SANS Internet Storm Center's Daily Network Security News Podcast

SANS Stormcast Monday Feb 24th: sigs.py update; Google Introdusing Quantum Safe Sigs; MSFT Update Win 11 issues; LTE/5G Vulns; Tool Update: Sigs.py Jim updates sigs.py. The tool verifies hashes for files and automatically recognizes what hash is used. https://isc.sans.edu/diary/Tool%20update%3A%20sigs.py%20-%20added%20check%20mode/31706 Google Announcing Quantum Safe Digital Signatures in Cloud KMS Google announced the option to use quantum safe digital signatures for its cloud key management system. https://cloud.google.com/blog/products/identity-security/announcing-quantum-safe-digital-signatures-in-cloud-kms Windows 11 Patch issues The February Patch Tuesday appears to have caused issues with a number of Windows 11 systems. In particular the usability of the file manager appears to be affected. https://www.windowslatest.com/2025/02/16/windows-11-kb5051987-breaks-file-explorer-install-fails-on-windows-11-24h2/ LTE/5G Vulnerabilities Researchers at the university of Florida have identified a large number of vulnerabilities in 5G and LTE networks. https://nathanielbennett.com/publications/ransacked.pdf keywords: ransacked; lte; 5g; windows 11; microsoft; patches; quantum; google; kms; signatures; hashes; sigs.py

SANS Stormcast Friday Feb 21st: Kibana Queries; Mongoose Injection; U-Boot Flaws; Unifi Protect Camera Vulnerabilities; Protecting Network Devices as Endpoint (Austin Clark @sans_edu) Using ES|QL In Kibana to Query DShield Honeypot Logs Using the "Elastic Search Piped Query Language" to query DShield honeypot logs https://isc.sans.edu/diary/Using%20ES%7CQL%20in%20Kibana%20to%20Queries%20DShield%20Honeypot%20Logs/31704 Mongoose Flaws Put MongoDB at risk The Object Direct Mapping library Mongoose suffers from an injection vulnerability leading to the potenitial of remote code exeuction in MongoDB https://www.theregister.com/2025/02/20/mongoose_flaws_mongodb/ U-Boot Vulnerabilities The open source boot loader U-Boot does suffer from a number of issues allowing the bypass of its integrity checks. This may lead to the execution of malicious code on boot. https://www.openwall.com/lists/oss-security/2025/02/17/2 Unifi Protect Camera Update https://community.ui.com/releases/Security-Advisory-Bulletin-046-046/9649ea8f-93db-4713-a875-c3fd7614943f keywords: unifi; protect; u-boot; honeypot; kibana; logs;

SANS Stormcast Wednesday Feb 20th: XWorm Cocktail; Quantum Computing Breakthrough; Signal Phishing XWorm Cocktail: A Mix of PE data with PowerShell Code Quick analysis of an interesting XWrom sample with powershell code embedded inside an executable https://isc.sans.edu/diary/XWorm+Cocktail+A+Mix+of+PE+data+with+PowerShell+Code/31700 Microsoft's Majorana 1 Chip Carves New Path for Quantum Computing Microsoft announced a breack through in Quantum computing. Its new prototype Majorana 1 chip takes advantage of exotic majorana particles to implement a scalable low error rate solution to building quantum computers https://news.microsoft.com/source/features/ai/microsofts-majorana-1-chip-carves-new-path-for-quantum-computing/ Russia Targeting Signal Messenger Signal is well regarded as a secure end to end encrypted messaging platform. However, a user may be tricked into providing access to their account by scanning a QR code masquerading as a group channel invitation. https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/ keywords: russia; signal; ukraine; quantum; majorana; xworm; powershell

SANS Stormcast Tuesday Feb 19th: ModelScan AI Model Security; OpenSSH Vuln; Juniper Patches; Dell BIOS Vulnerability ModelScan: Protection Against Model Serialization Attacks ModelScan is a tool to inspect AI models for deserialization attacks. The tool will detect suspect commands and warn the user. https://isc.sans.edu/diary/ModelScan%20-%20Protection%20Against%20Model%20Serialization%20Attacks/31692 OpenSSH MitM and DoS Vulnerabilities OpenSSH Patched two vulnerabilities discovered by Qualys. One may be used for MitM attack in specfic configurations of OpenSSH. https://www.qualys.com/2025/02/18/openssh-mitm-dos.txt Juniper Authentication Bypass Juniper fixed an authentication bypass vulnerability that affects several prodcuts. The patch was released outside the normal patch schedule. https://supportportal.juniper.net/s/article/2025-02-Out-of-Cycle-Security-Bulletin-Session-Smart-Router-Session-Smart-Conductor-WAN-Assurance-Router-API-Authentication-Bypass-Vulnerability-CVE-2025-21589?language=en_US DELL BIOS Patches DELL released BIOS updates fixing a privilege escalation issue. The update affects a large part of Dell's portfolio https://www.dell.com/support/kbdoc/en-en/000258429/dsa-2025-021 keywords: dell, bios; juniper; openssh; modelscan;

SANS Stormcast: Securing the Edge; PostgreSQL Exploit; Ivanti Exploit; WinZip Vulnerablity; Xerox Patch My Very Personal Guidance and Strategies to Protect Network Edge Devices A quick summary to help you secure edge devices. This may be a bit opinionated, but these are the strategies that I find work and are actionable. https://isc.sans.edu/diary/My%20Very%20Personal%20Guidance%20and%20Strategies%20to%20Protect%20Network%20Edge%20Devices/31660 PostgreSQL SQL Injection A followup to yesterday's segment about the PostgreSQL vulnerability. Rapid7 released a Metasploit module to exploit the vulnerability. https://github.com/rapid7/metasploit-framework/pull/19877 Ivanti Connect Secure Exploited The Japanese CERT observed exploitation of January's Connect Secure vulnerability https://blogs.jpcert.or.jp/ja/2025/02/spawnchimera.html WinZip Vulnerability WinZip patched a buffer overflow vulenrability that may be triggered by malicious 7Z files https://www.zerodayinitiative.com/advisories/ZDI-25-047/ Xerox Printer Patch Xerox patched two vulnerabililites in its enterprise multifunction printers that may be exploited for lateral movement. https://securitydocs.business.xerox.com/wp-content/uploads/2025/02/Xerox-Security-Bulletin-XRX25-003-for-Xerox-VersaLinkPhaser-and-WorkCentre.pdf keywords: xerox; winzip; ivanti; connect secure; postgresql; sql; edge;

SANS Stormcast Monday Feb 17th: Fake BSOD; Volatile IPs; Postgresql libpq SQL Injection; OAUTH Phishing Fake BSOD Delivered by Malicious Python Script Xavier found an odd malicious Python script that displays a blue screen of death to users. The purpose isn't quite clear. It could be a teach support scam tricking users into calling the 800 number displayed, or a simple anti-reversing trick https://isc.sans.edu/diary/Fake%20BSOD%20Delivered%20by%20Malicious%20Python%20Script/31686 The Danger of IP Volatility Accounting for IP addresses is important, and if not done properly, may lead to resources being exposed after IP addresses are released. https://isc.sans.edu/diary/The%20Danger%20of%20IP%20Volatility/31688 PostgreSQL SQL Injection Functions in PostgreSQL's libpq do not properly escape parameters which may lead to SQL injection issues if the functions are used to create input for pqsql. https://www.postgresql.org/support/security/CVE-2025-1094/ Multiple Russian Threat Actors Targeting Microsoft Device Code Auth The OAUTH device code flow is used to attach devices with limited input capability to a user's account. However, this can be abused via phishing attacks. https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/ keywords: oauth; postgresql; ip; volatility; bsod

SANS Stormcast Feb 14th 2025: DShield Honeypot SIEM; PAN OS Auth Bypass; Salt Typhone vs. Cisco; Crowdstrike Patch DShield SIEM Docker Updates Interested in learning more about the attacks hitting your honeypot? Guy assembled a neat SIEM to create dashboards summarizing the attacks. https://isc.sans.edu/diary/DShield%20SIEM%20Docker%20Updates/31680 PANOS Path Confusion Auth Bypass Palo Alto Networks fixed a path confusion vulnerability introduced by the overly complex midle box chain in PANOS. https://slcyber.io/blog/nginx-apache-path-confusion-to-auth-bypass-in-pan-os/ https://www.theregister.com/2025/02/13/palo_alto_firewall/ China's Volt Typhoon Continues to use Cisco Vulns Recorded Future wrote up some recent attacks of the Red Mike / Volt Typhoon groups going after telecom providers by compromissing Cisco systems via an older vulnerabilty https://www.wired.com/story/chinas-salt-typhoon-spies-are-still-hacking-telecoms-now-by-exploiting-cisco-routers/ Crowdstrike Patches Linux Client https://www.crowdstrike.com/security-advisories/cve-2025-1146/ keywords: crowdstrike; falcon; china; volt typhoon; redmike; cisco; panos; nginx; apache; php; dshield; siem;

SANS Stormcast Feb 13th 2025: Smart City Threats; Advanced Social Engineering Attacks; Wazuh Vulnerability; PAM Vulnerability; Ivanti Patches An Ontology for Threats: Cybercrime and Digital Forensic Investigation on Smart City Infrastructure Smart cities is a big topic for many local governments. With building these complex systems, attacks will follow. https://isc.sans.edu/diary/An%20ontology%20for%20threats%2C%20cybercrime%20and%20digital%20forensic%20investigation%20on%20Smart%20City%20Infrastructure/31676 North Korean state actor tricking admins into executing PowerShell North Korean state actors are spending quite a bit of effort setting up relationships with South Korean system administrators, culminating in them getting tricked into executing malicious PowerShell scripts. https://x.com/MsftSecIntel/status/1889407814604296490 Wazuh Vulnerability A deserialization vulnerability in Wazuh may lead to an unauthenticated remote code execution vulnerability https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh PAM PKCS11 Vulnerablity Several vulnerabilities in the Linux PAM module processing smart card authentication can be used to bypass authentication https://github.com/OpenSC/pam_pkcs11/releases/tag/pam_pkcs11-0.6.13 Ivanti Patches Ivanti released its monhtly update, fixing a number of critical vulnerabilities in Connect Secure and other prodcuts https://forums.ivanti.com/s/article/February-Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-and-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs?language=en_US keywords: ivanti; pam; pkcs11; linux; wazuh; korea; powershell; ontology; smart city

SANS Stormcast Feb 12th 2025: MSFT Patch Tuesday; Adobe Patches; FortiNet Acknowledges Exploitation of FortiOS Microsoft Patch Tuesday Microsoft released patches for 55 vulnerabilities. Three of them are actagorized as critical, two are already exploited and another two have been publicly disclosed. The LDAP server vulnerability could become a huge deal, but it is not clear if an exploit will appear. https://isc.sans.edu/diary/Microsoft%20February%202025%20Patch%20Tuesday/31674 Adobe Patches Adobe released patches for seven products. Watch out in particular for the Adobe Commerce issues https://helpx.adobe.com/security/security-bulletin.html Fortinet Acknowledges Exploitation of Vulnerability https://fortiguard.fortinet.com/psirt/FG-IR-24-535 keywords: fortinet; adobe; microsoft;

SANS Stormcast Feb 11th 2025: 7zip and MoW; Apple 0-Day Fix; AMD Microcode Overwrite; Trimble CityWorks 0-Day; MageCart Update Reminder: 7-Zip MoW The MoW must be added to any files extracted from ZIP or other compound file formats. 7-Zip does not do so by default unless you alter the default configuration. https://isc.sans.edu/diary/Reminder%3A%207-Zip%20%26%20MoW/31668 Apple Fixes 0-Day Apple released updates to iOS and iPadOS fixing a bypass for USB Restricted Mode. The vulnerability is already being exploited. https://support.apple.com/en-us/122174 AMD ZEN CPU Microcode Update An attacker is able to replace microcode on some AMD CPUs. This may alter how the CPUs function and Google released a PoC showing how it can be used to manipulate the random number generator. https://github.com/google/security-research/security/advisories/GHSA-4xq7-4mgh-gp6w Trimble Cityworks Exploited CISA added a recent Trimble Cityworks vulnerabliity to its list of exploited vulnerabilities. https://learn.assetlifecycle.trimble.com/i/1532182-cityworks-customer-communication-2025-02-06-docx/0? Google Tag Manager Skimmer Steals Credit Card Info Sucuri released a blog post with updates to the mage cart campaign. The latest version is injecting malicious code as part of the google tag manager / analytics code. https://blog.sucuri.net/2025/02/google-tag-manager-skimmer-steals-credit-card-info-from-magento-site.html keywords: google; sucuri; amd; trimble; cityworks; tag manager;

SANS Internet Stormcast Feb 10th 2025: Podcast Anniversary; SSL 2.0; Exposed Deepseek Installs; Crypto Scam costs SSL 2.0 Turns 30 This Sunday SSL was created in February 1995. However, back in 2005, only a year later, SSL 3.0 was released, and as of 2011, SSL 2.0 was deprecated, and support was removed from many crypto libraries. However, over 400k hosts are still exposed via SSL 2.0. https://isc.sans.edu/diary/SSL%202.0%20turns%2030%20this%20Sunday...%20Perhaps%20the%20time%20has%20come%20to%20let%20it%20die%3F/31664 Deepseek News Many articles cover various security shortcomings in the Chinese Deepseek AI model. Remember that some of these issues are not unique to Deepseek. https://www.upguard.com/blog/deepseek-adoption https://www.reversinglabs.com/blog/rl-identifies-malware-ml-model-hosted-on-hugging-face https://www.wiz.io/blog/wiz-research-uncovers-exposed-deepseek-database-leak https://www.nowsecure.com/blog/2025/02/06/nowsecure-uncovers-multiple-security-and-privacy-flaws-in-deepseek-ios-mobile-app/ Crypto Wallet Scam Not For Free Didier looked closer at the recent dual signature crypto scams. These wallets are not free; attackers must spend money to set them up. https://isc.sans.edu/diary/Crypto+Wallet+Scam+Not+For+Free/31666 keywords: crypto; deepseek; ssl; anniversary

SANS Internet Stormcast Feb 7th 2025: Unbreakable Anti-Debugging; The Unbreakable Multi-Layer Anti-Debugging System Xavier found a nice Python script that included what it calls the "Unbreakable Multi-Layer Anti-Debugging System". Leave it up to Xavier to tear it appart for you. https://isc.sans.edu/diary/The%20Unbreakable%20Multi-Layer%20Anti-Debugging%20System/31658 Take my money: OCR crypto stealers in Google Play and App Store Malware using OCR on screen shots was available not just via Google Play, but also the Apple App Store. https://securelist.com/sparkcat-stealer-in-app-store-and-google-play-2/115385/ Threat Actors Still Leveraging Legit RMM Tool ScreenConnect Unsurprisingly, threat actors still like to use legit remote admin tools, like ScreenConnect, as a command and control channel. Silent Push outlines the latest trends and IoCs they found https://www.silentpush.com/blog/screenconnect/ Cisco Identity Services Engine Insecure Java Deserialization and Authorization Bypass Vulnerabilities Java deserializing strikes again to allow arbitrary code execution. Cisco fixed this vulnerability and a authorization bypass issue in its Identity Services Engine https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multivuls-FTW9AOXF F5 Update F5 fixes an interesting authentication bypass problem affecting TLS client certificates https://my.f5.com/manage/s/article/K000149173 keywords: f5, java, cisco, ise; ios; android; screenshots; screenconnect; python; anti-debugging

SANS Internet Stormcast Feb 6th 2025: com- prefix domain phishing; Win 10 ESU pricing; Firewall CT Policy; Veeam and Netgear patches Phishing via com- prefix domains Every day, attackers are registering a few hunder domain names starting with com-. These are used in phishing e-mails, like for example "toll fee scams", to create more convincing phishing links. https://isc.sans.edu/diary/Phishing%20via%20%22com-%22%20prefix%20domains/31654 Microsoft Windows 10 Extended Security Updates Microsoft released pricing and additional details for the Windows 10 extended security updates. For the first year after official free updates stopped, security updates will be available for $61 for the first year. https://learn.microsoft.com/en-us/windows/whats-new/extended-security-updates Mozilla Enforcing Certificate Transparency Mozilla is following the lead from other browsers, and will require certificates to include a certificate signature timestamp as proof of compliance with certificate transparency requirements. https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/OagRKpVirsA/m/Q4c89XG-EAAJ https://wiki.mozilla.org/SecurityEngineering/Certificate_Transparency#Enterprise_Policies Veeam Update Veeam's internal backup process may be used to execute arbitrary code by an attacker with a machine in the middle position. https://www.veeam.com/kb4712 Netgear Unauthenticated RCE https://kb.netgear.com/000066558/Security-Advisory-for-Unauthenticated-RCE-on-Some-WiFi-Routers-PSV-2023-0039 keywords: netgear; veeam; firefox; certificate transparency; ct; microsoft; windows 10; ESU; updates; phishing; sunpass;

SANS ISC Stormcast Feb 5ht 2025: Feed Updates and Rosti; Resurrecting Dead S3 Buckets; Let's Encrypt Changes; Edge Device Security Some Updates to Our Data Feeds We made some updates to the documentation for our data feeds, and added the neat Rosti Feed to our list as well as to our ipinfo page. https://isc.sans.edu/diary/Some%20updates%20to%20our%20data%20feeds/31650 8 Million Request Later We Meade the Solarwindws Supply Chain Attack Look Amateur While the title is a bit of watchTowr hyperbole, the problem of resurrecting dead S3 buckets back to live is real and needs to be addressed. Boring solutions will help not becoming an exciting headline. https://labs.watchtowr.com/8-million-requests-later-we-made-the-solarwinds-supply-chain-attack-look-amateur/ Let's Encrypt Ending Expiration Emails Let's Encrypt will no longer send emails for expiring certificates. They suggest other free services to send these emails for you https://letsencrypt.org/2025/01/22/ending-expiration-emails/ Guidance and Strategies Protect Network Edge Edvices CISA and other agencies created a guidance document outlining how to protect edge devices like firewalls, vpn concentrators and other similar devices. https://www.cisa.gov/resources-tools/resources/guidance-and-strategies-protect-network-edge-devices keywords: cisa; edge; devices; guidance; letsencrypt; email; s3; bucket; feeds; documentation; data

SANS ISC Stormcast Feb 4th 2025: Crypto Scam; Mediatek and D-Link Patches; Microsoft ends VPN Service Crypto Wallet Scam YouTube spam messages leak private keys to crypto wallets. However, these keys can not be used to withdraw funds. Victims are scammed into depositing "gas fees" which are then collected by the scammer. https://isc.sans.edu/diary/Crypto%20Wallet%20Scam/31646 Mediatek Patches Mediatek patched numerous vulnerabilities in its WLAN products. Some allow for unauthenticated arbitrary code execution https://corp.mediatek.com/product-security-bulletin/February-2025 D-Link Vulnerability D-Link disclosed a vulnerability in older routers that as of May no longer receive any updates. Your only option is to upgrade hardare. https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10415 Microsoft Discontinues VPN Service Microsoft is shutting down the VPN service that was included as part of Microsoft Defender https://support.microsoft.com/en-au/topic/end-of-support-privacy-protection-vpn-in-microsoft-defender-for-individuals-8b503da5-732a-4472-833a-e2ddca53036a keywords: microsoft, dlink, mediatek, okx, crypto, scam

SANS ISC Stormcast Feb 3rd 2025: Automating Cyber Ranges; Deepseek Scams; PyPi Archived State; Medical Backdoors To Simulate or Replicate: Crafting Cyber Ranges Automating the creation of cyber ranges. This will be a multi part series and this part covers creating the DNS configuration in Windows https://isc.sans.edu/diary/To%20Simulate%20or%20Replicate%3A%20Crafting%20Cyber%20Ranges/31642 Scammers Exploiting Deepseek Hype Scammers are using the hype around Deepseek, and some of the confusion caused by it's site not being reachable, to scam users into installing malware. I am also including a link to a "jailbreak" of Deepseek (this part was not covered in the podcast). https://www.welivesecurity.com/en/cybersecurity/scammers-exploiting-deepseek-hype/ https://lab.wallarm.com/jailbreaking-generative-ai/ PyPi Archived Status PyPi introduced a new feature to mark repositories as archived. This implies that the author is no longer maintaining the particular package https://blog.pypi.org/posts/2025-01-30-archival/ ICS Mecial Advisory: Comtec Patient Monitor Backdoor And interested backdoor was found in a Comtech Patient Monitor. https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-030-01 keywords: comtech; medical; backdoor; pypi; deepseek; dns; cyber range

SANS ISC Stormcast Jan 31st 2025: Old Netgear Vuln in Depth; Lightning AI RCE; Canon Printer RCE; Deepseek Leak; PCAPs or It Didn't Happen: Exposing an Old Netgear Vulnerability Still Active in 2025 [Guest Diary] https://isc.sans.edu/diary/PCAPs%20or%20It%20Didn%27t%20Happen%3A%20Exposing%20an%20Old%20Netgear%20Vulnerability%20Still%20Active%20in%202025%20%5BGuest%20Diary%5D/31638 RCE Vulnerablity in AI Development Platform Lightning AI Noma Security discovered a neat remote code execution vulnerability in Lightning AI. This vulnerability is exploitable by tricking a logged in user into clicking a simple link. https://noma.security/noma-research-discovers-rce-vulnerability-in-ai-development-platform-lightning-ai/ Canon Laser Printers and Small Office Multifunctional Printer Vulnerabilities Canon fixed three different vulnerablities affecting various laser and small office multifunctional printers. These vulnerabilities may lead to remote code execution, and there are some interesting exploit opportunities https://www.usa.canon.com/support/canon-product-advisories/service-notice-regarding-vulnerability-measure-against-buffer-overflow-for-laser-printers-and-small-office-multifunctional-printers Deepseek ClickHouse Database Leak https://www.wiz.io/blog/wiz-research-uncovers-exposed-deepseek-database-leak keywords: deepseek; clickhouse; canon; ai; lightning; netgear

SANS ISC Stormcast, Jan 30th 2025: Python vs. Powershell; Fortinet Exploits and Patch Policy; Voyager PHP Framework Vuln; Zyxel Targeted; VMWare AVI Patch From PowerShell to a Python Obfuscation Race! This information stealer not only emulates a PDF document convincingly, but also includes its own Python environment for Windows https://isc.sans.edu/diary/From%20PowerShell%20to%20a%20Python%20Obfuscation%20Race!/31634 Alleged Active Exploit Sale of CVE-2024-55591 on Fortinet Devices An exploit for this week's Fortinet vulnerability is for sale on russian forums. Fortinet also requires patching of devices without cloud license within seven days of patch release https://x.com/MonThreat/status/1884577840185643345 https://community.fortinet.com/t5/Support-Forum/Firmware-upgrade-policy/td-p/373376 The Tainted Voyage: Uncovering Voyager's Vulnerabilities Sonarcube identified vulnerabilities in the popular PHP package Voyager. One of them allows arbitrary file uploads. https://www.sonarsource.com/blog/the-tainted-voyage-uncovering-voyagers-vulnerabilities/ Hackers exploit critical unpatched flaw in Zyxel CPE devices A currently unpatches vulnerablity in Zyxel devices is actively exploited. https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-unpatched-flaw-in-zyxel-cpe-devices/ VMSA-2025-0002: VMware Avi Load Balancer addresses an unauthenticated blind SQL Injection vulnerability (CVE-2025-22217) VMWare released a patch for the AVI Load Balancer addressing an unauthenticated blink SQL injection vulnerability. https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25346 keywords: vmware; avi load balancer; sql injection; voyager; laravel; php; zyxel; fortinet; python; powershell; garmin

SANS ISC Stormcast, Jan 29th 2025: Python Crypto Stealer; SimpleHelp Exploited; Apple Silicon Vuln; Teamviewer Vuln; Odd QR Code Learn about fileless crypto stealers written in Python, the ongoing exploitation of recent SimpleHelp vulnerablities, new Apple Silicon Sidechannel attacks a Team Viewer Vulnerablity and an odd QR Code Fileless Python InfoStealer Targeting Exodus This Python script targets Exodus crypto wallet and password managers to steal crypto currencies. It does not save exfiltrated data in files, but keeps it in memory for exfiltration https://isc.sans.edu/diary/Fileless%20Python%20InfoStealer%20Targeting%20Exodus/31630 Campaign Exploiting SimpleHelp Vulnerablity Arcticwolf observed attacks exploiting SimpleHelp for initial access to networks. It has not been verified, but is assumed that vulnerabilities made public about a week ago are being exploited. https://arcticwolf.com/resources/blog-uk/arctic-wolf-observes-campaign-exploiting-simplehelp-rmm-software-initial-access/ Two new Side Channel Vulnerabilities in Apple Silicon SLAP (Data Speculation Attacks via Load Address Prediction): This attack exploits the Load Address Predictor in Apple CPUs starting with the M2/A15, allowing unauthorized access to sensitive data by mispredicting memory addresses. FLOP (Breaking the Apple M3 CPU via False Load Output Predictions): This attack targets the Load Value Predictor in Apple's M3/A17 CPUs, enabling attackers to execute arbitrary computations on incorrect data, potentially leaking sensitive information. https://predictors.fail/ Teamviewer Security Bulletin Teamviewer patched a privilege escalation vulnerability CVE-2025-0065 https://www.teamviewer.com/en-us/resources/trust-center/security-bulletins/tv-2025-1001/ Odd QR Code A QR code may resolve to a different URL if looked at at an angle. https://mstdn.social/@isziaui/113874436953157913 Limited Discount for SANS Baltimore https://sans.org/u/1zQd keywords: qr code; teamviewer; apple silicon; sidechannel; python; exodus;

SANS ISC Stormcast, Jan 28th 2025: Z-Shy Phishing; Apple Patches 0-Day; Fortinet Exploit Details; Github and Apache Solr Patches This episode shows how attackers are bypassing phishing filter by abusing the "shy" softhyphen HTML entitiy. We got an update from Apple fixing a 0-day vulnerability in addition to a number of other issues. watchTowr show how to exploit an interesting FortiOS vulnerability and we have patches for Github Desktop and Apache Solr An unusal shy z-wasp phish https://isc.sans.edu/diary/An%20unusual%20%22shy%20z-wasp%22%20phishing/31626 How the soft hyphen "shy" HTML entity can be abused to bypass e-mail filters Apple Patches https://support.apple.com/en-us/100100 Apple released patches for all of its operating systems, fixing a 0-day vulnerability among many others issues Get Fortirekt I am the Super_admin now https://labs.watchtowr.com/get-fortirekt-i-am-the-super_admin-now-fortios-authentication-bypass-cve-2024-55591/ Details about a recent FortiOS Vulnerability GitHub Desktop Vulnerability https://thehackernews.com/2025/01/github-desktop-vulnerability-risks.html Apache Solr Vulnerability https://solr.apache.org/security.html#cve-2024-52012-apache-solr-configset-upload-on-windows-allows-arbitrary-path-write-access keywords: solr; github; desktop; fortinet; fortios; apple; shy; html; z-wasp

SANS ISC Stormcast, Jan 27, 2025: Access Brokers; Llama Stack Vuln; ESXi SSH Tunnels; Zyxel Boot Loops; Subary StarLeak Guest Diary: How Access Brokers Maintain Persistence Explore how cybercriminals utilize access brokers to persist within networks and the impact this has on organizational security. https://isc.sans.edu/forums/diary/Guest+Diary+How+Access+Brokers+Maintain+Persistence/31600/ Critical Vulnerability in Meta's Llama Stack (CVE-2024-50050) A deep dive into CVE-2024-50050, a critical vulnerability affecting Meta's Llama Stack, with exploitation details and mitigation strategies. https://www.oligo.security/blog/cve-2024-50050-critical-vulnerability-in-meta-llama-llama-stack ESXi Ransomware and SSH Tunneling Defense Strategies Learn how to fortify your infrastructure against ransomware targeting ESXi environments, focusing on SSH tunneling and proactive measures. https://www.sygnia.co/blog/esxi-ransomware-ssh-tunneling-defense-strategies/ Zyxel USG FLEX/ATP Series Application Signature Recovery Steps Addressing issues with Zyxel's USG FLEX/ATP Series application signatures as of January 24, 2025, with a detailed recovery guide. https://support.zyxel.eu/hc/en-us/articles/24159250192658-USG-FLEX-ATP-Series-Recovery-Steps-for-Application-Signature-Issue-on-January-24th-2025 Subaru Starlink Vulnerability Exposed Cars to Remote Hacking Discussing how a vulnerability in Subaru's Starlink system left vehicles susceptible to remote exploitation and the steps taken to resolve it. https://www.securityweek.com/subaru-starlink-vulnerability-exposed-cars-to-remote-hacking/ keywords: subaru; starlink; zyxel; usg flex; atp; esci; meta; llama; access broker

SANS ISC Stormcast, Jan 24, 2025: XSS in Email, SonicWall Exploited; Cisco Vulnerablities; AI and SOAR (@sans_edu research paper by Anthony Russo) In today's episode, learn how an attacker attempted to exploit webmail XSS vulnerablities against us. Sonicwall released a critical patch fixing an already exploited vulnerability in its SMA 1000 appliance. Cisco fixed vulnerabilities in ClamAV and its Meeting Manager REST API. Learn from SANS.edu student Anthony Russo how to take advantage of AI for SOAR. XSS Attempts via E-Mail https://isc.sans.edu/diary/XSS%20Attempts%20via%20E-Mail/31620 An analysis of a recent surge in email-based XSS attack attempts targeting users and organizations. Learn the implications and mitigation techniques. SonicWall PSIRT Advisory: CVE-2025-23006 https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0002 CVE-2025-23006 Details of a critical vulnerability in SonicWall appliances (SNWLID-2025-0002) and what you need to do to secure your systems. Cisco ClamAV Advisory: OLE2 Parsing Vulnerability https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-ole2-H549rphA A DoS vulnerability in the popular open source anti virus engine ClamAV Cisco CMM Privilege Escalation Vulnerability https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmm-privesc-uy2Vf8pc A patch of a privilege escalation flaw in Cisco's CMM module. keywords: cisco; cmm; clamav; ole2; sonicwall; sma 1000; xss; email; webmail

SANS ISC Stormcast, Jan 23, 2025: PFSync Protocol; Oracle CPU; Korean VPN Supply Chain Attack; Ivanti Guidance In today's episode, we start by talking about the PFSYNC protocol used to synchronize firewall states to support failover. Oracle released it's quarterly critical patch update. ESET is reporting about a critical VPN supply chain attack and CISA released guidance for victims of recent Ivanti related attacks. Catching CARP: Fishing for Firewall States in PFSync Traffic https://isc.sans.edu/diary/Catching%20CARP%3A%20Fishing%20for%20Firewall%20Stat%20es%20in%20PFSync%20Traffic/31616)** Discover how attackers exploit PFSync traffic to manipulate firewall states. This deep dive explores vulnerabilities and mitigation strategies in network defense. Oracle Critical Patch Update – January 2025 https://www.oracle.com/security-alerts/cpujan2025.html)** Oracle's January 2025 patch release addresses numerous critical vulnerabilities across their product suite. Learn about key updates and how to secure your systems. PlushDaemon: Compromising the Supply Chain of a Korean VPN Service https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-supply-chain-korean-vpn-service/ ESET Research uncovers PlushDaemon, a sophisticated supply chain attack targeting a Korean VPN provider. Understand the implications for supply chain security. CISA Cybersecurity Advisory: AA25-022A https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-022a The latest advisory highlights active threats and mitigation strategies for critical infrastructure. Stay ahead with CISA's guidance on emerging cyber risks. keywords: cisa; ivanti; vpn; korea; oracle; carp; pfsync

SANS ISC Stormcast, Jan 22, 2025: Geolocation via Starlink and Cloudflare; AI Prompt Risks; Homebrew Phishing This episodes covers how Starlink users can be geolocated and how Cloudflare may help deanonymize users. The increased use of AI helpers leads to leaking data via careless prompts. Geolocation and Starlink https://isc.sans.edu/diary/Geolocation%20and%20Starlink/31612 Discover the potential geolocation risks associated with Starlink and how they might be exploited. This diary entry dives into new concerns for satellite internet users. Deanonymizing Users via Cloudflare https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117 Deanonymizing users by identifying which cloudflare server cashed particular content Sage's AI Assistant and Customer Data Concerns https://www.theregister.com/2025/01/20/sage_copilot_data_issue/ Examine how a Sage AI tool inadvertently exposed sensitive customer data, raising questions about AI governance and trust in business applications. The Threat of Sensitive Data in Generative AI Prompts https://www.darkreading.com/threat-intelligence/employees-sensitive-data-genai-prompts Analyze how employees' careless prompts to generative AI tools can lead to sensitive data breaches and the importance of awareness training. Homebrew Phishing https://x.com/ryanchenkie/status/1880730173634699393 keywords: phishing; homebrew; ai; prompts; leakage; gelocation; starlink; cloudflare

SANS ISC Stormcast, Jan 21, 2025: Downloading Partial ZIP files; Remote Tools Used in Attakcs; Azure DevOps SSRF In this episode, we talk about downloading and analyzing partial ZIP files, how legitimate remote access tools are used in recent compromises and how a research found an SSRF vulnerability in Azure DevOps Partial ZIP File Downloads A closer look at how attackers are leveraging partial ZIP file downloads to bypass file verification systems and plant malicious content. https://isc.sans.edu/diary/Partial%20ZIP%20File%20Downloads/31608 Ukrainian CERT Advisory on AnyDesk Threat The Ukrainian CERT provides detailed guidance on identifying and mitigating recent cyber threats exploiting AnyDesk for unauthorized access. https://cert.gov.ua/article/6282069 Finding SSRFs in Azure DevOps An in-depth analysis of how server-side request forgery (SSRF) vulnerabilities are discovered and exploited in Azure DevOps pipelines. https://binarysecurity.no/posts/2025/01/finding-ssrfs-in-devops keywords: devops; azure; ssrf; ukraine; cert; anydesk; zip

SANS ISC Stormcast, Jan 20, 2025: Honeypots for Offense; SimpleHelp and UEFI Secure Boot Vulnerabilities In this episode, we cover how to use honeypot data to keep your offensive infrastructure alive longer, three critical vulnerabilities in SimpleHelp that must be patched now, and an interesting vulnerability affecting many systems allowing UEFI Secure Boot bypass. Leveraging Honeypot Data for Offensive Security Operations [Guest Diary] A recent guest diary on the SANS Internet Storm Center discusses how offensive security professionals can utilize honeypot data to enhance their operations. The diary highlights the detection of scans from multiple IP addresses, emphasizing the importance of monitoring non-standard user-agent strings in web requests. https://isc.sans.edu/diary/Leveraging%20Honeypot%20Data%20for%20Offensive%20Security%20Operations%20%5BGuest%20Diary%5D/31596 Security Vulnerabilities in SimpleHelp 5.5.7 and Earlier SimpleHelp has released version 5.5.8 to address critical security vulnerabilities present in versions 5.5.7 and earlier. Users are strongly advised to upgrade to the latest version to prevent potential exploits. Detailed information and upgrade instructions are available on SimpleHelp's official website. https://simple-help.com/kb---security-vulnerabilities-01-2025#send-us-your-questions Under the Cloak of UEFI Secure Boot: Introducing CVE-2024-7344 ESET researchers have identified a new vulnerability, CVE-2024-7344, that allows attackers to bypass UEFI Secure Boot on most UEFI-based systems. This flaw enables the execution of untrusted code during system boot, potentially leading to the deployment of malicious UEFI bootkits. Affected users should apply available patches to mitigate this risk. https://www.welivesecurity.com/en/eset-research/under-cloak-uefi-secure-boot-introducing-cve-2024-7344/ keywords: uefi; simplehelp; honeypots

SANS ISC Stormcast, Jan 17, 2025: Analyzing Complex Datasets, Citrix Update Issues, Ivanti's Security Advisory, and the Future of Passkeys (@sans_edu) In this episode, we explore the efficient storage of honeypot logs in databases, issues with Citrix's Session Recording Agent and Windows Update. Ivanti is having another interesting security event and our SANS.edu graduate student Rich Green talks about his research on Passkeys. Extracting Practical Observations from Impractical Datasets: A SANS Internet Storm Center diary entry discusses strategies for analyzing complex datasets to derive actionable insights. https://isc.sans.edu/diary/Extracting%20Practical%20Observations%20from%20Impractical%20Datasets/31582 Citrix Session Recording Agent Update Issue: Citrix reports that Microsoft's January security update fails or reverts on machines with the 2411 Session Recording Agent installed, providing guidance on addressing this issue. https://support.citrix.com/s/article/CTX692505-microsofts-january-security-update-failsreverts-on-a-machine-with-2411-session-recording-agent?language=en_US Ivanti Endpoint Manager Security Advisory: Ivanti releases a security advisory for Endpoint Manager versions 2024 and 2022 SU6, detailing vulnerabilities and recommended actions. https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US Revolutionizing Enterprise Security: The Exciting Future of Passkeys Beyond Passwords: A SANS.edu research paper explores the shift from traditional passwords to passkeys, highlighting the benefits and challenges of adopting passwordless authentication methods. https://www.sans.edu/cyber-research/revolutionizing-enterprise-security-exciting-future-passkeys-beyond-passwords/ keywords: passkeys; citrix; ivanti; honeypot

SANS ISC Stormcast, Jan 16, 2025: Critical Vulnerabilities and Cybersecurity Updates You Need to Know Today's episode covers an odd 12 year old Netgear vulnerability that only received a proper CVE number last year. Learn about how to properly identify OpenID connect users and avoid domain name resue. Good old rsync turns out to be in need of patching and Fortinet: Not sure if it needs patching. Probably it does. Go ahead and patch it. The Curious Case of a 12-Year-Old Netgear Router Vulnerability Outdated Netgear routers remain a security risk, with attackers actively exploiting a 2013 vulnerability to deploy crypto miners. Learn how to protect your network by updating or replacing legacy hardware. URL: https://isc.sans.edu/diary/The%20Curious%20Case%20of%20a%2012-Year-Old%20Netgear%20Router%20Vulnerability/31592 Millions at Risk Due to Google's OAuth Flaw A flaw in Google's OAuth implementation enables attackers to exploit defunct domain accounts, exposing sensitive data. Tips on implementing MFA and domain monitoring to reduce risks. URL: https://trufflesecurity.com/blog/millions-at-risk-due-to-google-s-oauth-flaw Rsync 3.4.0 Security Release The latest rsync update fixes critical vulnerabilities, including buffer overflows and symbolic link issues. Upgrade immediately to protect your file synchronization processes. URL: https://download.samba.org/pub/rsync/NEWS#3.4.0 Fortinet PSIRT Advisories: Stay Secure Fortinet's latest advisories address vulnerabilities in FortiOS, FortiProxy, and more. Review and apply patches promptly to secure your perimeter defenses. URL: https://www.fortiguard.com/psirt keywords: fortinet; rsync; google; oauth; openid connect; netgear;

SANS ISC Stormcast, Jan 14 2025: Microsoft Patch Tuesday, FortiOS and FortiProxy Patches; Paessler PRTG Patches Today, Microsoft Patch Tuesday headlines our news with Microsoft patching 209 vulnerabilities, some of which have already been exploited. Fortinet suspects a so far unpatched Node.js authentication bypass to be behind some recent exploits of FortiOS and FortiProxy devices. Microsoft January 2025 Patch Tuesday This month's Microsoft patch update addresses a total of 209 vulnerabilities, including 12 classified as critical. Among these, 3 vulnerabilities have been actively exploited in the wild, and 5 have been disclosed prior to the patch release, marking them as zero-days. https://isc.sans.edu/diary/rss/31590 Fortinet Security Advisory FG-IR-24-535 CVE-2024-55591 An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module. https://fortiguard.fortinet.com/psirt/FG-IR-24-535 PRTG Network Monitor Update: Update for an already exploited XSS vulnerability in Paesler PRTG Network Monitor CVE-2024-12833 https://www.paessler.com/prtg/history/stable keywords: prtg; fortinet; network monitor; paessler; access; microsoft; patches

SANS ISC Stormcast, Jan 14, 2025: Brute-Forcing Hikvision Devices, macOS SIP Bypass, Linux Rootkits, Aviatrix Exploits, and AWS Ransomware Tactics Episode Summary: This episode covers brute-force attacks on the password reset functionality of Hikvision devices, a macOS SIP bypass vulnerability, Linux rootkit malware, and a novel ransomware campaign targeting AWS S3 buckets. Topics Covered: Hikvision Password Reset Brute Forcing URL: https://isc.sans.edu/diary/Hikvision%20Password%20Reset%20Brute%20Forcing/31586 Hikvision devices are being targeted using old brute-force attacks exploiting predictable password reset codes. Analyzing CVE-2024-44243: A macOS System Integrity Protection Bypass URL: https://www.microsoft.com/en-us/security/blog/2025/01/13/analyzing-cve-2024-44243-a-macos-system-integrity-protection-bypass-through-kernel-extensions/ Microsoft details a macOS vulnerability allowing attackers to bypass SIP using kernel extensions. Rootkit Malware Controls Linux Systems Remotely URL: https://cybersecuritynews.com/rootkit-malware-controls-linux-systems-remotely/ A sophisticated rootkit targeting Linux systems uses zero-day vulnerabilities for remote control. Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C URL: https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c Attackers are using AWS's SSE-C encryption to lock S3 buckets during ransomware campaigns. We cover how the attack works and how to protect your AWS environment. keywords: aws; sse-c; rootkit; malware; linux; macos; sip; hikvision; password reset

SANS ISC Stormcast, Jan 13, 2025: Defender Updates, Ivanti RCE, Apple USB-C Hack and more In today's episode, we cover the latest updates in cybersecurity: Windows Defender Enhances Chrome Extension Detection Microsoft's Defender now catalogs Chrome extensions to identify malicious ones. Learn how this improves enterprise security. https://isc.sans.edu/diary/Windows%20Defender%20Chrome%20Extension%20Detection/31574 Multi-OLE Analysis in Malicious Documents A look at how attackers embed OLE files in Office documents to evade detection and the tools to combat it. https://isc.sans.edu/diary/Multi-OLE/31580 Ivanti Connect Secure RCE Vulnerability (CVE-2025-0282) Details of a critical vulnerability affecting Ivanti products and the patching timelines. https://labs.watchtowr.com/exploitation-walkthrough-and-techniques-ivanti-connect-secure-rce-cve-2025-0282/ Apple USB-C Controller Compromised Researchers hacked Apple's ACE3 USB-C controller, highlighting hardware security challenges. https://cybersecuritynews.com/apples-new-usb-c-controller-hacked/ IRS Pushes for IP PIN Enrollment Protect yourself from tax-related identity theft by securing your IP PIN for the 2025 tax season. https://www.irs.gov/newsroom/irs-encourages-all-taxpayers-to-sign-up-for-an-ip-pin-for-the-2025-tax-season keywords: irs; ip; pin; apple; usb-c; ivanty; rce; ole; ooxml; extensions; chrome; defender

Cryptomining Malware, Fake PoC Exploit, Malicious Browser Extensions, and Palo Alto Vulnerabilities In this episode, we explore the following stories: "Examining Redtail: Analyzing a Sophisticated Cryptomining Malware and its Advanced Tactics" Overview of Redtail's multi-architecture cryptomining malware exploiting vulnerabilities and deploying persistence techniques. URL: Examining Redtail: Analyzing a Sophisticated Cryptomining Malware and its Advanced Tactics "Information Stealer Masquerades as LDAPNightmare PoC Exploit" A malware disguised as a PoC exploit targets users seeking to test vulnerabilities like LDAPNightmare. URL: Information Stealer Masquerades as LDAPNightmare PoC Exploit "How Extensions Trick CWS Search" Research reveals how malicious browser extensions manipulate Chrome Web Store search to appear legitimate. URL: How Extensions Trick CWS Search "Palo Alto Networks' Expedition Vulnerabilities (PAN-SA-2025-0001)" Multiple vulnerabilities in the deprecated Expedition tool can expose credentials and lead to unauthorized file and command execution. URL: Palo Alto Networks' Expedition Vulnerabilities (PAN-SA-2025-0001) keywords: palo alto; chrome web store; extensions; chrome; google; fake exploits; ldap; cryptomining; redtail

SANS ISC Stormcast, Jan 9, 2025: Critical Vulnerabilities in Ivanti, Aviatrix, and Hijacked Backdoors in Compromised Systems In this episode, we discuss critical vulnerabilities in Ivanti Connect Secure and Policy Secure, command injection risks in Aviatrix Network Controllers, and the risks posed by hijacked abandoned backdoors. Episode Links and Topics: More Governments Backdoors in Your Backdoors https://labs.watchtowr.com/more-governments-backdoors-in-your-backdoors/ Researchers reveal how expired domains linked to abandoned backdoors can be hijacked, exposing systems to further compromise. Security Update: Ivanti Connect Secure, Policy Secure, and Neurons for ZTA Gateways https://www.ivanti.com/blog/security-update-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways Ivanti addresses critical vulnerabilities (CVE-2025-0282, CVE-2025-0283) in their secure gateway products, with active exploitation in the wild. CVE-2024-50603: Aviatrix Network Controller Command Injection Vulnerability https://www.securing.pl/en/cve-2024-50603-aviatrix-network-controller-command-injection-vulnerability/ A command injection vulnerability in Aviatrix Network Controllers allows unauthenticated code execution, posing severe risks to network environments. keywords: aviatrix; ivanti; backdoors; domains; dumpster diving;

SANS ISC Stormcast, Jan 8, 2025: Critical Vulnerabilities in SonicWall, Moxa, and Windows BitLocker – Plus, Malware Targets PHP Servers and the Launch of U.S. Cyber Trust Mark In this episode, we dive into active exploitation of a zero-day in SonicWall SSL-VPN, privilege escalation vulnerabilities in Moxa devices, and a BitLocker bypass in Windows 11. We also cover cryptocurrency mining malware hitting PHP servers and the White House's launch of the U.S. Cyber Trust Mark to secure connected devices. Episode Links and Topics: PacketCrypt Classic Cryptocurrency Miner on PHP Servers https://isc.sans.edu/diary/PacketCrypt%20Classic%20Cryptocurrency%20Miner%20on%20PHP%20Servers/31564 Malware exploiting PHP servers to mine PacketCrypt Classic cryptocurrency. SonicOS Affected By Multiple Vulnerabilities https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0003 A zero-day vulnerability in SonicWall SSL-VPN devices is under active attack. Privilege Escalation and OS Command Injection Vulnerabilities in Moxa Devices https://www.moxa.com/en/support/product-support/security-advisory/mpsa-241155-privilege-escalation-and-os-command-injection-vulnerabilities-in-cellular-routers,-secure-routers,-and-netwo Critical vulnerabilities in Moxa routers and security appliances allow privilege escalation and OS command injection. White House Launches U.S. Cyber Trust Mark https://www.whitehouse.gov/briefing-room/statements-releases/2025/01/07/white-house-launches-u-s-cyber-trust-mark-providing-american-consumers-an-easy-label-to-see-if-connected-devices-are-cybersecure/ A new cybersecurity labeling program for connected devices aims to help consumers choose secure products. Windows BitLocker: Screwed without a Screwdriver https://media.ccc.de/v/38c3-windows-bitlocker-screwed-without-a-screwdriver#t=761 (video in English) A two-year-old vulnerability in Windows 11 allows bypassing BitLocker encryption. keywords: bitlocker; windows; cyber trust mark; moxa; sonicos; packetcrypt; php

SANS ISC Stormcast Jan 7th 2025: Make Malware Happy and Critical Vulnerabilities in OpenSSH, BeyondTrust, and Nuclei In this episode of the SANS Internet Storm Center's Stormcast, we cover critical vulnerabilities affecting OpenSSH, BeyondTrust, and Nuclei, including the newly discovered "RegreSSHion" flaw and a bypass vulnerability in Nuclei. We also discuss how malware evasion techniques can impact analysis environments and highlight the dangers of fake exploits targeting researchers. Tune in for insights on patching, mitigation strategies, and staying ahead of emerging threats. Topics Covered: Make Malware Happy https://isc.sans.edu/diary/Make%20Malware%20Happy/31560 A look at how malware adapts and detects analysis environments, and why replicating operational settings is critical during malware analysis. Nuclei Signature Verification Bypass (CVE-2024-43405) https://www.wiz.io/blog/nuclei-signature-verification-bypass A critical vulnerability in Nuclei allows malicious templates to bypass signature verification, risking arbitrary code execution. Critical Vulnerability in BeyondTrust (CVE-2024-12356) https://censys.com/cve-2024-12356/ A high-risk flaw in BeyondTrust products allows unauthenticated OS command execution, posing a significant threat to privileged access systems. RegreSSHion Code Execution Vulnerability (CVE-2024-6387) https://cybersecuritynews.com/regresshion-code-execution-vulnerability/ OpenSSH vulnerability "RegreSSHion" enables remote code execution, and fake exploits targeting security researchers are in circulation. keywords: openssh, regresshion, beyondtrust, nuclei, malware, evasion, rce

PPUnit and Androxgh0st; Session Smart Router Attack; FortiWLM Patch; BadBox Update; Beyond Trust Advisory PHPUnit and Androxgh0st https://isc.sans.edu/diary/Command%20Injection%20Exploit%20For%20PHPUnit%20before%204.8.28%20and%205.x%20before%205.6.3%20%5BGuest%20Diary%5D/31528 Mirai Attacks Session Smart Routers https://supportportal.juniper.net/s/article/2024-12-Reference-Advisory-Session-Smart-Router-Mirai-malware-found-on-systems-when-the-default-password-remains-unchanged?language=en_US FortiWLM Unauthenticated limited file read vulnerability https://fortiguard.fortinet.com/psirt/FG-IR-23-144 https://securityonline.info/kaspersky-uncovers-active-exploitation-of-fortinet-vulnerability-cve-2023-48788/ Beyond Trust Security Advisory https://www.beyondtrust.com/trust-center/security-advisories/bt24-10 BadBox Update https://www.bitsight.com/blog/badbox-botnet-back keywords: badbox; beyond trust; fortiwlm; fortinet; mirai; phpunit; androxgh0st

TeamTNT Deep Diver; Complex RDP Attacks; Okta Social Engineering; TP-Link Ban A Deep Dive into TeamTNT and Spinning YARN https://isc.sans.edu/diary/%5BGuest%20Diary%5D%20A%20Deep%20Dive%20into%20TeamTNT%20and%20Spinning%20YARN/31530 Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html Okta Social Engineering Impersonation Report https://sec.okta.com/articles/2024/okta-social-engineering-report-response-and-recommendation US considers banning TP-Link routers over cybersecurity risks https://www.bleepingcomputer.com/news/security/us-considers-banning-tp-link-routers-over-cybersecurity-risks/ CISA Releases Best Practice Guidance for Mobile Communications https://www.cisa.gov/news-events/alerts/2024/12/18/cisa-releases-best-practice-guidance-mobile-communications keywords: cisa; mobile; tp-link; okta; koshchei; rdp; teamtnt; yarn;

Python Installs Anydesk; Vishing, Teams and Anydesk; SS7 Attacks; CrushFTP Vuln; Python Delivering AnyDesk Client as RAT https://isc.sans.edu/diary/Python+Delivering+AnyDesk+Client+as+RAT/31524/ Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion https://www.trendmicro.com/en_us/research/24/l/darkgate-malware.html SS7 Attacks https://www.404media.co/email/ac709882-1e4b-42fc-bcca-cf7ce4793716/ CrushFTP Vulnerability https://crushftp.com/crush11wiki/Wiki.jsp?page=Update keywords: crushftp; ss7; vishing; teams; python; anydesk;

MUT-1244 Targeting Offensive Actors; Golang SSH Issue; Meeten Malware MUT-1244 Targeting Offensive Actors https://securitylabs.datadoghq.com/articles/mut-1244-targeting-offensive-actors/ Golang Crypto Vulnerability https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909 Meeten Malware: A Cross-Platform Threat to Crypto Wallets on macOS and Windows https://www.cadosecurity.com/blog/meeten-malware-threat keywords: meeten; malware; voip; video conference; golang; crypto; mut-1244;

Struts 2 Exploited; Citrix Password Spraying; 6 Day Certs; Certified Pre-Pw0n3d Exploit Attempts Inspired by Recent Struts 2 File Upload Vulnerability https://isc.sans.edu/diary/Exploit%20attempts%20inspired%20by%20recent%20Struts2%20File%20Upload%20Vulnerability%20%28CVE-2024-53677%2C%20CVE-2023-50164%29/31520 Citrix Netscaler Password Spraying Mitigation https://www.citrix.com/blogs/2024/12/13/password-spraying-attacks-netscaler-december-2024/ Let's Encrypt Six Day Certifiates https://letsencrypt.org/2024/12/11/eoy-letter-2024/ Devices in Germany Arrived Pre-Pw0n3d https://cybersecuritynews.com/30000-devices-in-germany-discovered-with-pre-installed-malware-badbox/ keywords: germany; badbox; lets encrypt; citrix;

Windows 11 and TPM; Azure MFA Bypass; Struts 2 Vuln; Secret Blizzard vs Ukraine Windows 11 and TPM https://techcommunity.microsoft.com/blog/windows-itpro-blog/tpm-2-0-%E2%80%93-a-necessity-for-a-secure-and-future-proof-windows-11/4339066 https://www.forbes.com/sites/zakdoffman/2024/12/12/microsoft-warns-400-million-windows-users-do-not-update-your-pc/ Microsoft Azure MFA Bypass https://www.oasis.security/resources/blog/oasis-security-research-team-discovers-microsoft-azure-mfa-bypass Struts 2 Arbitrary File Upload CVE-2024-53677 https://cwiki.apache.org/confluence/display/WW/S2-067 Russian actor Secret Blizzard using tools of other groups to attack Ukraine https://www.microsoft.com/en-us/security/blog/2024/12/11/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine/ keywords: secret blizzard; ukraine; struts; azure; mfa; windows 11; tpm

vSphere Scans; Apple Updates; Cleo Vuln; Vulnerability Symbiosis: vSphere's CVE-2024-38812 and CVE-2024-38813 https://isc.sans.edu/diary/Vulnerability%20Symbiosis%3A%20vSphere%3Fs%20CVE-2024-38812%20and%20CVE-2024-38813%20%5BGuest%20Diary%5D/31510 Apple Updates Everything (iOS, iPadOS, macOS, watchOS, tvOS, visionOS) https://isc.sans.edu/diary/Apple+Updates+Everything+iOS+iPadOS+macOS+watchOS+tvOS+visionOS/31514/ Widespread exploitation of Cleo file transfer software (CVE-2024-50623) https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild https://labs.watchtowr.com/cleo-cve-2024-50623/ keywords: cleo; apple; vsphere; vmware

MSFT Patch Tuesday; Ivanti Vuln; Visual Studio Code Tunnels; Mitigating NTLM Relay Attacks Microsoft Patch Tuesday December 2024 https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%3A%20December%202024/31508 Ivanty Security Advisory https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Services-Application-CSA-CVE-2024-11639-CVE-2024-11772-CVE-2024-11773?language=en_US Visual Studio Code Tunnels https://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/ Mitigating NTLM Relay Attacks https://msrc.microsoft.com/blog/2024/12/mitigating-ntlm-relay-attacks-by-default/ keywords: ntlm; ivanti; visual studio code; microsoft; patch; tuesday

CURLing DDoS; OpenWRT Vuln; Android Update; RCS Not Always Encrypted CURLing for Crypto on Honeypots https://isc.sans.edu/diary/CURLing%20for%20Crypto%20on%20Honeypots/31502 Compromising OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection https://flatt.tech/research/posts/compromising-openwrt-supply-chain-sha256-collision/ Android Monthly Update https://source.android.com/docs/security/bulletin/pixel/2024-12-01 RCS Not Always Encrypted https://daringfireball.net/linked/2024/12/04/shame-on-google-messages keywords: rcs; android; openwrt; curl; ddos; crypto

Version Cookies; URL File NTLM Leak; Ultralytics Miner; DaMAgeCard Bypassing WAFs with the Phantom Version Cookie https://portswigger.net/research/bypassing-wafs-with-the-phantom-version-cookie URL File NTLM Hash Disclosure https://blog.0patch.com/2024/12/url-file-ntlm-hash-disclosure.html Ultralytics Library Infected with Miner https://github.com/ultralytics/ultralytics/issues/18027#issuecomment-2521578169 DaMAgeCard attack targets memory directly thru SD card reader https://swarm.ptsecurity.com/new-dog-old-tricks-damagecard-attack-targets-memory-directly-thru-sd-card-reader/ keywords: damagecard; ultralytics; miner; ntml; url file; waf; version; cookie

BEC Step by Step; Mital MiCollab PoC; Lorex Camera, HPE Aruba Vuln; Business E-Mail Compromise https://isc.sans.edu/diary/%5BGuest%20Diary%5D%20Business%20Email%20Compromise/31474 Where There's Smoke, There's Fire - Mitel MiCollab CVE-2024-35286, CVE-2024-41713 And An 0day https://labs.watchtowr.com/where-theres-smoke-theres-fire-mitel-micollab-cve-2024-35286-cve-2024-41713-and-an-0day/ https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2024-0029 Lorex 2K Indoor Wi-Fi Security Camera https://www.rapid7.com/globalassets/_pdfs/research/pwn2own-iot-2024-lorex-2k-indoor-wi-fi-security-camera-research.pdf https://www.lorex.com/products/2k-indoor-wi-fi-security-camera HPE Aruba Vulnerabilities https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04761en_us&docLocale=en_US Alan Paller Inducted into the Cybersecurity Hall of Fame https://cybersecurityhalloffame.org/ keywords: alan paller; lorex; hp; aruba; hpe; mitel; micollab; bec

Importance of Data Analysis; Stop using SMS; Identity IQ vuln; Solana web3.js Backdoor Data Analysis: The Unsung Hero of Cybersecurity Expertise https://isc.sans.edu/diary/Data%20Analysis%3A%20The%20Unsung%20Hero%20of%20Cybersecurity%20Expertise%20%5BGuest%20Diary%5D/31494 FBI Warns iPhone and Android Users Stop Sending Texts https://www.forbes.com/sites/zakdoffman/2024/12/03/fbi-warns-iphone-and-android-users-stop-sending-texts/ IdentityIQ Improper Access Control Vulnerability – CVE-2024-10905 https://www.sailpoint.com/security-advisories/identityiq-improper-access-control-vulnerability-cve-2024-10905 Solana web3.js Backdoor https://socket.dev/blog/supply-chain-attack-solana-web3-js-library keywords: data analysis; fbi; sms; rcs; identityiq; solana; web3.js; encryption; backdoor