Shows
SANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Monday, September 29th, 2025: Convert Timestamps; Cisco Compromises; GitHub Notification Phishing (#)SANS Stormcast Monday, September 29th, 2025: Convert Timestamps; Cisco Compromises; GitHub Notification Phishing Converting Timestamps in .bash_history Unix shells offer the ability to add timestamps to commands in the .bash_history file. This is often done in the form of Unix timestamps. This new tool converts these timestamps into a more readable format. https://isc.sans.edu/diary/New%20tool%3A%20convert-ts-bash-history.py/32324 Cisco ASA/FRD Compromises Exploitation of the vulnerabilities Cisco patched last week may have bone back about a year. Cisco and CISA have released advisories with help identifying affected devices. https://sec.cloudapps.cisco.com/security/center...
2025-09-2908 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Friday, September 26th, 2025: Webshells in .well-known; Critical Cisco Vulns Exploited; XCSSET Update; GoAnywhere MFT Exploit Details (#)SANS Stormcast Friday, September 26th, 2025: Webshells in .well-known; Critical Cisco Vulns Exploited; XCSSET Update; GoAnywhere MFT Exploit Details Webshells Hiding in .well-known Places Our honeypots registered an increase in scans for URLs in the .well-known directory, which appears to be looking for webshells. https://isc.sans.edu/diary/Webshells%20Hiding%20in%20.well-known%20Places/32320 Cisco Patches Critical Exploited Vulnerabilities Cisco released updates addressing already-exploited vulnerabilities in the VPN web server for the ASA and FTD appliances. https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB https...
2025-09-2605 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Thursday, September 25th, 2025: Hikvision Exploits; Cisco Patches; Sonicawall Anit-Rootkit Patch; Windows 10 Support (#)SANS Stormcast Thursday, September 25th, 2025: Hikvision Exploits; Cisco Patches; Sonicawall Anit-Rootkit Patch; Windows 10 Support Exploit Attempts Against Older Hikvision Camera Vulnerability Out honeypots observed an increase in attacks against some older Hikvision issues. A big part of the problem is weak passwords, and the ability to send credentials as part of the URL. https://isc.sans.edu/diary/Exploit%20Attempts%20Against%20Older%20Hikvision%20Camera%20Vulnerability/32316 Cisco Patches Already Exploited SNMP Vulnerability Cisco patched a stack-based buffer overflow in the SNMP subsystem. It is already exploited in the wild, but requires admin privileges to achieve code execution. https://sec.cloudapps.cisco...
2025-09-2505 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Wednesday, September 24th, 2025: DoS against the Analyst; GitHub Improvements; Solarwinds and Supermicro BMC vulnerabilities (#)SANS Stormcast Wednesday, September 24th, 2025: DoS against the Analyst; GitHub Improvements; Solarwinds and Supermicro BMC vulnerabilities Distracting the Analyst for Fun and Profit Our undergraduate intern, Tyler House analyzed what may have been a small DoS attack that was likely more meant to distract than to actually cause a denial of service https://isc.sans.edu/diary/%5BGuest%20Diary%5D%20Distracting%20the%20Analyst%20for%20Fun%20and%20Profit/32308 GitHub’s plan for a more secure npm supply chain GitHub outlined its plan to harden the supply chain, in particular in light of the recent attack against npm packages https://github.blog/se...
2025-09-2407 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Tuesday, September 23rd, 2025: Ivanti EPMM Exploit; GitHub Impersonation (#)SANS Stormcast Tuesday, September 23rd, 2025: Ivanti EPMM Exploit; GitHub Impersonation CISA Reports Ivanti EPMM Exploit Sightings Two different organizations submitted backdoors to CISA, which are believed to have been installed using Ivanti vulnerabilities patched in May. https://www.cisa.gov/news-events/analysis-reports/ar25-261a Lastpass Observes Impersonation on GitHub Lastpass noted a number of companies being impersonated via fake GitHub repositories in order to trick victims to download Mac malware. https://blog.lastpass.com/posts/attack-targeting-macs-via-github-pages Oracle Scheduler Ransomware Ransomware has been discovered that gained access to systems via an exposed Oracle Database Scheduler service. https://labs.yarix.com/2025/09...
2025-09-2304 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Monday, September 22nd, 2025: Odd HTTP Reuqest; GoAnywhere MFT Bug; EDR Freeze (#)SANS Stormcast Monday, September 22nd, 2025: Odd HTTP Reuqest; GoAnywhere MFT Bug; EDR Freeze Help Wanted: What are these odd requests about? An odd request is hitting a number of our honeypots with a somewhat unusual HTTP request header. Please let me know if you no what the request is about. https://isc.sans.edu/forums/diary/Help+Wanted+What+are+these+odd+reuqests+about/32302/ Forta GoAnywhere MFT Vulnerability Forta’s GoAnywhere MFT product suffers from a critical deserialization vulnerability. Forta released an advisory disclosing the vulnerability on Thursday. https://www.fortra.com/security/advisories/product-security/fi-2025-012 EDR Freeze A ne...
2025-09-2209 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Friday, September 19th, 2025: Honeypot File Analysis (@sans_edu); SonicWall Breach; DeepSeek Bias; Chrome 0-day (#)SANS Stormcast Friday, September 19th, 2025: Honeypot File Analysis (@sans_edu); SonicWall Breach; DeepSeek Bias; Chrome 0-day Exploring Uploads in a Dshield Honeypot Environment This guest diary by one of our SANS.edu undergraduate interns shows how to analyze files uploaded to Cowrie https://isc.sans.edu/diary/Exploring%20Uploads%20in%20a%20Dshield%20Honeypot%20Environment%20%5BGuest%20Diary%5D/32296 Sonicwall Breach SonicWall “MySonicWall” accounts were breached via credential brute forcing https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-file-incident/250915160910330 DeepSeek Bias Cloudflare found significant biases in code created by the Chinese AI engine DeepSeek. Code for organizations not aligned with China’s politics contained signif...
2025-09-1807 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Thursday, September 18th, 2025: DLL Hooking; Entra ID Actor Tokens; Watchguard and NVidia Patches (#)SANS Stormcast Thursday, September 18th, 2025: DLL Hooking; Entra ID Actor Tokens; Watchguard and NVidia Patches CTRL-Z DLL Hooking Attackers may use a simple reload trick to overwrite breakpoints left by analysts to reverse malicious binaries. https://isc.sans.edu/diary/CTRL-Z%20DLL%20Hooking/32294 Global Admin in every Entra ID tenant via Actor tokens As part of September’s patch Tuesday, Microsoft patched CVE-2025-55241. The discoverer of the vulnerability, Dirk-jan Mollema has published a blog post showing how this vulnerability could have been exploited. https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens/ WatchGuard Firebox iked Out of Bounds Write Vulnerability CVE-2025-9242 WatchGuard patched an...
2025-09-1706 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Wednesday, September 17th, 2025: Phishing Resistants; More npm Attacks; ChatGPT MCP abuse (#)SANS Stormcast Wednesday, September 17th, 2025: Phishing Resistants; More npm Attacks; ChatGPT MCP abuse Why You Need Phishing-Resistant Authentication NOW. The recent compromise of a number of high-profile npmjs.com accounts has yet again shown how dangerous a “simple” phishing email can be. https://isc.sans.edu/diary/Why%20You%20Need%20Phishing%20Resistant%20Authentication%20NOW./32290 S1ngularity/nx Attackers Strike Again A second wave of attacks has hit over a hundred npm-related GitHub repositories. The updated payload implements a worm that propagates itself to other repositories. https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again ChatGPT’s Calendar Integration Can Be Exploited to Steal...
2025-09-1608 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Tuesday, September 16th, 2025: Apple Updates; Rust Phishing; Samsung 0-day (#)SANS Stormcast Tuesday, September 16th, 2025: Apple Updates; Rust Phishing; Samsung 0-day Apple Updates Apple released major updates for all of its operating systems. In addition to new features, these updates patch 33 different vulnerabilities. https://isc.sans.edu/diary/Apple%20Updates%20Everything%20-%20iOS%20macOS%2026%20Edition/32286 Microsoft End of Life October 14th, support for Windows 10, Exchange 2016, and Exchange 2019 will end. https://support.microsoft.com/en-us/windows/windows-10-support-ends-on-october-14-2025-2ca8b313-1946-43d3-b55c-2b95b107f281#:~:text=As%20a%20reminder%2C%20Windows%2010,one%20that%20supports%20Windows%2011. https://techcommunity.microsoft.com/blog/exchange/t-9-months-exchange-server-2016-and-exchange-server-2019-end-of-support/4366605 Phishing...
2025-09-1506 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Monday, September 15th, 2025: More Archives; Salesforce Attacks; White Cobra; BSides Augusta (#)SANS Stormcast Monday, September 15th, 2025: More Archives; Salesforce Attacks; White Cobra; BSides Augusta Web Searches For Archives Didier observed additional file types being searched for as attackers continue to focus on archive files as they spider web pages https://isc.sans.edu/diary/Web%20Searches%20For%20Archives/32282 FBI Flash Alert: Salesforce Attacks The FBI is alerting users of Salesforce of two different threat actors targeting Salesforce. There are no new vulnerabilities disclosed, but the initial access usually takes advantage of social engineering or leaked data from the Salesdrift compromise. https://www.ic3.gov/CSA/2025/250912.pdf VSCode Cursor Extensions Malware Koe...
2025-09-1506 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Friday, September 12th, 2025: DShield SIEM Update; Another Sonicwall Warning; Website Keystroke Logging (#)SANS Stormcast Friday, September 12th, 2025: DShield SIEM Update; Another Sonicwall Warning; Website Keystroke Logging DShield SIEM Docker Updates Guy updated the “DShield SIEM” which graphically summarizes what is happening inside your honeypot. https://isc.sans.edu/diary/DShield%20SIEM%20Docker%20Updates/32276 Again: Sonicwall SSL VPN Compromises The Australian Government’s Signals Directorate noted an increase in compromised Sonicwall devices. https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/ongoing-active-exploitation-of-sonicwall-ssl-vpns-in-australia Website Keystroke Logging Many websites log every keystroke, not just data submitted in forms. https://arxiv.org/pdf/2508.19825 keywords: dshield; siem; sonicwall; website; keystroke; logging
2025-09-1206 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Thursday, September 11th, 2025: BASE64 in DNS; Google Chrome, Ivantii and Sophos Patches; Apple Memory Integrity Feature (#)SANS Stormcast Thursday, September 11th, 2025: BASE64 in DNS; Google Chrome, Ivantii and Sophos Patches; Apple Memory Integrity Feature BASE64 Over DNS The base64 character set exceeds what is allowable in DNS. However, some implementations will work even with these “invalid” characters. https://isc.sans.edu/diary/BASE64%20Over%20DNS/32274 Google Chrome Update Google released an update for Google Chrome, addressing two vulnerabilities. One of the vulnerabilities is rated critical and may allow code execution. https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_9.html Ivanti Updates Ivanti patched a number of vulnerabilities, several of them critical, across its product portfolio. https://forums.ivanti.com/s/ar...
2025-09-1107 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Wednesday, September 10th, 2025: Microsoft Patch Tuesday; (#)SANS Stormcast Wednesday, September 10th, 2025: Microsoft Patch Tuesday; Microsoft Patch Tuesday As part of its September patch Tuesday, Microsoft addressed 177 different vulnerabilities, 86 of which affect Microsoft products. None of the vulnerabilities has been exploited before today. Two of the vulnerabilities were already made public. Microsoft rates 13 of the vulnerabilities are critical. https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20September%202025/32270 Adobe Patches Adobe released patches for nine products, including Adobe Commerce, Coldfusion, and Acrobat. https://helpx.adobe.com/security/security-bulletin.html SAP Patches SAP patched vulnerabilities across its product portfolio. Particularly interesting are a few critical vulnerabilities in Netweaver, one...
2025-09-0908 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Tuesday, September 9th, 2025: Major npm compromise; HTTP Request Signature (#)SANS Stormcast Tuesday, September 9th, 2025: Major npm compromise; HTTP Request Signature Major npm compromise A number of high-profile npm libraries were compromised after developers fell for a phishing email. This compromise affected libraries with a total of hundreds of millions of downloads a week. https://bsky.app/profile/bad-at-computer.bsky.social/post/3lydioq5swk2y
https://github.com/orgs/community/discussions/172738
https://github.com/chalk/chalk/issues/656#issuecomment-3266894253 https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised HTTP Request Signatures It looks like some search engines and AI bots are starting to use the HTTP request signature. This should make it easier to iden...
2025-09-0808 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Monday, September 8th, 2025: YARA to Debugger Offsets; SVG JavaScript Phishing; FreePBX Patches; (#)SANS Stormcast Monday, September 8th, 2025: YARA to Debugger Offsets; SVG JavaScript Phishing; FreePBX Patches; From YARA Offsets to Virtual Addresses Xavier explains how to convert offsets reported by YARA into offsets suitable for the use with debuggers. https://isc.sans.edu/diary/From%20YARA%20Offsets%20to%20Virtual%20Addresses/32262 Phishing via JavaScript in SVG Files Virustotal uncovered a Colombian phishing campaign that takes advantage of JavaScript in SVG files. https://blog.virustotal.com/2025/09/uncovering-colombian-malware-campaign.html FreePBX Patches FreePBX released details regarding two vulnerabilities patched last week. One of these vulnerabilities was already actively exploited. https://github.com/FreePBX/security-reporting/security/advisories...
2025-09-0705 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Friday, September 5th, 2025: Cloudflare Response to 1.1.1.1 Certificate; AI Modem Namespace Reuse; macOS Vulnerability Allowed Keychain Decryption (#)SANS Stormcast Friday, September 5th, 2025: Cloudflare Response to 1.1.1.1 Certificate; AI Modem Namespace Reuse; macOS Vulnerability Allowed Keychain Decryption Unauthorized Issuance of Certificate for 1.1.1.1 Cloudflare published a blog post with more details regarding the bad 1.1.1.1 certificate that was issued by Fina. https://blog.cloudflare.com/unauthorized-issuance-of-certificates-for-1-1-1-1/ AI Model Namespace Reuse Deleted accounts on Huggingface can be taken over by other entities unrelated to the original owner. https://unit42.paloaltonetworks.com/model-namespace-reuse/ macOS vulnerability allowed Keychain and iOS app decryption without a password Excessive entitlements for the gcore binary facilitated access to key material that was sufficient to access...
2025-09-0408 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Thursday, September 4th, 2025: Dassault DELMIA Apriso Exploit Attempts; Android Updates; 1.1.1.1 Certificate Issued (#)SANS Stormcast Thursday, September 4th, 2025: Dassault DELMIA Apriso Exploit Attempts; Android Updates; 1.1.1.1 Certificate Issued Exploit Attempts for Dassault DELMIA Apriso. CVE-2025-5086 Our honeypots detected attacks against the manufacturing management system DELMIA Apriso. The deserialization vulnerability was patched in June and is one of a few critical vulnerabilities patched in recent months. https://isc.sans.edu/diary/Exploit%20Attempts%20for%20Dassault%20DELMIA%20Apriso.%20CVE-2025-5086/32256 Android Bulletin Google released its September update, fixing two already-exploited privilege escalation flaws and some remote code execution issues. https://source.android.com/docs/security/bulletin/2025-09-01 Mis-issued Certificates for SAN iPAddress:1.1.1.1 by Fina...
2025-09-0306 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Wednesday, September 3rd, 2025: Sextortiion Analysis; Covert Channel DNS/ICMP; Azure AD Secret Theft; Official FreePBX Patches (#)SANS Stormcast Wednesday, September 3rd, 2025: Sextortiion Analysis; Covert Channel DNS/ICMP; Azure AD Secret Theft; Official FreePBX Patches A Quick Look at Sextortion at Scale Jan analyzed 1900 different sextortion messages using 205 different Bitcoin addresses to look at the success rate, lifetime, and other metrics defining these campaigns. https://isc.sans.edu/diary/A%20quick%20look%20at%20sextortion%20at%20scale%3A%201%2C900%20messages%20and%20205%20Bitcoin%20addresses%20spanning%20four%20years/32252 Azure AD Client Secret Leak Attackers are stealing Azure AD client secrets from websites that are leaving them exposed. https://www.resecurity.com/blog/article/azure-ad-client-secret-leak-the-keys-to-cloud Covert Channel via ICMP and DNS...
2025-09-0205 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Tuesday, September 2nd, 2025: pdf-parser Patch; Salesloft Compromise; Velociraptor Abuse; NeuVector Default Password (#)SANS Stormcast Tuesday, September 2nd, 2025: pdf-parser Patch; Salesloft Compromise; Velociraptor Abuse; NeuVector Default Password pdf-parser: All Streams Didier released a new version of pdf-parser.py. This version fixes a problem with dumping all filtered streams. https://isc.sans.edu/diary/pdf-parser%3A%20All%20Streams/32248 Salesloft Drift Putting OAuth Tokens at Risk OAuth tokens used by Salesloft Drift users to provide access to integrations with Salesforce, Google Workspace, and others have been compromised and heavily abused for additional compromise and large-scale data exfiltration from exposed services. https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift Velociraptor incident response tool abused for remote...
2025-09-0105 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Friday, August 29th, 2025: Scans for ZIP Files; FreePBX 0-Day; Passwordstate Patch (#)SANS Stormcast Friday, August 29th, 2025: Scans for ZIP Files; FreePBX 0-Day; Passwordstate Patch Increasing Searches for ZIP Files Attackers are scanning our honeypots more and more for .zip files. They are looking for backups of credential files and the like left behind by careless administrators and developers. https://isc.sans.edu/diary/Increasing%20Searches%20for%20ZIP%20Files/32242 FreePBX Vulnerability An upatched vulnerability in FreePBX is currently being exploited. FreePBX offers mitigation advice and has also just released a “beta” patch. https://community.freepbx.org/t/security-advisory-please-lock-down-your-administrator-access/107203 Passwordstate Vulnerability Clickstudios patched an authentication bypass vulnerability in its password manager, Passwordstate. The vuln...
2025-08-2905 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Thursday, August 28th, 2025: Launching Shellcode; NX Compromise; Volt Typhoon Report (#)SANS Stormcast Thursday, August 28th, 2025: Launching Shellcode; NX Compromise; Volt Typhoon Report Interesting Technique to Launch a Shellcode Xavier came across malware that PowerShell and the CallWindowProcA() API to launch code. https://isc.sans.edu/diary/Interesting%20Technique%20to%20Launch%20a%20Shellcode/32238 NX Compromised to Steal Wallets and Credentials The popular open source NX build package was compromised. Code was added that uses the help of AI tools like Claude and Gemini to steal credentials from affected systems https://semgrep.dev/blog/2025/security-alert-nx-compromised-to-steal-wallets-and-credentials/ Countering Chinese State-Sponsored Actors’ Compromise of Networks Worldwide to Feed the Global Espionage System Several law enforcement an...
2025-08-2806 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Wednesday, August 27th, 2025: Analyzing IDNs; Netscaler 0-Day Vuln; Git Vuln Exploited; (#)SANS Stormcast Wednesday, August 27th, 2025: Analyzing IDNs; Netscaler 0-Day Vuln; Git Vuln Exploited; Getting a Better Handle on International Domain Names and Punycode International Domain names can be used for phishing and other attacks. One way to identify suspect names is to look for mixed script use. https://isc.sans.edu/diary/Getting%20a%20Better%20Handle%20on%20International%20Domain%20Names%20and%20Punycode/32234 Citrix Netscaler Vulnerabilities CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424 Citrix patched three vulnerabilities in Netscaler. One is already being exploited https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938&articleTitle=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin...
2025-08-2705 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Tuesday, August 26th, 2025: Decoding Word Reading Location; Image Downscaling AI Vulnerability; IBM Jazz Team Server Vuln (#)SANS Stormcast Tuesday, August 26th, 2025: Decoding Word Reading Location; Image Downscaling AI Vulnerability; IBM Jazz Team Server Vuln Reading Location Position Value in Microsoft Word Documents Jessy investigated how Word documents store the last visited document location in the registry. https://isc.sans.edu/diary/Reading%20Location%20Position%20Value%20in%20Microsoft%20Word%20Documents/32224 Weaponizing image scaling against production AI systems AI systems often downscale images before processing them. An attacker can create a harmless looking image that would reveal text after downscaling leading to prompt injection https://blog.trailofbits.com/2025/08/21/weaponizing-image-scaling-against-production-ai-systems/ IBM Jazz Team Server Vulnerability CVE-2025-36157 IBM patched a...
2025-08-2605 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Monday, August 25th, 2025: IP Cleanup; Linux Desktop Attacks; Malicious Go SSH Brute Forcer; Onmicrosoft Domain Restrictions (#)SANS Stormcast Monday, August 25th, 2025: IP Cleanup; Linux Desktop Attacks; Malicious Go SSH Brute Forcer; Onmicrosoft Domain Restrictions The end of an era: Properly formatted IP addresses in all of our data. When initiall designing DShield, addresses were “zero padded”, an unfortunate choice. As of this week, datafeeds should no longer be “zero padded”. https://isc.sans.edu/diary/The%20end%20of%20an%20era%3A%20Properly%20formated%20IP%20addresses%20in%20all%20of%20our%20data./32228 .desktop files used in an attack against Linux Desktops Pakistani attackers are using .desktop files to target Indian Linux desktops. https://www.cyfirma.com/research/apt36-targets...
2025-08-2506 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Friday, August 22nd, 2025: The -n switch; Commvault Exploit; Docker Desktop Escape Vuln; (#)SANS Stormcast Friday, August 22nd, 2025: The -n switch; Commvault Exploit; Docker Desktop Escape Vuln; Don't Forget The "-n" Command Line Switch Disabling reverse DNS lookups for IP addresses is important not just for performance, but also for opsec. Xavier is explaining some of the risks. https://isc.sans.edu/diary/Don%27t%20Forget%20The%20%22-n%22%20Command%20Line%20Switch/32220 watchTowr releases details about recent Commvault flaws Users of the Commvault enterprise backup solution must patch now after watchTowr released details about recent vulnerabilities https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/?123 Docker Desktop Vulnerability CVE-2025-9074 A vulnerability in Docker Desktop allows attackers to...
2025-08-2206 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Thursday, August 21st, 2025: Airtel Scans; Apple Patch; Microsoft Copilot Audit Log Issue; Password Manager Clickjacking (#)SANS Stormcast Thursday, August 21st, 2025: Airtel Scans; Apple Patch; Microsoft Copilot Audit Log Issue; Password Manager Clickjacking Airtel Router Scans and Mislabeled Usernames A quick summary of some odd usernames that show up in our honeypot logs https://isc.sans.edu/diary/Airtel%20Router%20Scans%2C%20and%20Mislabeled%20usernames/32216 Apple Patches 0-Day CVE-2025-43300 Apple released an update for iOS, iPadOS and MacOS today patching a single, already exploited, vulnerability in ImageIO. https://support.apple.com/en-us/124925 Microsoft Copilot Audit Logs A user retrieving data via copilot obscures the fact that the user may have had access to data in...
2025-08-2106 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Wednesday, August 20th, 2025: Increased Elasticsearch Scans; MSFT Patch Issues (#)SANS Stormcast Wednesday, August 20th, 2025: Increased Elasticsearch Scans; MSFT Patch Issues Increased Elasticsearch Recognizance Scans Our honeypots noted an increase in reconnaissance scans for Elasticsearch. In particular, the endpoint /_cluster/settings is hit hard. https://isc.sans.edu/diary/Increased%20Elasticsearch%20Recognizance%20Scans/32212 Microsoft Patch Tuesday Issues Microsoft noted some issues deploying the most recent patches with WSUS. There are also issues with certain SSDs if larger files are transferred. https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-24h2#3635msgdesc https://www.tomshardware.com/pc-components/ssds/latest-windows-11-security-patch-might-be-breaking-ssds-under-heavy-workloads-users-report-disappearing-drives-following-file-transfers-including-some-that-cannot-be-recovered-after-a-reboot SAP Vulnerabilities Exploited CVE-2025-31324, CVE-2025-42999 Details explaining how to...
2025-08-2006 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Tuesday, August 19th, 2025: MFA Bombing; Cisco Firewall Management Vuln; F5 Access for Android Vuln; (#)SANS Stormcast Tuesday, August 19th, 2025: MFA Bombing; Cisco Firewall Management Vuln; F5 Access for Android Vuln; Keeping an Eye on MFA Bombing Attacks Attackers will attempt to use authentication fatigue by “bombing” users with MFA authentication requests. Rob is talking in this diary about how to investigate these attacks in a Microsoft ecosystem. https://isc.sans.edu/diary/Keeping+an+Eye+on+MFABombing+Attacks/32208 Critical Cisco Secure Firewall Management Center Software RADIUS Remote Code Execution Vulnerability An OS command injection vulnerability may be abused to gain access to the Cisco Secure Firewall Management Center software. https://sec.cloudapps.cisco.com/secu...
2025-08-1905 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Monday, August 18th, 2025: 5G Attack Framework; Plex Vulnerability; Fortiweb Exploit; Flowise Vuln (#)SANS Stormcast Monday, August 18th, 2025: 5G Attack Framework; Plex Vulnerability; Fortiweb Exploit; Flowise Vuln SNI5GECT: Sniffing and Injecting 5G Traffic Without Rogue Base Stations Researchers from the Singapore University of Technology and Design released a new framework, SNI5GECT, to passively sniff and inject traffic into 5G data streams, leading to DoS, downgrade and other attacks. https://isc.sans.edu/diary/SNI5GECT%3A%20Sniffing%20and%20Injecting%205G%20Traffic%20Without%20Rogue%20Base%20Stations/32202 Plex Vulnerability Plex patched a vulnerability in the Plex Media Server. Make sure you have updated to at least 1.42.1. https://forums.plex.tv/t/plex-media-server-security-update/928341 FortiWeb...
2025-08-1705 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Friday, August 15th, 2025: Analysing Attack with AI; Proxyware via YouTube; Xerox FreeFlow Vuln; Evaluating Zero Trust @SANS_edu (#)SANS Stormcast Friday, August 15th, 2025: Analysing Attack with AI; Proxyware via YouTube; Xerox FreeFlow Vuln; Evaluating Zero Trust @SANS_edu AI and Faster Attack Analysis A few use cases for LLMs to speed up analysis https://isc.sans.edu/diary/AI%20and%20Faster%20Attack%20Analysis%20%5BGuest%20Diary%5D/32198 Proxyware Malware Being Distributed on YouTube Video Download Site Popular YouTube download sites will attempt to infect users with proxyware. https://asec.ahnlab.com/en/89574/ Xerox Freeflow Core Vulnerability Horizon3.ai discovered XXE Injection (CVE-2025-8355) and Path Traversal (CVE-2025-8356) vulnerabilities in Xerox FreeFlow Core, a print orchestration platform. These vulnerabilities a...
2025-08-1515 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Thursday, August 14th, 2025: Equation Editor; Kerberos Patch; XZ-Utils Backdoor; ForitSIEM/FortiWeb patches (#)SANS Stormcast Thursday, August 14th, 2025: Equation Editor; Kerberos Patch; XZ-Utils Backdoor; ForitSIEM/FortiWeb patches CVE-2017-11882 Will Never Die The (very) old equation editor vulnerability is still being exploited, as this recent sample analyzed by Xavier shows. The payload of the Excel file attempts to download and execute an infostealer to exfiltrate passwords via email. https://isc.sans.edu/diary/CVE-2017-11882%20Will%20Never%20Die/32196 Windows Kerberos Elevation of Privilege Vulnerability Yesterday, Microsoft released a patch for a vulnerability that had already been made public. This vulnerability refers to the privilege escalation taking advantage of a path traversal issue in...
2025-08-1407 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Wednesday, August 13th, 2025: Microsoft Patch Tuesday; libarchive vulnerability upgrade; Adobe Patches (#)SANS Stormcast Wednesday, August 13th, 2025: Microsoft Patch Tuesday; libarchive vulnerability upgrade; Adobe Patches Microsoft Patch Tuesday https://isc.sans.edu/diary/Microsoft%20August%202025%20Patch%20Tuesday/32192 https://cymulate.com/blog/zero-click-one-ntlm-microsoft-security-patch-bypass-cve-2025-50154/ libarchive Vulnerability A libarchive vulnerability patched in June was upgraded from a low CVSS score to a critical one. Libarchive is used by compression software across various operating systems, making this a difficult vulnerability to patch https://www.freebsd.org/security/advisories/FreeBSD-SA-25:07.libarchive.asc Adobe Patches Adobe released patches for 13 different products. https://helpx.adobe.com/security/Home.html keywords: adobe; libarchive; microsoft; patches;
2025-08-1208 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Tuesday, August 12th, 2025: Erlang OTP SSH Exploits (Palo Alto Networks); Winrar Exploits; Netscaler Exploits; OpenSSH Pushing PQ Crypto; (#)SANS Stormcast Tuesday, August 12th, 2025: Erlang OTP SSH Exploits (Palo Alto Networks); Winrar Exploits; Netscaler Exploits; OpenSSH Pushing PQ Crypto; Erlang OTP SSH Exploits A recently patched and easily exploited vulnerability in Erlang/OTP SSH is being exploited. Palo Alto collected some of the details about this exploit activity that they observed. https://unit42.paloaltonetworks.com/erlang-otp-cve-2025-32433/ WinRAR Exploited WinRAR vulnerabilities are actively being exploited by a number of threat actors. The vulnerability allows for the creation of arbitrary files as the archive is extracted. https://thehackernews.com/2025/08/winrar-zero-day-under-active.html Citrix Netscaler Exploit Updates The Dutch Center for Cyber...
2025-08-1106 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Monday, August 11th, 2025: Fake Tesla Preorders; Bad USB Cameras; Win-DoS Epidemic (#)SANS Stormcast Monday, August 11th, 2025: Fake Tesla Preorders; Bad USB Cameras; Win-DoS Epidemic Google Paid Ads for Fake Tesla Websites Someone is setting up fake Tesla lookalike websites that attempt to collect credit card data from unsuspecting users trying to preorder Tesla products. https://isc.sans.edu/diary/Google%20Paid%20Ads%20for%20Fake%20Tesla%20Websites/32186 Compromising USB Devices for Persistent Stealthy Access USB devices, like Linux-based web cams, can be compromised to emulate malicious USB devices like keyboards that inject malicious commands. https://eclypsium.com/blog/badcam-now-weaponizing-linux-webcams/ Win-DoS Epidemic: A crash course in abusing RPC for Win-DoS & Win-DDoS Internet-exposed DCs...
2025-08-1107 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Friday, August 8th, 2025:: ASN43350 Mass Scans; HTTP1.1 Must Die; Hyprid Exchange Vuln; Sonicwall Update; SANS.edu Research: OSS Security and Shifting Left (#)SANS Stormcast Friday, August 8th, 2025:: ASN43350 Mass Scans; HTTP1.1 Must Die; Hyprid Exchange Vuln; Sonicwall Update; SANS.edu Research: OSS Security and Shifting Left Mass Internet Scanning from ASN 43350 Our undergraduate intern Duncan Woosley wrote up aggressive scans from ASN 43350 https://isc.sans.edu/diary/Mass+Internet+Scanning+from+ASN+43350+Guest+Diary/32180/#comments HTTP/1.1 Desync Attacks Portswigger released details about new types of HTTP/1.1 desync attacks it uncovered. These attacks are particularly critical for organizations using middleboxes to translate from HTTP/2 to HTTP/1.1 https://portswigger.net/research/http1-must-die Microsoft Warns of Exchange Server Vulnerability An attacker with admin access...
2025-08-0823 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Thursday, August 7th, 2025: Sextortion Update; Adobe and Trend Micro release emergency patches (#)SANS Stormcast Thursday, August 7th, 2025: Sextortion Update; Adobe and Trend Micro release emergency patches Do Sextortion Scams Still Work in 2025? Jan looked at recent sextortion emails to check if any of the crypto addresses in these emails received deposits. Sadly, some did, so these scams still work. https://isc.sans.edu/diary/Do%20sextortion%20scams%20still%20work%20in%202025%3F/32178 Akira Ransomware Group’s use of Drivers Guidepoint Security observed the Akira ransomware group using specific legitimate drivers for privilege escalation https://www.guidepointsecurity.com/blog/gritrep-akira-sonicwall/ Adobe Patches Critical Experience Manager Vulnerability Adobe released emergency patches for a vulnerability in Ad...
2025-08-0705 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Wednesday, August 6th, 2025: Machinekeys and VIEWSTATEs; Perplexity Unethical Learning; SonicWall Updates (#)SANS Stormcast Wednesday, August 6th, 2025: Machinekeys and VIEWSTATEs; Perplexity Unethical Learning; SonicWall Updates Stealing Machinekeys for fun and profit (or riding the SharePoint wave) Bojan explains in detail how .NET uses Machine Keys to protect the VIEWSTATE, and how to abuse the VIEWSTATE for code execution if the Machine Keys are lost. https://isc.sans.edu/diary/Stealing%20Machine%20Keys%20for%20fun%20and%20profit%20%28or%20riding%20the%20SharePoint%20wave%29/32174 Perplexity is using stealth, undeclared crawlers to evade website no-crawl directives Perplexity will change its User Agent, or use different originating IP addresses, if it detects being blocked from scanning websites...
2025-08-0507 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Tuesday, August 05, 2025: Daily Trends Report; NVidia Triton RCE; Cursor AI Misconfiguration (#)SANS Stormcast Tuesday, August 05, 2025: Daily Trends Report; NVidia Triton RCE; Cursor AI Misconfiguration Daily Trends Report A new trends report will bring you daily data highlights via e-mail. https://isc.sans.edu/diary/New%20Feature%3A%20Daily%20Trends%20Report/32170 NVidia Triton RCE Wiz found an interesting information leakage vulnerability in NVidia’s Triton servers that can be leveraged to remote code execution. https://www.wiz.io/blog/nvidia-triton-cve-2025-23319-vuln-chain-to-ai-server Cursor AI MCP Vulnerability An attacker could abuse negligent Cursor MCP configurations to implement backdoors into developer machines. https://www.aim.security/lp/aim-labs-curxecute-blogpost keywords: cursor; mcp; nvidia; triton; rce; tr...
2025-08-0406 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Sunday, August 03, 2025: Legacy Protocols; Sonicwall SSL VPN Possible 0-Day; (#)SANS Stormcast Sunday, August 03, 2025: Legacy Protocols; Sonicwall SSL VPN Possible 0-Day; Scans for pop3user with guessable password A particular IP assigned to a network that calls itself “Unmanaged” has been scanning telnet/ssh for a user called “pop3user” with passwords “pop3user” or “123456”. I assume they are looking for legacy systems that either currently run pop3 or ran pop3 in the past, and left the user enabled. https://isc.sans.edu/diary/Legacy%20May%20Kill/32166 Possible Sonicwall SSL VPN 0-Day Arcticwolf observed compromised Sonicwall SSL VPN devices used by the Akira group to install ransomware. These devices were fully patched, a...
2025-08-0405 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Friday, August 1st, 2025: Scattered Spider Domains; Excel Blocking Dangerous Links; CISA Releasing Thorium Platform (#)SANS Stormcast Friday, August 1st, 2025: Scattered Spider Domains; Excel Blocking Dangerous Links; CISA Releasing Thorium Platform Scattered Spider Related Domain Names A quick demo of our domain feeds and how they can be used to find Scattered Spider related domains https://isc.sans.edu/diary/Scattered+Spider+Related+Domain+Names/32162 Excel External Workbook Links to Blocked File Types Will Be Disabled by Default Excel will discontinue allowing links to dangerous file types starting as early as October. https://support.microsoft.com/en-us/topic/external-workbook-links-to-blocked-file-types-will-be-disabled-by-default-6dd12903-0592-463d-9e68-0741cf62ee58 CISA Releases Thorium CISA announced that it released...
2025-08-0105 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Thursday July 31st, 2025: Firebase Security; WebKit Vuln Exploited; Scattered Spider Update (#)SANS Stormcast Thursday July 31st, 2025: Firebase Security; WebKit Vuln Exploited; Scattered Spider Update
Securing Firebase: Lessons Re-Learned from the Tea Breach Inspried by the breach of the Tea app, Brendon Evans recorded a video to inform of Firebase security issues https://isc.sans.edu/diary/Securing%20Firebase%3A%20Lessons%20Re-Learned%20from%20the%20Tea%20Breach/32158 WebKit Vulnerability Exploited before Apple Patch A WebKit vulnerablity patched by Apple yesterday has already been exploited in Google Chrome. Google noted the exploit with its patch for the same vulnerability in Chrome. https://nvd.nist.gov/vuln/detail/CVE-2025-6558 Scattered Spider Update CISA released an...
2025-07-3106 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Wednesday July 30th, 2025: Apple Updates; Python Triage; Papercut Vuln Exploited (#)SANS Stormcast Wednesday July 30th, 2025: Apple Updates; Python Triage; Papercut Vuln Exploited Apple Updates Everything: July 2025 Edition Apple released updates for all of its operating systems patching 89 different vulnerabilities. Many vulnerabilities apply to multiple operating systems. https://isc.sans.edu/diary/Apple%20Updates%20Everything%3A%20July%202025/32154 Python Triage A quick python script by Xavier to efficiently search through files, even compressed once, for indicators of compromise. https://isc.sans.edu/diary/Triage+is+Key+Python+to+the+Rescue/32152/ PaperCut Attacks CISA added a 2024 Papercut vulnerability to the known exploited vulnerability list. https://www.cisa.gov/news-events/alerts/2025/07/28/cisa-adds-three-known-exploited-vulnerabilities-catalog keywords: papercut...
2025-07-3006 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Tuesday, July 29th, 2025:Parasitic Exploits; Cisco ISE Exploit; MyASUS Vuln (#)SANS Stormcast Tuesday, July 29th, 2025:Parasitic Exploits; Cisco ISE Exploit; MyASUS Vuln Parasitic SharePoint Exploits We are seeing attacks against SharePoint itself and attempts to exploit backdoors left behind by attackers. https://isc.sans.edu/diary/Parasitic%20Sharepoint%20Exploits/32148 Cisco ISE Vulnerability Exploited A recently patched vulnerability in Cisco ISE is now being exploited. The Zero Day Initiative has released a blog detailing the exploit chain to obtain code execution as an unauthenticated user. https://www.zerodayinitiative.com/blog/2025/7/24/cve-2025-20281-cisco-ise-api-unauthenticated-remote-code-execution-vulnerability MyAsus Vulnerablity The “MyAsus” tool does not store its access tokens correctly, potentially providing an attacker with access to s...
2025-07-2805 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Monday, July 28th, 2025: Linux Namespaces; UI Automation Abuse; Autoswagger (#)SANS Stormcast Monday, July 28th, 2025: Linux Namespaces; UI Automation Abuse; Autoswagger Linux Namespaces Linux namespaces can be used to control networking features on a process-by-process basis. This is useful when trying to present a different network environment to a process being analysed. https://isc.sans.edu/diary/Sinkholing%20Suspicious%20Scripts%20or%20Executables%20on%20Linux/32144 Coyote in the Wild: First-Ever Malware That Abuses UI Automation Akamai identified malware that takes advantage of Microsoft’s UI Automation Framework to programatically interact with the user’s system and steal credentials. https://www.akamai.com/blog/security-research/active-exploitation-coyote-malware-first-ui-automation-abuse-in-the-wild Testing REST APIs with Autoswagger The tool...
2025-07-2805 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Friday, July 25th, 2025: ficheck.py; Mital and SonicWall Patches (#)SANS Stormcast Friday, July 25th, 2025: ficheck.py; Mital and SonicWall Patches New File Integrity Tool: ficheck.py Jim created a new tool, ficheck.py, that can be used to verify file integrity. It is a drop-in replacement for an older tool, fcheck, which was written in Perl and no longer functions well on modern Linux distributions. https://isc.sans.edu/diary/New%20Tool%3A%20ficheck.py/32136 Mitel Vulnerability Mitel released a patch for a vulnerability in its MX-ONE product. The authentication bypass could provide an attacker with user or even admin privileges. https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2025-0009...
2025-07-2405 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Thursday, July 24th, 2025: Reversing SharePoint Exploit; NPM “is” Compromise; (#)SANS Stormcast Thursday, July 24th, 2025: Reversing SharePoint Exploit; NPM “is” Compromise; Reversing SharePoint “Toolshell” Exploits CVE-2025-53770 and CVE-2025-53771 A quick walk-through showing how to decode the payload of recent SharePoint exploits https://isc.sans.edu/diary/Analyzing%20Sharepoint%20Exploits%20%28CVE-2025-53770%2C%20CVE-2025-53771%29/32138 Compromised JavaScript NPM “is” Package The popular npm package “is” was compromised by malware. Luckily, the malicious code was found quickly, and it was reversed after about five hours. https://socket.dev/blog/npm-is-package-hijacked-in-expanding-supply-chain-attack Microsoft Quick Machine Recovery Microsoft added a new quick machine recovery feature to Windows 11. If the system is stuck in a reboot loop, i...
2025-07-2406 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Wednesday, July 23rd, 2025: Sharepoint 2016 Patch; MotW Privacy and WinZip; Interlock Ransomware; Sophos Patches (#)SANS Stormcast Wednesday, July 23rd, 2025: Sharepoint 2016 Patch; MotW Privacy and WinZip; Interlock Ransomware; Sophos Patches Microsoft Updates SharePoint Vulnerability Guidance CVE-2025-53770 and CVE-2025-53771 Microsoft released its update for SharePoint 2016, completing the updates across all currently supported versions. https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/ WinZip MotW Privacy Starting with version 7.10, WinZip introduced an option to no longer include the download URL in zip files as part of the Mark of the Web (MotW). https://isc.sans.edu/diary/WinRAR%20MoTW%20Propagation%20Privacy/32130 Interlock Ransomware Several government agencies collaborated to create an informative and comprehensive overview of the Interlock...
2025-07-2306 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Tuesday, July 22nd, 2025: SharePoint Emergency Patches; How Long Does Patching Take; HPE Wifi Vuln; Zoho WorkDrive Abused (#)SANS Stormcast Tuesday, July 22nd, 2025: SharePoint Emergency Patches; How Long Does Patching Take; HPE Wifi Vuln; Zoho WorkDrive Abused Microsoft Released Patches for SharePoint Vulnerability CVE-2025-53770 CVE-2025-53771 Microsoft released a patch for the currently exploited SharePoint vulnerability. It also added a second CVE number identifying the authentication bypass vulnerability. https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/ How Quickly Are Systems Patched? Jan took Shodan data to check how quickly recent vulnerabilities were patched. The quick answer: Not fast enough. https://isc.sans.edu/diary/How%20quickly%20do%20we%20patch%3F%20A%20quick%20look%20from%20the%20global%20viewpoint/32126 HP...
2025-07-2206 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Monday July 21st, 2025: Sharepoint Exploited; Veeam Fake Voicemail Phish; Passkey Phishing Attack (#)SANS Stormcast Monday July 21st, 2025: Sharepoint Exploited; Veeam Fake Voicemail Phish; Passkey Phishing Attack SharePoint Servers Exploited via 0-day CVE-2025-53770 Late last week, CodeWhite found a new remote code execution exploit against SharePoint. This vulnerability is now actively exploited. https://isc.sans.edu/diary/Critical+Sharepoint+0Day+Vulnerablity+Exploited+CVE202553770+ToolShell/32122/ Veeam Voicemail Phishing Attackers appear to impersonate VEEAM in recent voicemail-themed phishing attempts. https://isc.sans.edu/diary/Veeam%20Phishing%20via%20Wav%20File/32120 Passkey Phishing Attack A currently active phishing attack takes advantage of the ability to use QR codes to complete the Passkey login procedure https://expel...
2025-07-2108 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Friday, July 18th, 2025: Extended File Attributes; Critical Cisco ISE Patch; VMWare Patches; Quarterly Oracle Patches (#)SANS Stormcast Friday, July 18th, 2025: Extended File Attributes; Critical Cisco ISE Patch; VMWare Patches; Quarterly Oracle Patches Hiding Payloads in Linux Extended File Attributes Xavier today looked at ways to hide payloads on Linux, similar to how alternate data streams are used on Windows. Turns out that extended file attributes do the trick, and he presents some scripts to either hide data or find hidden data. https://isc.sans.edu/diary/Hiding%20Payloads%20in%20Linux%20Extended%20File%20Attributes/32116 Cisco Patches Critical Identity Services Engine Flaw CVE-2025-20281, CVE-2025-20337, CVE-2025-20282 An unauthenticated user may execute arbitrary code as root...
2025-07-1804 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Thursday, July 17th, 2025: catbox.moe abuse; Sonicwall Attacks; Rendering Issues (#)SANS Stormcast Thursday, July 17th, 2025: catbox.moe abuse; Sonicwall Attacks; Rendering Issues More Free File Sharing Services Abuse The free file-sharing service catbox.moe is abused by malware. While it officially claims not to allow hosting of executables, it only checks extensions and is easily abused https://isc.sans.edu/diary/More%20Free%20File%20Sharing%20Services%20Abuse/32112 Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor A group Google identifies as UNC6148 is exploiting the Sonicwall SMA 100 series appliance. The devices are end of life, but even fully patched devices are exploited. Google assumes that these devices...
2025-07-1705 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Wednesday, July 16th, 2025: ADS Keystroke Logger; Fake Homebrew; Broadcom Altiris RCE; Malicious Cursor AI Extensions (#)SANS Stormcast Wednesday, July 16th, 2025: ADS Keystroke Logger; Fake Homebrew; Broadcom Altiris RCE; Malicious Cursor AI Extensions Keylogger Data Stored in an ADS Xavier came across a keystroke logger that stores data in alternate data streams. The data includes keystroke logs as well as clipboard data https://isc.sans.edu/diary/Keylogger%20Data%20Stored%20in%20an%20ADS/32108 Malvertising Homebrew An attacker has been attempting to trick users into installing a malicious version of Homebrew. The fake software is advertised via paid Google ads and directs users to the attacker’s GitHub repo. https://medium.com/deriv-tech/brewing-trouble-dissecting-a-macos-malware-campaign-90c2c24de5dc...
2025-07-1605 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Monday, July 14th, 2025: Web Honeypot Log Volume; Browser Extension Malware; RDP Forensics (#)SANS Stormcast Monday, July 14th, 2025: Web Honeypot Log Volume; Browser Extension Malware; RDP Forensics DShield Honeypot Log Volume Increase Within the last few months, there has been a dramatic increase in honeypot log volumes and how often these high volumes are seen. This has not just been from Jesse’s residential honeypot, which has historically seen higher log volumes, but from all of the honeypots that Jesse runs. https://isc.sans.edu/diary/DShield+Honeypot+Log+Volume+Increase/32100 Google and Microsoft Trusted Them. 2.3 Million Users Installed Them. They Were Malware. Koi Security’s investigation of a single “verified” color picker exposed a...
2025-07-1506 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Monday, July 14th, 2025: Suspect Domain Feed; Wing FTP Exploited; FortiWeb Exploited; NVIDIA GPU Rowhammer (#)SANS Stormcast Monday, July 14th, 2025: Suspect Domain Feed; Wing FTP Exploited; FortiWeb Exploited; NVIDIA GPU Rowhammer Experimental Suspicious Domain Feed Our new experimental suspicious domain feed uses various criteria to identify domains that may be used for phishing or other malicious purposes. https://isc.sans.edu/diary/Experimental%20Suspicious%20Domain%20Feed/32102 Wing FTP Server RCE Vulnerability Exploited CVE-2025-47812 Huntress saw active exploitation of Wing FTP Server remote code execution (CVE-2025-47812) on a customer on July 1, 2025. Organizations running Wing FTP Server should update to the fixed version, version 7.4.4, as soon as possible. https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-ex...
2025-07-1406 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Friday, July 11th, 2025: SSH Tunnel; FortiWeb SQL Injection; Ruckus Unpatched Vuln; Missing Motherboard Patches; (#)SANS Stormcast Friday, July 11th, 2025: SSH Tunnel; FortiWeb SQL Injection; Ruckus Unpatched Vuln; Missing Motherboard Patches; SSH Tunneling in Action: direct-tcp requests Attackers are compromising ssh servers to abuse them as relays. The attacker will configure port forwarding direct-tcp connections to forward traffic to a victim. In this particular case, the Yandex mail server was the primary victim of these attacks. https://isc.sans.edu/diary/SSH%20Tunneling%20in%20Action%3A%20direct-tcp%20requests%20%5BGuest%20Diary%5D/32094 Fortiguard FortiWeb Unauthenticated SQL injection in GUI (CVE-2025-25257) An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89...
2025-07-1105 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Thursday, July 10th, 2025: Internal CA with ACME; TapJacking on Android; Adobe Patches; (#)SANS Stormcast Thursday, July 10th, 2025: Internal CA with ACME; TapJacking on Android; Adobe Patches; Setting up Your Own Certificate Authority for Development: Why and How. Some tips on setting up your own internal certificate authority using the smallstep CA. https://isc.sans.edu/diary/Setting%20up%20Your%20Own%20Certificate%20Authority%20for%20Development%3A%20Why%20and%20How./32092 Animation-Driven Tapjacking on Android Attackers can use a click-jacking like trick to trick victims into clicking on animated transparent dialogs opened from other applications. https://taptrap.click/usenix25_taptrap_paper.pdf Adobe Patches Adobe patched 13 different products yesterday. Most concerning are vulnerabilities in Coldfusion...
2025-07-1005 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Wednesday, July 9th, 2025: Microsoft Patches; Opposum Attack; (#)SANS Stormcast Wednesday, July 9th, 2025: Microsoft Patches; Opposum Attack; Microsoft Patch Tuesday, July 2025 Today, Microsoft released patches for 130 Microsoft vulnerabilities and 9 additional vulnerabilities not part of Microsoft's portfolio but distributed by Microsoft. 14 of these are rated critical. Only one of the vulnerabilities was disclosed before being patched, and none of the vulnerabilities have so far been exploited. https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%2C%20July%202025/32088 Opposum Attack If a TLS server is configured to allow switching from HTTP to HTTPS on a specific port, an attacker may be able to inject a request into the data stream. https://op...
2025-07-0907 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Tuesday, July 8th, 2025: Detecting Filename (Windows); Atomic Stealer now with Backdoor; SEO Scams (#)SANS Stormcast Tuesday, July 8th, 2025: Detecting Filename (Windows); Atomic Stealer now with Backdoor; SEO Scams What’s My File Name Malware may use the GetModuleFileName API to detect if it was renamed to a name typical for analysis, like sample.exe or malware.exe https://isc.sans.edu/diary/What%27s%20My%20%28File%29Name%3F/32084 Atomic macOS infostealer adds backdoor for persistent attacks Malware analyst discovered a new version of the Atomic macOS info-stealer (also known as 'AMOS') that comes with a backdoor, to attackers persistent access to compromised systems. https://moonlock.com/amos-backdoor-persistent-access HOUKEN SEEKING A PATH BY LIVING ON...
2025-07-0805 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Monday, July 7th, 2025: interesting usernames; More sudo issues; CitrixBleed2 PoC; Short Lived Certs (#)SANS Stormcast Monday, July 7th, 2025: interesting usernames; More sudo issues; CitrixBleed2 PoC; Short Lived Certs Interesting ssh/telnet usernames Some interesting usernames observed in our honeypots https://isc.sans.edu/diary/A%20few%20interesting%20and%20notable%20ssh%20telnet%20usernames/32080 More sudo trouble The host option in Sudo can be exploited to execute commands on unauthorized hosts. https://www.stratascale.com/vulnerability-alert-CVE-2025-32462-sudo-host CitrixBleed2 PoC Posted (CVE-2025-5777) WatchTwer published additional details about the recently patched CitrixBleed vulnerability, including a PoC exploit. https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/ Instagram Using Six Day Certificates Instagram changes their TLS certificates daily and th...
2025-07-0605 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Thursday July 3rd, 2025: sudo problems; polymorphic zip files; cisco vulnerablity (#)SANS Stormcast Thursday July 3rd, 2025: sudo problems; polymorphic zip files; cisco vulnerablity Sudo chroot Elevation of Privilege The sudo chroot option can be leveraged by any local user to elevate privileges to root, even if no sudo rules are defined for that user. https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot Polymorphic ZIP Files A zip file with a corrupt End of Central Directory Record may extract different data depending on the tool used to extract the files. https://hackarcana.com/article/yet-another-zip-trick Cisco Unified Communications Manager Static SSH Credentials Vulnerability A vulnerability in Cisco Unified Communications Manager (Unified CM) and...
2025-07-0205 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Monday June 30th, 2025: Scattered Spider; AMI BIOS Exploited; Secure Boot Certs Expiring; Microsoft Resliliency Initiative (#)SANS Stormcast Monday June 30th, 2025: Scattered Spider; AMI BIOS Exploited; Secure Boot Certs Expiring; Microsoft Resliliency Initiative Scattered Spider Update The threat actor known as Scattered Spider is in the news again, this time focusing on airlines. But the techniques used by Scattered Spider, social engineering, are still some of the most dangerous techniques used by various threat actors. https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations?e=48754805 AMI BIOS Vulnerability Exploited CVE-2024-54085 A vulnerability in the Redfish remote access software, including AMI’s BIOS, is now being exploited. https://go.ami.com/hubfs/Security%20Advisories/2025/AMI-SA-2025003.pdf ht...
2025-06-2907 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Friday, June 27th, 2025: Open-VSX Flaw; Airoha Bluetooth Vulnerablity; Critical Cisco Identity Service Engine Vuln; (#)SANS Stormcast Friday, June 27th, 2025: Open-VSX Flaw; Airoha Bluetooth Vulnerablity; Critical Cisco Identity Service Engine Vuln; Open-VSX Flaw Puts Developers at Risk A flaw in the open-vsx extension marketplace could have let to the compromise of any extension offered by the marketplace. https://blog.koi.security/marketplace-takeover-how-we-couldve-taken-over-every-developer-using-a-vscode-fork-f0f8cf104d44 Bluetooth Vulnerability Could Allow Eavesdropping A vulnerability in the widely used Airoha Bluetooth chipset can be used to compromise devices and use them for eavesdropping. https://insinuator.net/2025/06/airoha-bluetooth-security-vulnerabilities/ Critical Cisco Identity Services Engine Vulnerability Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC...
2025-06-2606 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Thursday, June 26th, 2025: Another Netscaler Vuln; CentOS Web Panel Vuln; IP Based Certs (#)SANS Stormcast Thursday, June 26th, 2025: Another Netscaler Vuln; CentOS Web Panel Vuln; IP Based Certs NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2025-6543 Citrix patched a memory overflow vulnerability leading to unintended control flow and denial of service. https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788 Remote code execution in CentOS Web Panel - CVE-2025-48703 An arbitrary file upload vulnerability in the user (not admin) part of Web Panel can be used to execute arbitrary code https://fenrisk.com/rce-centos-webpanel Gogs Arbitrary File Deletion Vulnerability Due to the insufficient patch for the CVE-2024-39931, it's still p...
2025-06-2505 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Tuesday, June 24th, 2025: Telnet/SSH Scan Evolution; Fake Sonicwall Software; File-Fix vs Click-Fix (#)SANS Stormcast Tuesday, June 24th, 2025: Telnet/SSH Scan Evolution; Fake Sonicwall Software; File-Fix vs Click-Fix Quick Password Brute Forcing Evolution Statistics After collecting usernames and passwords from our ssh and telnet honeypots for about a decade, I took a look back at how scans changed. Attackers are attempting more passwords in each scans than they used to, but the average length of passwords did not change. https://isc.sans.edu/diary/Quick%20Password%20Brute%20Forcing%20Evolution%20Statistics/32068 Introducing FileFix – A New Alternative to ClickFix Attacks Attackers may trick the user into copy/pasting strings into file explorer, which will execute co...
2025-06-2404 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Tuesday, June 24th, 2025: Ichano ATHome IP Camera Scans; Netscaler Vulnerability; WinRar Vulnerability (#)SANS Stormcast Tuesday, June 24th, 2025: Ichano ATHome IP Camera Scans; Netscaler Vulnerability; WinRar Vulnerability Scans for Ichano AtHome IP Cameras A couple days ago, a few sources started scanning for the username super_yg and the password 123. This is associated with Ichano IP Camera software. https://isc.sans.edu/diary/Scans%20for%20Ichano%20AtHome%20IP%20Cameras/32062 Critical Netscaler Security Update CVE-2025-5777 CVE 2025-5777 is a critical severity vulnerability impacting NetScaler Gateway, i.e. if NetScaler has been configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server. https://www.netscaler.com/blog/news/critical-security-updates-for-netscaler-netscaler-gateway-and-netscaler-console...
2025-06-2305 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Monday, June 23rd, 2025: ADS and Python; More Secure Cloud PCs; Zend.to Path Traversal; Parser Differentials (#)SANS Stormcast Monday, June 23rd, 2025: ADS and Python; More Secure Cloud PCs; Zend.to Path Traversal; Parser Differentials ADS & Python Tools Didier explains how to use his tools cut-bytes.py and filescanner to extract information from alternate data streams. https://isc.sans.edu/diary/ADS%20%26%20Python%20Tools/32058 Enhanced security defaults for Windows 365 Cloud PCs Microsoft announced more secure default configurations for its Windows 365 Cloud PC offerings. https://techcommunity.microsoft.com/blog/windows-itpro-blog/enhanced-security-defaults-for-windows-365-cloud-pcs/4424914 CVE-2025-34508: Another File Sharing Application, Another Path Traversal Horizon3 reveals details of a recently patched directory traversal vulnerability in zend.to. https://horizon3.ai/attack-research...
2025-06-2205 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Friday, June 20th, 2025: New Employee Phishing; Malicious Tech Support Links; Social Engineering App Sepecific Passwords (#)SANS Stormcast Friday, June 20th, 2025: New Employee Phishing; Malicious Tech Support Links; Social Engineering App Sepecific Passwords How Long Until the Phishing Starts? About Two Weeks After setting up a Google Workspace and adding a new user, it took only two weeks for the new employee to receive somewhat targeted phishing emails. https://isc.sans.edu/diary/How%20Long%20Until%20the%20Phishing%20Starts%3F%20About%20Two%20Weeks/32052 Scammers hijack websites of Bank of America, Netflix, Microsoft, and more to insert fake phone numbers Scammers are placing Google ads that point to legitimate companies’ sites, but are injecting malicious text into th...
2025-06-1905 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Monday, June 16th, 2025: Extracing Data from JPEG; Windows Recall Export; Anubis Wiper; Mitel Vuln and PoC (#)SANS Stormcast Monday, June 16th, 2025: Extracing Data from JPEG; Windows Recall Export; Anubis Wiper; Mitel Vuln and PoC Extracting Data From JPEGs Didier shows how to efficiently extract data from JPEGs using his tool jpegdump.py https://isc.sans.edu/diary/A%20JPEG%20With%20A%20Payload/32048 Windows Recall Export in Europe In its latest insider build for Windows 11, Microsoft is testing an export feature for data stored by Recall. The feature is limited to European users and requires that you note an encryption key that will be displayed only once as Recall is enabled. https://blogs.windows.com/windows-insider/2025/06/13/announcing-windows-11...
2025-06-1605 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Monday, June 16th, 2025: Katz Stealer in JPG; JavaScript Attacks; Reviving expired Discord Invites for Evil (#)SANS Stormcast Monday, June 16th, 2025: Katz Stealer in JPG; JavaScript Attacks; Reviving expired Discord Invites for Evil Katz Stealer in JPG Xavier found some multistage malware that uses an Excel Spreadsheet and an HTA file to load an image that includes embeded a copy of Katz stealer. https://isc.sans.edu/diary/More+Steganography/32044 https://unit42.paloaltonetworks.com/malicious-javascript-using-jsfiretruck-as-obfuscation/ JavaScript obfuscated with JSF*CK is being used on over 200,000 websites to direct victims to malware Expired Discord Invite Links Used for Malware Distribution Expired discord invite links are revived as vanity links to direct victims to malware sites https://research...
2025-06-1506 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Friday, June 13th, 2025: Honeypot Scripts; EchoLeak MSFT Copilot Vuln; Thunderbolt mailbox URL Vuln; (#)SANS Stormcast Friday, June 13th, 2025: Honeypot Scripts; EchoLeak MSFT Copilot Vuln; Thunderbolt mailbox URL Vuln; Automated Tools to Assist with DShield Honeypot Investigations https://isc.sans.edu/diary/Automated%20Tools%20to%20Assist%20with%20DShield%20Honeypot%20Investigations%20%5BGuest%20Diary%5D/32038 EchoLeak: Zero-Click Microsoft 365 Copilot Data Leak Microsoft fixed a vulnerability in Copilot that could have been abused to exfiltrate data from Copilot users. Copilot mishandled instructions an attacker included in documents inspected by Copilot and executed them. https://www.aim.security/lp/aim-labs-echoleak-blogpost Thunderbolt Vulnerability Thunderbolt users may be tricked into downloading arbitrary files if an email includes a mailbox:/// URL...
2025-06-1205 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Thursday, June 12th, 2025: Quasar RAT; Windows 11 24H2 Delay; SMB Client Vuln PoC; Connectwise Signing Keys; KDE Telnet code exec (#)SANS Stormcast Thursday, June 12th, 2025: Quasar RAT; Windows 11 24H2 Delay; SMB Client Vuln PoC; Connectwise Signing Keys; KDE Telnet code exec Quasar RAT Delivered Through Bat Files Xavier is walking you through a quick reverse analysis of a script that will injection code extracted from a PNG image to implement a Quasar RAT. https://isc.sans.edu/diary/Quasar%20RAT%20Delivered%20Through%20Bat%20Files/32036 Delayed Windows 11 24H2 Rollout Microsoft slightly throttled the rollout of windows 11 24H2 due to issues stemming from the patch Tuesday fixes. https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#3570 An In-Depth Analysis of CVE-2025-33073 Patch...
2025-06-1106 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Wednesday, June 11th, 2025: Microsoft Patch Tuesday; Acrobat Patches (#)SANS Stormcast Wednesday, June 11th, 2025: Microsoft Patch Tuesday; Acrobat Patches Microsoft Patch Tuesday Microsoft today released patches for 67 vulnerabilities. 10 of these vulnerabilities are rated critical. One vulnerability has already been exploited and another vulnerability has been publicly disclosed before today. https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20June%202025/32032 Adobe Vulnerabilities Adobe released patches for 7 different applications. Two significant ones are Adobe Commerce and Adobe Acrobat Reader. All vulnerabilities patched for Adobe Commerce can only be exploited by an authenticated user. The Adobe Acrobat Reader vulnerabilities are exploited by a user opening a crafted PDF, and the exploit may execute...
2025-06-1006 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast June, Tuesday, June 10th, 2025: Octosql; Mirai vs. Wazuh DNS4EU; Wordpress Fair Package Manager (#)SANS Stormcast June, Tuesday, June 10th, 2025: Octosql; Mirai vs. Wazuh DNS4EU; Wordpress Fair Package Manager OctoSQL & Vulnerability Data OctoSQL is a neat tool to query files in different formats using SQL. This can, for example, be used to query the JSON vulnerability files from CISA or NVD and create interesting joins between different files. https://isc.sans.edu/diary/OctoSQL+Vulnerability+Data/32026 Mirai vs. Wazuh The Mirai botnet has now been observed exploiting a vulnerability in the open-source EDR tool Wazuh. https://www.akamai.com/blog/security-research/botnets-flaw-mirai-spreads-through-wazuh-vulnerability DNS4EU The European Union created its own public recursive resolver...
2025-06-0906 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast June, June 9th, 2025: Extracting PNG Data; GlueStack Packages Backdoor; MacOS targeted by Clickfix; INETPUB restore script (#)SANS Stormcast June, June 9th, 2025: Extracting PNG Data; GlueStack Packages Backdoor; MacOS targeted by Clickfix; INETPUB restore script Extracting With pngdump.py Didier extended his pngdump.py script to make it easier to extract additional data appended to the end of the image file. https://isc.sans.edu/diary/Extracting%20With%20pngdump.py/32022 16 React Native Packages for GlueStack Backdoored Overnight 16 npm packages with over a million weekly downloads between them were compromised. The compromised packages include a remote admin tool that was seen before in similar attacks. https://www.aikido.dev/blog/supply-chain-attack-on-react-native-aria-ecosystem Atomic MacOS Stealer Exploits Clickfix MacOS users...
2025-06-0905 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Friday, June 6th, 2025: Fake Zoom Clients; Python tarfile vulnerability; HPE Insight Remote Support Patch (#)SANS Stormcast Friday, June 6th, 2025: Fake Zoom Clients; Python tarfile vulnerability; HPE Insight Remote Support Patch Be Careful With Fake Zoom Client Downloads Miscreants are tricking victims into downloading fake Zoom clients (and likely other meeting software) by first sending them fake meeting invites that direct victims to a page that offers malware for download as an “update” to the Zoom client. https://isc.sans.edu/diary/Be%20Careful%20With%20Fake%20Zoom%20Client%20Downloads/32014 Python tarfile Vulnerability Recently, the Python tarfile module introduced a “filter” option to help mitigate some of the insecure behavior common to software unpacking archives. This filter i...
2025-06-0505 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Thursday, June 5th, 2025: Phishing Comment Trick; AWS default logging mode change; Cisco Backdoor Fixed; Infoblox Vulnerability Details Released (#)SANS Stormcast Thursday, June 5th, 2025: Phishing Comment Trick; AWS default logging mode change; Cisco Backdoor Fixed; Infoblox Vulnerability Details Released Phishing e-mail that hides malicious links from Outlook users Jan found a phishing email that hides the malicious link from Outlook users. The email uses specific HTML comment clauses Outlook interprets to render or not render specific parts of the email’s HTML code. Jan suggests that the phishing email is intented to not expose users of https://isc.sans.edu/diary/Phishing%20e-mail%20that%20hides%20malicious%20link%20from%20Outlook%20users/32010 Amazon changing default logging from blocking to non-blocking Amazon wil...
2025-06-0505 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Wednesday, June 4th, 2025: vBulletin Exploited; Chrome 0-Day Patch; Roundcube RCE Patch; Multiple HP StoreOnce Vulns Patched (#)SANS Stormcast Wednesday, June 4th, 2025: vBulletin Exploited; Chrome 0-Day Patch; Roundcube RCE Patch; Multiple HP StoreOnce Vulns Patched vBulletin Exploits CVE-2025-48827, CVE-2025-48828 We do see exploit attempts for the vBulletin flaw disclosed about a week ago. The flaw is only exploitable if vBulltin is run on PHP 8.1, and was patched over a year ago. However, vBulltin never disclosed the type of vulnerability that was patched. https://isc.sans.edu/diary/vBulletin%20Exploits%20%28CVE-2025-48827%2C%20CVE-2025-48828%29/32006 Google Chrome 0-Day Patched Google released a security update for Google Chrome patching three flaws. One of these is already being...
2025-06-0307 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Tuesday, June 3rd, 2025: Windows SSH C2; Google Removes CAs from trusted list; MSFT issues Emergency Patch to fix Crash issue; Qualcom Adreno GPU 0-day (#)SANS Stormcast Tuesday, June 3rd, 2025: Windows SSH C2; Google Removes CAs from trusted list; MSFT issues Emergency Patch to fix Crash issue; Qualcom Adreno GPU 0-day Simple SSH Backdoor Xavier came across a simple SSH backdoor taking advantage of the ssh client preinstalled on recent Windows systems. The backdoor is implemented via an SSH configuration file that instructs the SSH client to connect to a remote system and forward a shell on a random port. This will make the shell accessible to anybody able to connect to the C2 host. https://isc.sans.edu/diary/Simple%20SSH%20Backdoor/32000 Google Chrome...
2025-06-0206 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Monday, May 2nd, 2025: PNG with RAT; Cisco IOS XE WLC Exploit; vBulletin Exploit (#)SANS Stormcast Monday, May 2nd, 2025: PNG with RAT; Cisco IOS XE WLC Exploit; vBulletin Exploit A PNG Image With an Embedded Gift Xavier shows how Python code attached to a PNG image can be used to implement a command and control channel or a complete remote admin kit. https://isc.sans.edu/diary/A+PNG+Image+With+an+Embedded+Gift/31998 Cisco IOS XE WLC Arbitrary File Upload Vulnerability (CVE-2025-20188) Analysis Horizon3 analyzed a recently patched flaw in Cisco Wireless Controllers. This arbitrary file upload flaw can easily be used to execute arbitrary code. https://horizon3.ai/attack-research/attack-blogs/cisco-ios-xe-wlc-arbitrary-file-upload-vulnerability-cve-2025...
2025-06-0105 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Friday, May 30th 2025: Alternate Data Streams; Connectwise Breach; Google Calendar C2; (#)SANS Stormcast Friday, May 30th 2025: Alternate Data Streams; Connectwise Breach; Google Calendar C2; Alternate Data Streams: Adversary Defense Evasion and Detection Good Primer of alternate data streams and how they are abused, as well as how to detect and defend against ADS abuse. https://isc.sans.edu/diary/Alternate%20Data%20Streams%20%3F%20Adversary%20Defense%20Evasion%20and%20Detection%20%5BGuest%20Diary%5D/31990 Connectwise Breach Affects ScreenConnect Customers Connectwise’s ScreenConnect solution was compromised, leading to attacks against a small number of customers. This is yet another example of how attackers are taking advantage of remote access solutions. https://www.connectwise.com/company/tr...
2025-05-3013 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Thursday May 29th 2025: LLM Assisted Analysis; MSP Ransomware; Everetz Vulnerability (#)SANS Stormcast Thursday May 29th 2025: LLM Assisted Analysis; MSP Ransomware; Everetz Vulnerability Exploring a Use Case of Artificial Intelligence Assistance with Understanding an Attack Jennifer Wilson took a “weird string” found in a recent honeypot sample and worked with ChatGPT to figure out what it is all about. https://isc.sans.edu/diary/%5BGuest%20Diary%5D%20Exploring%20a%20Use%20Case%20of%20Artificial%20Intelligence%20Assistance%20with%20Understanding%20an%20Attack/31980 Ransomware Deployed via SimpleHelp Vulnerabilities Ransomware actors are using vulnerabilities in SimpleHelp to gain access to victim’s networks via MSPs. The exploited vulnerabilities were patched in January. https://news.sophos.com/en-us...
2025-05-2806 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Wednesday May 28th 2025: Securing authorized_keys; ADAuditPlus SQL Injection; Dero Miner vs Docker API (#)SANS Stormcast Wednesday May 28th 2025: Securing authorized_keys; ADAuditPlus SQL Injection; Dero Miner vs Docker API SSH authorized_keys File One of the most common techniques used by many bots is to add rogue keys to the authorized_keys file, implementing an SSH backdoor. Managing these files and detecting unauthorized changes is not hard and should be done if you operate Unix systems. https://isc.sans.edu/diary/Securing%20Your%20SSH%20authorized_keys%20File/31986 REMOTE COMMAND EXECUTION ON SMARTBEDDED METEOBRIDGE (CVE-2025-4008) Weatherstation software Meteobridge suffers from an easily exploitable unauthenticated remote code execution vulnerability https://www.onekey.com/resource...
2025-05-2806 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Tuesday, May 27th 2025: SVG Steganography; Fortinet PoC; GitLab Duo Prompt Injection (#)SANS Stormcast Tuesday, May 27th 2025: SVG Steganography; Fortinet PoC; GitLab Duo Prompt Injection SVG Steganography Steganography is not only limited to pixel-based images but can be used to embed messages into vector-based formats like SVG. https://isc.sans.edu/diary/SVG%20Steganography/31978 Fortinet Vulnerability Details CVE-2025-32756 Horizon3.ai shows how it was able to find the vulnerability in Fortinet’s products, and how to possibly exploit this issue. The vulnerability is already being exploited in the wild and was patched May 13th https://horizon3.ai/attack-research/attack-blogs/cve-2025-32756-low-rise-jeans-are-back-and-so-are-buffer-overflows/ Remote Prompt Injection in GitLab Duo Leads to Source Co...
2025-05-2607 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Friday, May 23rd 2025: Backup Connectivity; Windows 2025 dMSA Abuse; Samlify Vulnerability (#)SANS Stormcast Friday, May 23rd 2025: Backup Connectivity; Windows 2025 dMSA Abuse; Samlify Vulnerability Resilient Secure Backup Connectivity for SMB/Home Users Establishing resilient access to a home network via a second ISP may lead to unintended backdoors. Secure the access and make sure you have the visibility needed to detect abuse. https://isc.sans.edu/diary/Resilient%20Secure%20Backup%20Connectivity%20for%20SMB%20Home%20Users/31972 BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory An attacker with the ability to create service accounts may be able to manipulate these accounts to mark them as migrated accounts, inheriting all privileges the original account...
2025-05-2207 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Thursday, May 22nd 2025: Crypto Confidence Scams; Extension Mayhem for VS Code and Chrome (#)SANS Stormcast Thursday, May 22nd 2025: Crypto Confidence Scams; Extension Mayhem for VS Code and Chrome New Variant of Crypto Confidence Scam Scammers are offering login credentials for what appears to be high value crypto coin accounts. However, the goal is to trick users into paying for expensive “VIP” memberships to withdraw the money. https://isc.sans.edu/diary/New%20Variant%20of%20Crypto%20Confidence%20Scam/31968 Malicious Chrome Extensions Malicious Chrome extensions mimick popular services like VPNs to trick users into installing them. Once installed, the extensions will exfiltrate browser secrets https://dti.domaintools.com/dual-function-malware-chrome-extensions/ Malicious VS Code Extensions Malicious Visual Stud...
2025-05-2106 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Wednesday, May 21st 2025: Researchers Scanning the Internet; Forgotten DNS Records; openpgp.js Vulneraiblity (#)SANS Stormcast Wednesday, May 21st 2025: Researchers Scanning the Internet; Forgotten DNS Records; openpgp.js Vulneraiblity Researchers Scanning the Internet A “newish” RFC, RFC 9511, suggests researchers identify themselves by adding strings to the traffic they send, or by operating web servers on machines from which the scan originates. We do offer lists of researchers and just added three new groups today https://isc.sans.edu/diary/Researchers%20Scanning%20the%20Internet/31964 Cloudy with a change of Hijacking: Forgotten DNS Records Organizations do not always remove unused CNAME records. An attacker may take advantage of this if an attacker is able to take poss...
2025-05-2007 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Tuesday, May 20th 2025: AutoIT Code RAT; Fake Keepass Download; Procolored Printer Software Compromise (#)SANS Stormcast Tuesday, May 20th 2025: AutoIT Code RAT; Fake Keepass Download; Procolored Printer Software Compromise RAT Dropped By Two Layers of AutoIT Code Xavier explains how AutoIT was used to install a remote admin tool (RAT) and how to analyse such a tool https://isc.sans.edu/diary/RAT%20Dropped%20By%20Two%20Layers%20of%20AutoIT%20Code/31960 RVTools compromise confirmed Robware.net, the site behind the popular tool RVTools now confirmed that it was compromised. The site is currently offline. https://www.robware.net/readMore Trojaned Version of Keepass used to install info stealer and Cobalt Strike beacon A backdoored version...
2025-05-1906 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Monday, May 18th 2025: xorsearch python functions; pwn2own Berlin; senior govt official impersonation; dynamic domain risk (#)SANS Stormcast Monday, May 18th 2025: xorsearch python functions; pwn2own Berlin; senior govt official impersonation; dynamic domain risk xorsearch.py: Python Functions Didier’s xorsearch tool now supports python functions to filter output https://isc.sans.edu/diary/xorsearch.py%3A%20Python%20Functions/31858 Pwn2Own Berlin 2025 Last weeks Pwn2Own contest in Berlin allowed researchers to demonstrate a number of new exploits with a large focus on privilege escalation and virtual machine escape. https://www.zerodayinitiative.com/blog/2025/5/17/pwn2own-berlin-2025-day-three-results Senior US Officials Impersonated in Malicious Messaging Campaign The FBI warns of senior US officials being impersonated in text an...
2025-05-1806 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Friday, May 16th: Increase in Sonicwall Scans; RVTools Compromised?; RountPress (#)SANS Stormcast Friday, May 16th: Increase in Sonicwall Scans; RVTools Compromised?; RountPress Web Scanning SonicWall for CVE-2021-20016 - Update Scans for SonicWall increased by an order of magnitude over the last couple of weeks. Many of the attacks appear to originate from “Global Host”, a low-cost virtual hosting provider. https://isc.sans.edu/diary/Web%20Scanning%20SonicWall%20for%20CVE-2021-20016%20-%20Update/31952 Google Update Patches Exploited Chrome Flaw Google released an update for Chrome. The update fixes two specific flaws reported by external researchers, CVE-2025-4664 and CVE-2025-4609. The first flaw is already being exploited in the wild. http...
2025-05-1506 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Thursday, May 15th: Google Open Redirects; Adobe, Ivanti, and Samsung patches (#)SANS Stormcast Thursday, May 15th: Google Open Redirects; Adobe, Ivanti, and Samsung patches Another day, another phishing campaign abusing google.com open redirects Google’s links from it’s maps page to hotel listings do suffer from an open redirect vulnerability that is actively exploited to direct users to phishing pages. https://isc.sans.edu/diary/Another%20day%2C%20another%20phishing%20campaign%20abusing%20google.com%20open%20redirects/31950 Adobe Patches Adobe patched 12 different applications. Of particular interest is the update to ColdFusion, which fixes several arbitrary code execution and arbitrary file read problems. https://helpx.adobe.com/security/security-bulletin.html Samsung Patc...
2025-05-1506 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Wednesday, May 14th: Microsoft Patch Tuesday; 0-Days patched for Ivanti Endpoint Manager and Fortinet Products (#)SANS Stormcast Wednesday, May 14th: Microsoft Patch Tuesday; 0-Days patched for Ivanti Endpoint Manager and Fortinet Products Microsoft Patch Tuesday Microsoft patched 70-78 vulnerabilities (depending on how you count them). Five of these vulnerabilities are already being exploited. In particular, a remote code execution vulnerability in the scripting engine should be taken seriously. It requires the Microsoft Edge browser to run in Internet Explorer mode. https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%3A%20May%202025/31946 Security Advisory Ivanti Endpoint Manager Mobile (EPMM) May 2025 (CVE-2025-4427 and CVE-2025-4428) Ivanti patched an authentication bypass vulnerability and a remote code execution vulnerability...
2025-05-1306 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Tuesday, May 12th: Apple Patches; Unipi Technologies Scans; (#)SANS Stormcast Tuesday, May 12th: Apple Patches; Unipi Technologies Scans; Apple Updates Everything Apple patched all of its operating systems. This update ports a patch for a recently exploited vulnerability to older versions of iOS and macOS. https://isc.sans.edu/diary/31942 It Is 2025, And We Are Still Dealing With Default IoT Passwords And Stupid 2013 Router Vulnerabilities Versions of the Mirai botnet are attacking devices made by Unipi Technology. These devices are using a specific username and password combination. In addition, this version of the Mirai botnet will also attempt exploits against an old Netgear vulnerability. https://isc.sans.edu...
2025-05-1206 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Monday, May 11th: Steganography Challenge; End-of-Life Routers; ASUS Driverhub; RV-Tools SEO Poisoning (#)SANS Stormcast Monday, May 11th: Steganography Challenge; End-of-Life Routers; ASUS Driverhub; RV-Tools SEO Poisoning Steganography Challenge Didier revealed the solution to last weekend’s cryptography challenge. The image used the same encoding scheme as Didier described before, but the columns and rows were transposed. https://isc.sans.edu/forums/diary/Steganography%20Challenge%3A%20My%20Solution/31912/ FBI Warns of End-of-life routers The FBI is tracking larger botnets taking advantage of unpatched routers. Many of these routers are end-of-life, and no patches are available for the exploited vulnerabilities. The attackers are turning the devices into proxies, which are resold for various criminal ac...
2025-05-1206 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Friday, May 9th: SSH Exfil Tricks; magicINFO still vulnerable; SentinelOne Vulnerability; Commvault insufficient patch (#)SANS Stormcast Friday, May 9th: SSH Exfil Tricks; magicINFO still vulnerable; SentinelOne Vulnerability; Commvault insufficient patch No Internet Access: SSH to the Rescue If faced with restrictive outbound network access policies, a single inbound SSH connection can quickly be turned into a tunnel or a full-blown VPN https://isc.sans.edu/diary/No%20Internet%20Access%3F%20SSH%20to%20the%20Rescue!/31932 SAMSUNG magicINFO 9 Server Flaw Still exploitable The SAMSUNG magicINFO 9 Server Vulnerability we found being exploited last week is apparently still not completely patched, and current versions are vulnerable to the exploit observed in the wild. https://www.huntress.com/blog...
2025-05-0904 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Thursday, May 8th: Modular Malware; Sysaid Vuln; Cisco Wireless Controller Patch; Unifi Protect Camera Patch (#)SANS Stormcast Thursday, May 8th: Modular Malware; Sysaid Vuln; Cisco Wireless Controller Patch; Unifi Protect Camera Patch Example of Modular Malware Xavier analyzes modular malware that downloads DLLs from GitHub if specific features are required. In particular, the webcam module is inspected in detail. https://isc.sans.edu/diary/Example%20of%20%22Modular%22%20Malware/31928 Sysaid XXE Vulnerabilities IT Service Management Software Sysaid patched a number of XXE vulnerabilities. Without authentication, an attacker is able to obtain confidential data and completely compromise the system. watchTowr published a detailed analysis of the flaws including exploit code. https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/ Cisco IOS...
2025-05-0805 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Wednesday, May 7th: Infostealer with Webserver; Android Update; CISA Warning (#)SANS Stormcast Wednesday, May 7th: Infostealer with Webserver; Android Update; CISA Warning Python InfoStealer with Embedded Phishing Webserver Didier found an interesting infostealer that, in addition to implementing typical infostealer functionality, includes a web server suitable to create local phishing sites. https://isc.sans.edu/diary/Python%20InfoStealer%20with%20Embedded%20Phishing%20Webserver/31924 Android Update Fixes Freetype 0-Day Google released its monthly Android update. As part of the update, it patched a vulnerability in Freetype that is already being exploited. Android is not alone in using Freetype. Freetype is a very commonly used library to parse fonts like Truetype fonts. https...
2025-05-0706 minSANS Internet Storm Center's Daily Network Security News PodcastSANS Stormcast Tuesday, May 6th: Mirai Exploiting Samsung magicInfo 9; Kali Signing Key Lost; (#)SANS Stormcast Tuesday, May 6th: Mirai Exploiting Samsung magicInfo 9; Kali Signing Key Lost; Mirai Now Exploits Samsung MagicINFO CMS CVE-2024-7399 The Mirai botnet added a new vulnerability to its arsenal. This vulnerability, a file upload and remote code execution vulnerability in Samsung’s MagicInfo 9 CMS, was patched last August but attracted new attention last week after being mostly ignored so far. https://isc.sans.edu/diary/Mirai+Now+Exploits+Samsung+MagicINFO+CMS+CVE20247399/31920 New Kali Linux Signing Key The Kali Linux maintainers lost access to the secret key used to sign packages. Users must install a new key that wi...
2025-05-0606 min
MENOMIO - Der Podcast für glückliche Wechseljahre35_Verhütung in den Wechseljahren: Im Gespräch mit Johannes Ott
In dieser Episode spricht Daniela mit Johannes Ott, Leiter der klinischen Abteilung für gynäkologische Endokrinologie am AKH Wien. Im Fokus steht die Verhütung in den Wechseljahren – ein Thema, das viele Frauen verunsichert. Johannes Ott erklärt, warum auch in der Perimenopause Verhütung notwendig sein kann, welche hormonellen und nicht-hormonellen Methoden es gibt und worauf man dabei achten sollte. Außerdem beleuchtet er die Auswirkungen hormoneller Verhütungsmethoden auf die Wechseljahre und wie individuelle Bedürfnisse berücksichtigt werden können.
Themen der Folge:
Verhütung in den Wechseljahren: Warum Verhütung in der Perimenopa...
2024-04-2640 min.jpg)
Football Hautnah! - ELF, GFL & NFL: Einblicke vom CoachGespräche mit AFVD + ELF News & Jan Ullrich - Wie gefährlich ist Doping? (#95).00:00 Challenge bis Weihnachten – Was passt zu dir?
07:55 Jan Ullrich – Wie gefährlich ist Doping?
21:48 Johannes hatte seinen letzten Arbeitstag im Großkonzern
26:45 Power House Camp bei Martin im Fitnessstudio
34:22 Martin‘s Gespräch mit neuem AFVD Präsidium & GFL News
40:50 ELF News – Spielerwechsel & neue US-Coaches
50:00 49ers gegen Eagles – Martin’s Erkenntnisse aus der Coaches Cam
-----------
Schicke uns gerne deine Fragen.
Kontaktiere uns hier (auch via Sprachnachricht)
& weitere Infos zu Martin und Johannes oder dem CTK Sportpark:
https://linktr.e...
2023-12-071h 03