• SANS Stormcast Wednesday, August 27th, 2025: Analyzing IDNs; Netscaler 0-Day Vuln; Git Vuln Exploited;
    Aug 27 2025

    Getting a Better Handle on International Domain Names and Punycode
    International Domain names can be used for phishing and other attacks. One way to identify suspect names is to look for mixed script use.
    https://isc.sans.edu/diary/Getting%20a%20Better%20Handle%20on%20International%20Domain%20Names%20and%20Punycode/32234
    Citrix Netscaler Vulnerabilities CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424
    Citrix patched three vulnerabilities in Netscaler. One is already being exploited.
    https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938&articleTitle=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2025_7775_CVE_2025_7776_and_CVE_2025_8424
    git vulnerability exploited (CVE-2025-48384)
    A git vulnerability patched in early July is now being exploited.
    https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9
    6 mins
  • SANS Stormcast Tuesday, August 26th, 2025: Decoding Word Reading Location; Image Downscaling AI Vulnerability; IBM Jazz Team Server Vuln
    Aug 26 2025

    Reading Location Position Value in Microsoft Word Documents
    Jessy investigated how Word documents store the last visited document location in the registry.
    https://isc.sans.edu/diary/Reading%20Location%20Position%20Value%20in%20Microsoft%20Word%20Documents/32224
    Weaponizing image scaling against production AI systems
    AI systems often downscale images before processing them. An attacker can create a harmless-looking image that reveals text only after downscaling, leading to prompt injection.
    https://blog.trailofbits.com/2025/08/21/weaponizing-image-scaling-against-production-ai-systems/
    IBM Jazz Team Server Vulnerability CVE-2025-36157
    IBM patched a critical vulnerability in its Jazz Team Server.
    https://www.ibm.com/support/pages/node/7242925
    5 mins
  • SANS Stormcast Monday, August 25th, 2025: IP Cleanup; Linux Desktop Attacks; Malicious Go SSH Brute Forcer; Onmicrosoft Domain Restrictions
    Aug 25 2025

    The end of an era: Properly formatted IP addresses in all of our data.
    When DShield was initially designed, addresses were zero padded, an unfortunate choice. As of this week, data feeds should no longer be zero padded.
    https://isc.sans.edu/diary/The%20end%20of%20an%20era%3A%20Properly%20formated%20IP%20addresses%20in%20all%20of%20our%20data./32228
    .desktop files used in an attack against Linux Desktops
    Pakistani attackers are using .desktop files to target Indian Linux desktops.
    https://www.cyfirma.com/research/apt36-targets-indian-boss-linux-systems-with-weaponized-autostart-files/
    Malicious Go Module Disguised as SSH Brute Forcer Exfiltrates Credentials via Telegram
    A Go module advertising its ability to quickly brute force passwords against random IP addresses has been used to exfiltrate credentials from the person running the module.
    https://socket.dev/blog/malicious-go-module-disguised-as-ssh-brute-forcer-exfiltrates-credentials
    Limiting Onmicrosoft Domain Usage for Sending Emails
    Microsoft is limiting how many emails can be sent by Microsoft 365 users using the onmicrosoft.com domain.
    https://techcommunity.microsoft.com/blog/exchange/limiting-onmicrosoft-domain-usage-for-sending-emails/4446167
    6 mins
  • SANS Stormcast Friday, August 22nd, 2025: The -n switch; Commvault Exploit; Docker Desktop Escape Vuln;
    Aug 22 2025

    Don't Forget The "-n" Command Line Switch
    Disabling reverse DNS lookups for IP addresses is important not just for performance, but also for opsec. Xavier explains some of the risks.
    https://isc.sans.edu/diary/Don%27t%20Forget%20The%20%22-n%22%20Command%20Line%20Switch/32220
    watchTowr releases details about recent Commvault flaws
    Users of the Commvault enterprise backup solution must patch now after watchTowr released details about recent vulnerabilities.
    https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/?123
    Docker Desktop Vulnerability CVE-2025-9074
    A vulnerability in Docker Desktop allows attackers to escape from containers to attack the host.
    https://docs.docker.com/desktop/release-notes/#4443
    7 mins
  • SANS Stormcast Thursday, August 21st, 2025: Airtel Scans; Apple Patch; Microsoft Copilot Audit Log Issue; Password Manager Clickjacking
    Aug 21 2025

    Airtel Router Scans and Mislabeled Usernames
    A quick summary of some odd usernames that show up in our honeypot logs.
    https://isc.sans.edu/diary/Airtel%20Router%20Scans%2C%20and%20Mislabeled%20usernames/32216
    Apple Patches 0-Day CVE-2025-43300
    Apple released an update for iOS, iPadOS and macOS today patching a single, already exploited, vulnerability in ImageIO.
    https://support.apple.com/en-us/124925
    Microsoft Copilot Audit Logs
    A user retrieving data via Copilot obscures the fact that the user may have had access to data in a specific file.
    https://pistachioapp.com/blog/copilot-broke-your-audit-log
    Password Managers Susceptible to Clickjacking
    Many password managers are susceptible to clickjacking, and only a few have fixed the problem so far.
    https://marektoth.com/blog/dom-based-extension-clickjacking/
    7 mins
  • SANS Stormcast Wednesday, August 20th, 2025: Increased Elasticsearch Scans; MSFT Patch Issues
    Aug 20 2025

    Increased Elasticsearch Recognizance Scans
    Our honeypots noted an increase in reconnaissance scans for Elasticsearch. In particular, the endpoint /_cluster/settings is hit hard.
    https://isc.sans.edu/diary/Increased%20Elasticsearch%20Recognizance%20Scans/32212
    Microsoft Patch Tuesday Issues
    Microsoft noted some issues deploying the most recent patches with WSUS. There are also issues with certain SSDs if larger files are transferred.
    https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-24h2#3635msgdesc
    https://www.tomshardware.com/pc-components/ssds/latest-windows-11-security-patch-might-be-breaking-ssds-under-heavy-workloads-users-report-disappearing-drives-following-file-transfers-including-some-that-cannot-be-recovered-after-a-reboot
    SAP Vulnerabilities Exploited CVE-2025-31324, CVE-2025-42999
    Details explaining how to take advantage of two SAP vulnerabilities were made public.
    https://onapsis.com/blog/new-exploit-for-cve-2025-31324/
    6 mins
  • SANS Stormcast Tuesday, August 19th, 2025: MFA Bombing; Cisco Firewall Management Vuln; F5 Access for Android Vuln;
    Aug 19 2025

    Keeping an Eye on MFA Bombing Attacks
    Attackers will attempt to exploit authentication fatigue by bombing users with MFA authentication requests. In this diary, Rob explains how to investigate these attacks in a Microsoft ecosystem.
    https://isc.sans.edu/diary/Keeping+an+Eye+on+MFABombing+Attacks/32208
    Critical Cisco Secure Firewall Management Center Software RADIUS Remote Code Execution Vulnerability
    An OS command injection vulnerability may be abused to gain access to the Cisco Secure Firewall Management Center software.
    https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-radius-rce-TNBKf79
    F5 Access for Android vulnerability
    An attacker with a network position that allows them to intercept network traffic may be able to read and/or modify data in transit. The attacker would need to intercept vulnerable clients specifically, since other clients would detect the man-in-the-middle (MITM) attack.
    https://my.f5.com/manage/s/article/K000152049
    5 mins