Hello and welcome to the Monday, March 10th, 2025 edition of the Sands and at Storm Center's Stormcast.

My name is Johannes Ulrich and then I'm recording from Jacksonville, Florida.

In diaries this weekend, well, just a quick little diary about web shells.

Web shells certainly still a thing that actually came up as a question

in class last week. Yes, we do still see quite a bit of web shells. Now, many of these web shells

use kind of random names, but there are a couple that stick out for being propped quite a bit.

So probably want to check your web servers if these

files are present. But what you really need to do is nail down your production life cycle

of your web applications so you actually know what files are supposed to be on your web server.

And that makes it a lot easier to figure out,

well, if something got added. These web shells are typically being added either via file

upload vulnerabilities. That's a sort of more straightforward way, or what's also happening

quite a bit is that they're being uploaded using command injection vulnerabilities,

where essentially the attacker is just executing a W-Get, a curl command, or something like this,

in order to download the web shell to the system. Well, and this weekend at Routiccon in Madrid,

researchers from TAR Logic did present about some undocumented commands in the very popular ESP 32 chipset.

ESP 32 is made by expressive and it's a system on a chip so it has a CPU but also does have

Wi-Fi and Bluetooth interfaces and well it's extremely cheap like you can buy them on

eBay or Amazon for a couple dollars retail these chipsets show up in millions and millions of IoT devices,

so any problem with these chipsets is certainly concerning. The problem that Tarlogic found was that

there are a number of commands that can be sent over Bluetooth

that enable some hidden functionality, some of this functionality

...