SANS ISC Stormcast, Jan 21, 2025: Downloading Partial ZIP files; Remote Tools Used in Attacks; Azure DevOps SSRF
Digest
This podcast covers several cybersecurity topics. First, it explains how to download only parts of large zip files using the HTTP range header, saving bandwidth. Next, it details a social engineering attack in Ukraine where attackers, posing as security auditors, gained access via AnyDesk by exploiting the organization's existing use of the software. The importance of user awareness training and authorization procedures is stressed. The podcast then analyzes a vulnerability in Azure DevOps tools, a server-side request forgery (SSRF) flaw whose protections were bypassed using DNS rebinding. Finally, the podcast concludes by inviting listeners to provide feedback on the episode's content and suggest future topics.
Outlines

Efficient File Downloads & Social Engineering Attacks
The podcast introduces efficient partial zip file downloads using HTTP range headers and discusses a social engineering attack in Ukraine leveraging AnyDesk access, highlighting the need for robust security awareness training and authorization procedures.

Azure DevOps Vulnerability and DNS Rebinding
A vulnerability in Azure DevOps tools is explained: a server-side request forgery (SSRF) flaw whose protections were bypassed using DNS rebinding. The persistence of DNS rebinding as a vulnerability is emphasized.

Conclusion and Feedback
The podcast concludes with a call for listener feedback on the episode's format, content, and suggestions for future topics.
Keywords
HTTP Range Header
An HTTP header enabling partial file downloads, saving bandwidth. Useful for large files or when only specific sections are needed.
Social Engineering
Manipulative techniques used to trick individuals into divulging confidential information or granting unauthorized access.
DNS Rebinding
An attack exploiting DNS hostname resolution to bypass same-origin policies and access unauthorized resources. A persistent web application vulnerability.
Server-Side Request Forgery (SSRF)
An attack where an attacker induces a server to make requests to an unintended host or service. Often used to access internal resources.
AnyDesk
Remote desktop software used in the described social engineering attack.
Azure DevOps
The platform where the discussed SSRF vulnerability was found.
Cybersecurity
The overarching theme of the podcast, encompassing all discussed topics.
Security Awareness Training
Crucial for mitigating social engineering attacks.
Q&A
How can I efficiently download only a specific file from a large zip archive?
Utilize the HTTP range header to specify the byte range of the desired file, downloading only that portion.
What are some effective countermeasures against social engineering attacks?
Implement robust awareness training for employees and establish clear procedures for authorizing remote assistance requests.
What is DNS rebinding, and why is it still a relevant vulnerability?
DNS rebinding exploits DNS hostname resolution to bypass security mechanisms; it persists because many security measures rely on hostnames and origin checks.
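The check-then-fetch mistake behind this answer, shown as an added example (not code from the podcast or from the Azure DevOps write-up): the first function validates what a hostname resolves to and then lets the HTTP client resolve it again, so a second, attacker-controlled DNS answer slips past the check; the second function resolves once and pins the connection to the validated address. The resolver and the connect callback are constructed stubs, and the addresses are constructed sample values.

```python
import ipaddress
from urllib.parse import urlsplit


def is_global_ip(ip_text):
    """True only for routable addresses: loopback, RFC 1918, link-local
    (which covers 169.254.169.254 metadata endpoints) and reserved space fail."""
    return ipaddress.ip_address(ip_text).is_global


class RebindingResolver:
    """Constructed stand-in for attacker-controlled DNS: the first lookup
    answers with a public address, every later lookup with a private one."""

    def __init__(self, answers):
        self.answers = list(answers)
        self.lookups = 0

    def resolve(self, host):
        ip = self.answers[min(self.lookups, len(self.answers) - 1)]
        self.lookups += 1
        return ip


def fetch_checking_hostname(url, resolver, connect):
    """Vulnerable pattern: validate what the hostname resolves to, then hand
    the URL to a client that performs its own, second DNS lookup."""
    host = urlsplit(url).hostname
    if not is_global_ip(resolver.resolve(host)):
        raise ValueError("blocked: non-public address")
    # Second lookup: with a short TTL the answer can now be 127.0.0.1.
    return connect(resolver.resolve(host), host)


def fetch_pinned(url, resolver, connect):
    """Hardened pattern: resolve exactly once, validate that address, and
    connect to it directly, passing the hostname only as the Host/SNI value."""
    host = urlsplit(url).hostname
    ip = resolver.resolve(host)
    if not is_global_ip(ip):
        raise ValueError("blocked: non-public address")
    return connect(ip, host)


def demo():
    """Runs both patterns against the same rebinding sequence of answers."""
    connect = lambda ip, host: ip  # stub: report the address we would connect to
    answers = ["8.8.8.8", "127.0.0.1"]  # constructed: public first, then loopback
    vulnerable = fetch_checking_hostname("http://rebind.example/", RebindingResolver(answers), connect)
    pinned = fetch_pinned("http://rebind.example/", RebindingResolver(answers), connect)
    return vulnerable, pinned  # ("127.0.0.1", "8.8.8.8")
```

Real clients still need the pinned address enforced at the socket layer (and redirects re-validated), otherwise the library's own resolver reintroduces the second lookup.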
Show Notes
Partial ZIP File Downloads
A closer look at how attackers are leveraging partial ZIP file downloads to bypass file verification systems and plant malicious content.
https://isc.sans.edu/diary/Partial%20ZIP%20File%20Downloads/31608
Ukrainian CERT Advisory on AnyDesk Threat
The Ukrainian CERT provides detailed guidance on identifying and mitigating recent cyber threats exploiting AnyDesk for unauthorized access.
https://cert.gov.ua/article/6282069
Finding SSRFs in Azure DevOps
An in-depth analysis of how server-side request forgery (SSRF) vulnerabilities are discovered and exploited in Azure DevOps pipelines.
https://binarysecurity.no/posts/2025/01/finding-ssrfs-in-devops