnels because they're used for development, not necessarily for production software.

So unless you are actually actively developing software using death tunnels,

you probably shouldn't see that Domania network,

which makes a pretty good indicator of compromise here,

something to go hunting for.

And researchers at George Mason University came up with an interesting method to subvert

the Apple-Might-Find network.

This is the network that's being used to track air tags and other Apple devices.

In order for a device to be tracked, it needs a valid public-private key pair. The public key is

then being used to essentially send the lost message that's then being received and

relate by various Apple devices that are capable of participating in this My Find network.

The problem that these researchers have discovered is that it's actually not that

...