Sans Internet Storm Center Daily Network/cyber Security And Information Security Podcast

Don't Forget The "-n" Command Line Switch Disabling reverse DNS lookups for IP addresses is important not just for performance, but also for opsec. Xavier is explaining some of the risks. https://isc.sans.edu/diary/Don%27t%20Forget%20The%20%22-n%22%20Command%20Line%20Switch/32220 watchTowr releases details about recent Commvault flaws Users of the Commvault enterprise backup solution must patch now after watchTowr released details about recent vulnerabilities https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/?123 Docker Desktop Vulnerability CVE-2025-9074 A vulnerability in Docker Desktop allows attackers to escape from containers to attack the host. https://docs.docker.com/desktop/release-notes/#4443

Airtel Router Scans and Mislabeled Usernames A quick summary of some odd usernames that show up in our honeypot logs https://isc.sans.edu/diary/Airtel%20Router%20Scans%2C%20and%20Mislabeled%20usernames/32216 Apple Patches 0-Day CVE-2025-43300 Apple released an update for iOS, iPadOS and MacOS today patching a single, already exploited, vulnerability in ImageIO. https://support.apple.com/en-us/124925 Microsoft Copilot Audit Logs A user retrieving data via copilot obscures the fact that the user may have had access to data in a specific file https://pistachioapp.com/blog/copilot-broke-your-audit-log Password Managers Susceptible to Clickjacking Many password managers are susceptible to clickjacking, and only few have fixed the problem so far https://marektoth.com/blog/dom-based-extension-clickjacking/

Increased Elasticsearch Recognizance Scans Our honeypots noted an increase in reconnaissance scans for Elasticsearch. In particular, the endpoint /_cluster/settings is hit hard. https://isc.sans.edu/diary/Increased%20Elasticsearch%20Recognizance%20Scans/32212 Microsoft Patch Tuesday Issues Microsoft noted some issues deploying the most recent patches with WSUS. There are also issues with certain SSDs if larger files are transferred. https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-24h2#3635msgdesc https://www.tomshardware.com/pc-components/ssds/latest-windows-11-security-patch-might-be-breaking-ssds-under-heavy-workloads-users-report-disappearing-drives-following-file-transfers-including-some-that-cannot-be-recovered-after-a-reboot SAP Vulnerabilities Exploited CVE-2025-31324, CVE-2025-42999 Details explaining how to take advantage of two SAP vulnerabilities were made public https://onapsis.com/blog/new-exploit-for-cve-2025-31324/

Keeping an Eye on MFA Bombing Attacks Attackers will attempt to use authentication fatigue by bombing users with MFA authentication requests. Rob is talking in this diary about how to investigate these attacks in a Microsoft ecosystem. https://isc.sans.edu/diary/Keeping+an+Eye+on+MFABombing+Attacks/32208 Critical Cisco Secure Firewall Management Center Software RADIUS Remote Code Execution Vulnerability An OS command injection vulnerability may be abused to gain access to the Cisco Secure Firewall Management Center software. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-radius-rce-TNBKf79 F5 Access for Android vulnerability An attacker with a network position that allows them to intercept network traffic may be able to read and/or modify data in transit. The attacker would need to intercept vulnerable clients specifically, since other clients would detect the man-in-the-middle (MITM) attack. https://my.f5.com/manage/s/article/K000152049

SNI5GECT: Sniffing and Injecting 5G Traffic Without Rogue Base Stations Researchers from the Singapore University of Technology and Design released a new framework, SNI5GECT, to passively sniff and inject traffic into 5G data streams, leading to DoS, downgrade and other attacks. https://isc.sans.edu/diary/SNI5GECT%3A%20Sniffing%20and%20Injecting%205G%20Traffic%20Without%20Rogue%20Base%20Stations/32202 Plex Vulnerability Plex patched a vulnerability in the Plex Media Server. Make sure you have updated to at least 1.42.1. https://forums.plex.tv/t/plex-media-server-security-update/928341 FortiWeb Exploit Public A security researcher published details about the recent FortiWeb vulnerability, including demonstrating a PoC exploit. https://www.bleepingcomputer.com/news/security/researcher-to-release-exploit-for-full-auth-bypass-on-fortiweb/ Flowise OS vulnerability https://research.jfrog.com/vulnerabilities/flowise-os-command-remote-code-execution-jfsa-2025-001380578/

AI and Faster Attack Analysis A few use cases for LLMs to speed up analysis https://isc.sans.edu/diary/AI%20and%20Faster%20Attack%20Analysis%20%5BGuest%20Diary%5D/32198 Proxyware Malware Being Distributed on YouTube Video Download Site Popular YouTube download sites will attempt to infect users with proxyware. https://asec.ahnlab.com/en/89574/ Xerox Freeflow Core Vulnerability Horizon3.ai discovered XXE Injection (CVE-2025-8355) and Path Traversal (CVE-2025-8356) vulnerabilities in Xerox FreeFlow Core, a print orchestration platform. These vulnerabilities are easily exploitable and enable unauthenticated remote attackers to achieve remote code execution on vulnerable FreeFlow Core instances. https://horizon3.ai/attack-research/attack-blogs/from-support-ticket-to-zero-day/ SANS.edu Research: Darren Carstensen Evaluating Zero Trust Network Access: A Framework for Comparative Security Testing Not all Zero Trust Network Access (ZTNA) solutions are created equal, and despite bold marketing claims, many fall shor

CVE-2017-11882 Will Never Die The (very) old equation editor vulnerability is still being exploited, as this recent sample analyzed by Xavier shows. The payload of the Excel file attempts to download and execute an infostealer to exfiltrate passwords via email. https://isc.sans.edu/diary/CVE-2017-11882%20Will%20Never%20Die/32196 Windows Kerberos Elevation of Privilege Vulnerability Yesterday, Microsoft released a patch for a vulnerability that had already been made public. This vulnerability refers to the privilege escalation taking advantage of a path traversal issue in Windows Kerberos affecting Exchange Server in hybrid mode. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53779 Persistent Risk: XZ Utils Backdoor Still Lurking in Docker Images Some old Debian Docker images containing the xz-utils backdoor are still available for download from Docker Hub via the official Debian account. https://www.binarly.io/blog/persistent-risk-xz-utils-backdoor-still-lurking-in-docker-images FortiSIEM / F

Microsoft Patch Tuesday https://isc.sans.edu/diary/Microsoft%20August%202025%20Patch%20Tuesday/32192 https://cymulate.com/blog/zero-click-one-ntlm-microsoft-security-patch-bypass-cve-2025-50154/ libarchive Vulnerability A libarchive vulnerability patched in June was upgraded from a low CVSS score to a critical one. Libarchive is used by compression software across various operating systems, making this a difficult vulnerability to patch https://www.freebsd.org/security/advisories/FreeBSD-SA-25:07.libarchive.asc Adobe Patches Adobe released patches for 13 different products. https://helpx.adobe.com/security/Home.html

Erlang OTP SSH Exploits A recently patched and easily exploited vulnerability in Erlang/OTP SSH is being exploited. Palo Alto collected some of the details about this exploit activity that they observed. https://unit42.paloaltonetworks.com/erlang-otp-cve-2025-32433/ WinRAR Exploited WinRAR vulnerabilities are actively being exploited by a number of threat actors. The vulnerability allows for the creation of arbitrary files as the archive is extracted. https://thehackernews.com/2025/08/winrar-zero-day-under-active.html Citrix Netscaler Exploit Updates The Dutch Center for Cyber Security is updating its guidance on recent Citrix Netscaler attacks. Note that the attacks started before a patch became available, and attackers are actively hiding their tracks to make it more difficult to detect a compromise. https://www.ncsc.nl/actueel/nieuws/2025/07/22/casus-citrix-kwetsbaarheid https://www.bleepingcomputer.com/news/security/netherlands-citrix-netscaler-flaw-cve-2025-6543-exploited-to-breach-orgs/ OpenSSH Post Qu

Google Paid Ads for Fake Tesla Websites Someone is setting up fake Tesla lookalike websites that attempt to collect credit card data from unsuspecting users trying to preorder Tesla products. https://isc.sans.edu/diary/Google%20Paid%20Ads%20for%20Fake%20Tesla%20Websites/32186 Compromising USB Devices for Persistent Stealthy Access USB devices, like Linux-based web cams, can be compromised to emulate malicious USB devices like keyboards that inject malicious commands. https://eclypsium.com/blog/badcam-now-weaponizing-linux-webcams/ Win-DoS Epidemic: A crash course in abusing RPC for Win-DoS & Win-DDoS Internet-exposed DCs can be used in very powerful DoS attacks. https://defcon.org/html/defcon-33/dc-33-speakers.html#content_60389

Mass Internet Scanning from ASN 43350 Our undergraduate intern Duncan Woosley wrote up aggressive scans from ASN 43350 https://isc.sans.edu/diary/Mass+Internet+Scanning+from+ASN+43350+Guest+Diary/32180/#comments HTTP/1.1 Desync Attacks Portswigger released details about new types of HTTP/1.1 desync attacks it uncovered. These attacks are particularly critical for organizations using middleboxes to translate from HTTP/2 to HTTP/1.1 https://portswigger.net/research/http1-must-die Microsoft Warns of Exchange Server Vulnerability An attacker with admin access to an Exchange Server in a hybrid configuration can use this vulnerability to gain full domain access. The issue is mitigated by an April hotfix, but was not noted in the release of the April Hotfix. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53786 Sonicwall Update Sonicwall no longer believes that a new vulnerability was used in recent compromises https://www.sonicwall.com/support/notices/gen-7-and-newer-sonicwall-firewalls-sslvpn-recen

Do Sextortion Scams Still Work in 2025? Jan looked at recent sextortion emails to check if any of the crypto addresses in these emails received deposits. Sadly, some did, so these scams still work. https://isc.sans.edu/diary/Do%20sextortion%20scams%20still%20work%20in%202025%3F/32178 Akira Ransomware Group s use of Drivers Guidepoint Security observed the Akira ransomware group using specific legitimate drivers for privilege escalation https://www.guidepointsecurity.com/blog/gritrep-akira-sonicwall/ Adobe Patches Critical Experience Manager Vulnerability Adobe released emergency patches for a vulnerability in Adobe Experience Manager after a PoC exploit was made public. https://slcyber.io/assetnote-security-research-center/struts-devmode-in-2025-critical-pre-auth-vulnerabilities-in-adobe-experience-manager-forms/ https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html Trend Micro Apex One Vulnerability Trend Micro released an emergency patch for an actively exploited pre-authentication remote code

Stealing Machinekeys for fun and profit (or riding the SharePoint wave) Bojan explains in detail how .NET uses Machine Keys to protect the VIEWSTATE, and how to abuse the VIEWSTATE for code execution if the Machine Keys are lost. https://isc.sans.edu/diary/Stealing%20Machine%20Keys%20for%20fun%20and%20profit%20%28or%20riding%20the%20SharePoint%20wave%29/32174 Perplexity is using stealth, undeclared crawlers to evade website no-crawl directives Perplexity will change its User Agent, or use different originating IP addresses, if it detects being blocked from scanning websites https://blog.cloudflare.com/perplexity-is-using-stealth-undeclared-crawlers-to-evade-website-no-crawl-directives/ Gen 7 SonicWall Firewalls SSLVPN Recent Threat Activity Over the past 72 hours, there has been a notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSLVPN is enabled. https://www.sonicwall.com/support/notices/gen-7-sonicwall-firewalls-sslvpn-recent-threat-ac

Daily Trends Report A new trends report will bring you daily data highlights via e-mail. https://isc.sans.edu/diary/New%20Feature%3A%20Daily%20Trends%20Report/32170 NVidia Triton RCE Wiz found an interesting information leakage vulnerability in NVidia s Triton servers that can be leveraged to remote code execution. https://www.wiz.io/blog/nvidia-triton-cve-2025-23319-vuln-chain-to-ai-server Cursor AI MCP Vulnerability An attacker could abuse negligent Cursor MCP configurations to implement backdoors into developer machines. https://www.aim.security/lp/aim-labs-curxecute-blogpost

Scans for pop3user with guessable password A particular IP assigned to a network that calls itself Unmanaged has been scanning telnet/ssh for a user called pop3user with passwords pop3user or 123456 . I assume they are looking for legacy systems that either currently run pop3 or ran pop3 in the past, and left the user enabled. https://isc.sans.edu/diary/Legacy%20May%20Kill/32166 Possible Sonicwall SSL VPN 0-Day Arcticwolf observed compromised Sonicwall SSL VPN devices used by the Akira group to install ransomware. These devices were fully patched, and credentials were recently rotated. https://arcticwolf.com/resources/blog/arctic-wolf-observes-july-2025-uptick-in-akira-ransomware-activity-targeting-sonicwall-ssl-vpn/ PAM Based Linux Backdoor For over a year, attackers have used a PAM-based Linux backdoor that so far has gotten little attention from anti-malware vendors. PAM-based backdoors can be stealthy, and this one in particular includes various anti-forensics tricks. https://www.nextron-systems.

Scattered Spider Related Domain Names A quick demo of our domain feeds and how they can be used to find Scattered Spider related domains https://isc.sans.edu/diary/Scattered+Spider+Related+Domain+Names/32162 Excel External Workbook Links to Blocked File Types Will Be Disabled by Default Excel will discontinue allowing links to dangerous file types starting as early as October. https://support.microsoft.com/en-us/topic/external-workbook-links-to-blocked-file-types-will-be-disabled-by-default-6dd12903-0592-463d-9e68-0741cf62ee58 CISA Releases Thorium CISA announced that it released its malware analysis platform, Thorium, as open-source software. https://www.cisa.gov/news-events/alerts/2025/07/31/thorium-platform-public-availability

Securing Firebase: Lessons Re-Learned from the Tea Breach Inspried by the breach of the Tea app, Brendon Evans recorded a video to inform of Firebase security issues https://isc.sans.edu/diary/Securing%20Firebase%3A%20Lessons%20Re-Learned%20from%20the%20Tea%20Breach/32158 WebKit Vulnerability Exploited before Apple Patch A WebKit vulnerablity patched by Apple yesterday has already been exploited in Google Chrome. Google noted the exploit with its patch for the same vulnerability in Chrome. https://nvd.nist.gov/vuln/detail/CVE-2025-6558 Scattered Spider Update CISA released an update for its report on Scattered Spider, noting that the group also calls helpdesks impersonating users, not just the other way around. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a

Apple Updates Everything: July 2025 Edition Apple released updates for all of its operating systems patching 89 different vulnerabilities. Many vulnerabilities apply to multiple operating systems. https://isc.sans.edu/diary/Apple%20Updates%20Everything%3A%20July%202025/32154 Python Triage A quick python script by Xavier to efficiently search through files, even compressed once, for indicators of compromise. https://isc.sans.edu/diary/Triage+is+Key+Python+to+the+Rescue/32152/ PaperCut Attacks CISA added a 2024 Papercut vulnerability to the known exploited vulnerability list. https://www.cisa.gov/news-events/alerts/2025/07/28/cisa-adds-three-known-exploited-vulnerabilities-catalog

Parasitic SharePoint Exploits We are seeing attacks against SharePoint itself and attempts to exploit backdoors left behind by attackers. https://isc.sans.edu/diary/Parasitic%20Sharepoint%20Exploits/32148 Cisco ISE Vulnerability Exploited A recently patched vulnerability in Cisco ISE is now being exploited. The Zero Day Initiative has released a blog detailing the exploit chain to obtain code execution as an unauthenticated user. https://www.zerodayinitiative.com/blog/2025/7/24/cve-2025-20281-cisco-ise-api-unauthenticated-remote-code-execution-vulnerability MyAsus Vulnerablity The MyAsus tool does not store its access tokens correctly, potentially providing an attacker with access to sensitive functions https://www.asus.com/content/security-advisory/

Linux Namespaces Linux namespaces can be used to control networking features on a process-by-process basis. This is useful when trying to present a different network environment to a process being analysed. https://isc.sans.edu/diary/Sinkholing%20Suspicious%20Scripts%20or%20Executables%20on%20Linux/32144 Coyote in the Wild: First-Ever Malware That Abuses UI Automation Akamai identified malware that takes advantage of Microsoft s UI Automation Framework to programatically interact with the user s system and steal credentials. https://www.akamai.com/blog/security-research/active-exploitation-coyote-malware-first-ui-automation-abuse-in-the-wild Testing REST APIs with Autoswagger The tool Autoswagger can be used to automate the testing of REST APIs following the OpenAPI/Swagger standard. https://github.com/intruder-io/autoswagger/