SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Monday, May 11th: Steganography Challenge; End-of-Life Routers; ASUS Driverhub; RV-Tools SEO Poisoning

SANS ISC Handlers

Tech News, News, Technology

🗓️ 12 May 2025

⏱️ 7 minutes

Summary


Steganography Challenge
Didier revealed the solution to last weekend's cryptography challenge. The image used the same encoding scheme as Didier described before, but the columns and rows were transposed.
https://isc.sans.edu/forums/diary/Steganography%20Challenge%3A%20My%20Solution/31912/
FBI Warns of End-of-life routers
The FBI is tracking larger botnets taking advantage of unpatched routers. Many of these routers are end-of-life, and no patches are available for the exploited vulnerabilities. The attackers are turning the devices into proxies, which are resold for various criminal activities.
https://www.ic3.gov/PSA/2025/PSA250507
ASUS Driverhub Vulnerability
ASUS Driverhub software does not properly check the origin of HTTP requests, allowing a CSRF attack from any website leading to arbitrary code execution.
https://mrbruh.com/asusdriverhub/
RV-Tools SEO Poisoning
Varonis Threat Labs observed SEO poisoning being used to trick system administrators into installing a malicious version of RV Tools. The malicious version includes a remote access tool, leading to the theft of credentials.
https://www.varonis.com/blog/seo-poisoning#initial-access-and-persistence

Transcript

0:00.0

Hello and welcome to the Monday, May 12, 2025 edition of the SANS Internet Storm Center's Stormcast.

0:08.6

My name is Johannes Ullrich, and today I'm recording from Jacksonville, Florida.

0:14.6

This weekend, Didier posted the solution for last week's Steganography Challenge.

0:20.3

This example used a similar encoding

0:22.9

as Didier presented in his past steganography diary, but with an interesting twist. Instead of

0:30.4

encoding the pixels in their normal order, meaning one line at a time of the image after another. Well, this one meant actually

0:39.6

vertical. So it did encode the data in the rows first and, well, then went over to the next

0:47.1

row. So in order to decode the data, you had to transpose it. And, well, imagine that

0:53.0

Didier has a tool to transpose the data

0:55.7

for you and decode the image. For details, as usual, see Didier's diary.

1:04.4

And last week, the FBI published a press release that it is observing criminals using

1:10.0

compromised routers as proxies to build

1:12.8

infrastructure for criminal networks. Now, this is nothing fundamentally new, but in particular

1:19.3

they point out that the compromise of end-of-life devices is contributing to this, and of course,

1:26.4

those devices you can update. One botnet identified

1:30.8

in this attack is the Moon botnet, a botnet we have first written about in February of 2014.

1:39.3

These router botnets have been very persistent and, as I've pointed out multiple times before,

1:46.3

well, they keep mutating and they keep adding new vulnerabilities to their arsenal.

1:52.3

Remember to track the end-of-life date of your network perimeter devices and add a monthly

1:58.9

firmware update check to your calendar, for home devices in particular,

2:03.7

but may not even be a bad idea for some business, in particular small business, devices to have

2:09.5

some setup where you're being reminded: hey, let me double-check that particular router if

...
