Avsnitt
-
In today's episode, learn how an attacker attempted to exploit webmail XSS vulnerablities against us. Sonicwall released a critical patch fixing an already exploited vulnerability in its SMA 1000 appliance. Cisco fixed vulnerabilities in ClamAV and its Meeting Manager REST API. Learn from SANS.edu student Anthony Russo how to take advantage of AI for SOAR.
XSS Attempts via E-Mail
https://isc.sans.edu/diary/XSS%20Attempts%20via%20E-Mail/31620
An analysis of a recent surge in email-based XSS attack attempts targeting users and organizations. Learn the implications and mitigation techniques.
SonicWall PSIRT Advisory: CVE-2025-23006
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0002 CVE-2025-23006
Details of a critical vulnerability in SonicWall appliances (SNWLID-2025-0002) and what you need to do to secure your systems.
Cisco ClamAV Advisory: OLE2 Parsing Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-ole2-H549rphA
A DoS vulnerability in the popular open source anti virus engine ClamAV
Cisco CMM Privilege Escalation Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmm-privesc-uy2Vf8pc
A patch of a privilege escalation flaw in Cisco s CMM module. -
In today's episode, we start by talking about the PFSYNC protocol used to synchronize firewall states to support failover. Oracle released it's quarterly critical patch update. ESET is reporting about a critical VPN supply chain attack and CISA released guidance for victims of recent Ivanti related attacks.
Catching CARP: Fishing for Firewall States in PFSync Traffic
https://isc.sans.edu/diary/Catching%20CARP%3A%20Fishing%20for%20Firewall%20Stat%20es%20in%20PFSync%20Traffic/31616)**
Discover how attackers exploit PFSync traffic to manipulate firewall states. This deep dive explores vulnerabilities and mitigation strategies in network defense.
Oracle Critical Patch Update January 2025
https://www.oracle.com/security-alerts/cpujan2025.html)**
Oracle's January 2025 patch release addresses numerous critical vulnerabilities across their product suite. Learn about key updates and how to secure your systems.
PlushDaemon: Compromising the Supply Chain of a Korean VPN Service
https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-supply-chain-korean-vpn-service/
ESET Research uncovers PlushDaemon, a sophisticated supply chain attack targeting a Korean VPN provider. Understand the implications for supply chain security.
CISA Cybersecurity Advisory: AA25-022A
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-022a
The latest advisory highlights active threats and mitigation strategies for critical infrastructure. Stay ahead with CISA s guidance on emerging cyber risks. -
Saknas det avsnitt?
-
This episodes covers how Starlink users can be geolocated and how Cloudflare may help deanonymize users. The increased use of AI helpers leads to leaking data via careless prompts.
Geolocation and Starlink
https://isc.sans.edu/diary/Geolocation%20and%20Starlink/31612
Discover the potential geolocation risks associated with Starlink and how they might be exploited. This diary entry dives into new concerns for satellite internet users.
Deanonymizing Users via Cloudflare
https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117
Deanonymizing users by identifying which cloudflare server cashed particular content
Sage's AI Assistant and Customer Data Concerns
https://www.theregister.com/2025/01/20/sage_copilot_data_issue/
Examine how a Sage AI tool inadvertently exposed sensitive customer data, raising questions about AI governance and trust in business applications.
The Threat of Sensitive Data in Generative AI Prompts
https://www.darkreading.com/threat-intelligence/employees-sensitive-data-genai-prompts
Analyze how employees careless prompts to generative AI tools can lead to sensitive data breaches and the importance of awareness training.
Homebrew Phishing
https://x.com/ryanchenkie/status/1880730173634699393 -
In this episode, we talk about downloading and analyzing partial ZIP files, how legitimate remote access tools are used in recent compromises and how a research found an SSRF vulnerability in Azure DevOps
Partial ZIP File Downloads
A closer look at how attackers are leveraging partial ZIP file downloads to bypass file verification systems and plant malicious content.
https://isc.sans.edu/diary/Partial%20ZIP%20File%20Downloads/31608
Ukrainian CERT Advisory on AnyDesk Threat
The Ukrainian CERT provides detailed guidance on identifying and mitigating recent cyber threats exploiting AnyDesk for unauthorized access.
https://cert.gov.ua/article/6282069
Finding SSRFs in Azure DevOps
An in-depth analysis of how server-side request forgery (SSRF) vulnerabilities are discovered and exploited in Azure DevOps pipelines.
https://binarysecurity.no/posts/2025/01/finding-ssrfs-in-devops -
In this episode, we cover how to use honeypot data to keep your offensive infrastructure alive longer, three critical vulnerabilities in SimpleHelp that must be patched now, and an interesting vulnerability affecting many systems allowing UEFI Secure Boot bypass.
Leveraging Honeypot Data for Offensive Security Operations [Guest Diary] A recent guest diary on the SANS Internet Storm Center discusses how offensive security professionals can utilize honeypot data to enhance their operations. The diary highlights the detection of scans from multiple IP addresses, emphasizing the importance of monitoring non-standard user-agent strings in web requests.
https://isc.sans.edu/diary/Leveraging%20Honeypot%20Data%20for%20Offensive%20Security%20Operations%20%5BGuest%20Diary%5D/31596
Security Vulnerabilities in SimpleHelp 5.5.7 and Earlier SimpleHelp has released version 5.5.8 to address critical security vulnerabilities present in versions 5.5.7 and earlier. Users are strongly advised to upgrade to the latest version to prevent potential exploits. Detailed information and upgrade instructions are available on SimpleHelp's official website.
https://simple-help.com/kb---security-vulnerabilities-01-2025#send-us-your-questions
Under the Cloak of UEFI Secure Boot: Introducing CVE-2024-7344 ESET researchers have identified a new vulnerability, CVE-2024-7344, that allows attackers to bypass UEFI Secure Boot on most UEFI-based systems. This flaw enables the execution of untrusted code during system boot, potentially leading to the deployment of malicious UEFI bootkits. Affected users should apply available patches to mitigate this risk.
https://www.welivesecurity.com/en/eset-research/under-cloak-uefi-secure-boot-introducing-cve-2024-7344/ -
In this episode, we explore the efficient storage of honeypot logs in databases, issues with Citrix's Session Recording Agent and Windows Update. Ivanti is having another interesting security event and our SANS.edu graduate student Rich Green talks about his research on Passkeys.
Extracting Practical Observations from Impractical Datasets: A SANS Internet Storm Center diary entry discusses strategies for analyzing complex datasets to derive actionable insights.
https://isc.sans.edu/diary/Extracting%20Practical%20Observations%20from%20Impractical%20Datasets/31582
Citrix Session Recording Agent Update Issue: Citrix reports that Microsoft's January security update fails or reverts on machines with the 2411 Session Recording Agent installed, providing guidance on addressing this issue.
https://support.citrix.com/s/article/CTX692505-microsofts-january-security-update-failsreverts-on-a-machine-with-2411-session-recording-agent?language=en_US
Ivanti Endpoint Manager Security Advisory: Ivanti releases a security advisory for Endpoint Manager versions 2024 and 2022 SU6, detailing vulnerabilities and recommended actions.
https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US
Revolutionizing Enterprise Security: The Exciting Future of Passkeys Beyond Passwords: A SANS.edu research paper explores the shift from traditional passwords to passkeys, highlighting the benefits and challenges of adopting passwordless authentication methods.
https://www.sans.edu/cyber-research/revolutionizing-enterprise-security-exciting-future-passkeys-beyond-passwords/ -
Today's episode covers an odd 12 year old Netgear vulnerability that only received a proper CVE number last year. Learn about how to properly identify OpenID connect users and avoid domain name resue. Good old rsync turns out to be in need of patching and Fortinet: Not sure if it needs patching. Probably it does. Go ahead and patch it.
The Curious Case of a 12-Year-Old Netgear Router Vulnerability
Outdated Netgear routers remain a security risk, with attackers actively exploiting a 2013 vulnerability to deploy crypto miners. Learn how to protect your network by updating or replacing legacy hardware.
URL: https://isc.sans.edu/diary/The%20Curious%20Case%20of%20a%2012-Year-Old%20Netgear%20Router%20Vulnerability/31592
Millions at Risk Due to Google s OAuth Flaw
A flaw in Google s OAuth implementation enables attackers to exploit defunct domain accounts, exposing sensitive data. Tips on implementing MFA and domain monitoring to reduce risks.
URL: https://trufflesecurity.com/blog/millions-at-risk-due-to-google-s-oauth-flaw
Rsync 3.4.0 Security Release
The latest rsync update fixes critical vulnerabilities, including buffer overflows and symbolic link issues. Upgrade immediately to protect your file synchronization processes.
URL: https://download.samba.org/pub/rsync/NEWS#3.4.0
Fortinet PSIRT Advisories: Stay Secure
Fortinet's latest advisories address vulnerabilities in FortiOS, FortiProxy, and more. Review and apply patches promptly to secure your perimeter defenses.
URL: https://www.fortiguard.com/psirt -
Today, Microsoft Patch Tuesday headlines our news with Microsoft patching 209 vulnerabilities, some
of which have already been exploited. Fortinet suspects a so far unpatched Node.js authentication
bypass to be behind some recent exploits of FortiOS and FortiProxy devices.
Microsoft January 2025 Patch Tuesday
This month's Microsoft patch update addresses a total of 209 vulnerabilities, including 12 classified as critical. Among these, 3 vulnerabilities have been actively exploited in the wild, and 5 have been disclosed prior to the patch release, marking them as zero-days.
https://isc.sans.edu/diary/rss/31590
Fortinet Security Advisory FG-IR-24-535 CVE-2024-55591
An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module.
https://fortiguard.fortinet.com/psirt/FG-IR-24-535
PRTG Network Monitor Update:
Update for an already exploited XSS vulnerability in Paesler PRTG Network Monitor CVE-2024-12833
https://www.paessler.com/prtg/history/stable -
Episode Summary:
This episode covers brute-force attacks on the password reset functionality of Hikvision devices, a macOS SIP bypass vulnerability, Linux rootkit malware, and a novel ransomware campaign targeting AWS S3 buckets.
Topics Covered:
Hikvision Password Reset Brute Forcing
URL: https://isc.sans.edu/diary/Hikvision%20Password%20Reset%20Brute%20Forcing/31586
Hikvision devices are being targeted using old brute-force attacks exploiting predictable password reset codes.
Analyzing CVE-2024-44243: A macOS System Integrity Protection Bypass
URL: https://www.microsoft.com/en-us/security/blog/2025/01/13/analyzing-cve-2024-44243-a-macos-system-integrity-protection-bypass-through-kernel-extensions/
Microsoft details a macOS vulnerability allowing attackers to bypass SIP using kernel extensions.
Rootkit Malware Controls Linux Systems Remotely
URL: https://cybersecuritynews.com/rootkit-malware-controls-linux-systems-remotely/
A sophisticated rootkit targeting Linux systems uses zero-day vulnerabilities for remote control.
Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C
URL: https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c
Attackers are using AWS s SSE-C encryption to lock S3 buckets during ransomware campaigns. We cover how the attack works and how to protect your AWS environment. -
In today's episode, we cover the latest updates in cybersecurity:
Windows Defender Enhances Chrome Extension Detection
Microsoft's Defender now catalogs Chrome extensions to identify malicious ones. Learn how this improves enterprise security.
https://isc.sans.edu/diary/Windows%20Defender%20Chrome%20Extension%20Detection/31574
Multi-OLE Analysis in Malicious Documents
A look at how attackers embed OLE files in Office documents to evade detection and the tools to combat it.
https://isc.sans.edu/diary/Multi-OLE/31580
Ivanti Connect Secure RCE Vulnerability (CVE-2025-0282)
Details of a critical vulnerability affecting Ivanti products and the patching timelines.
https://labs.watchtowr.com/exploitation-walkthrough-and-techniques-ivanti-connect-secure-rce-cve-2025-0282/
Apple USB-C Controller Compromised
Researchers hacked Apple s ACE3 USB-C controller, highlighting hardware security challenges.
https://cybersecuritynews.com/apples-new-usb-c-controller-hacked/
IRS Pushes for IP PIN Enrollment
Protect yourself from tax-related identity theft by securing your IP PIN for the 2025 tax season.
https://www.irs.gov/newsroom/irs-encourages-all-taxpayers-to-sign-up-for-an-ip-pin-for-the-2025-tax-season -
In this episode, we explore the following stories:
"Examining Redtail: Analyzing a Sophisticated Cryptomining Malware and its Advanced Tactics"
Overview of Redtail's multi-architecture cryptomining malware exploiting vulnerabilities and deploying persistence techniques.
URL: Examining Redtail: Analyzing a Sophisticated Cryptomining Malware and its Advanced Tactics
"Information Stealer Masquerades as LDAPNightmare PoC Exploit"
A malware disguised as a PoC exploit targets users seeking to test vulnerabilities like LDAPNightmare.
URL: Information Stealer Masquerades as LDAPNightmare PoC Exploit
"How Extensions Trick CWS Search"
Research reveals how malicious browser extensions manipulate Chrome Web Store search to appear legitimate.
URL: How Extensions Trick CWS Search
"Palo Alto Networks' Expedition Vulnerabilities (PAN-SA-2025-0001)"
Multiple vulnerabilities in the deprecated Expedition tool can expose credentials and lead to unauthorized file and command execution.
URL: Palo Alto Networks' Expedition Vulnerabilities (PAN-SA-2025-0001) -
In this episode, we discuss critical vulnerabilities in Ivanti Connect Secure and Policy Secure, command injection risks in Aviatrix Network Controllers, and the risks posed by hijacked abandoned backdoors.
Episode Links and Topics:
More Governments Backdoors in Your Backdoors
https://labs.watchtowr.com/more-governments-backdoors-in-your-backdoors/
Researchers reveal how expired domains linked to abandoned backdoors can be hijacked, exposing systems to further compromise.
Security Update: Ivanti Connect Secure, Policy Secure, and Neurons for ZTA Gateways
https://www.ivanti.com/blog/security-update-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways
Ivanti addresses critical vulnerabilities (CVE-2025-0282, CVE-2025-0283) in their secure gateway products, with active exploitation in the wild.
CVE-2024-50603: Aviatrix Network Controller Command Injection Vulnerability
https://www.securing.pl/en/cve-2024-50603-aviatrix-network-controller-command-injection-vulnerability/
A command injection vulnerability in Aviatrix Network Controllers allows unauthenticated code execution, posing severe risks to network environments. -
In this episode, we dive into active exploitation of a zero-day in SonicWall SSL-VPN, privilege escalation vulnerabilities in Moxa devices, and a BitLocker bypass in Windows 11. We also cover cryptocurrency mining malware hitting PHP servers and the White House's launch of the U.S. Cyber Trust Mark to secure connected devices.
Episode Links and Topics:
PacketCrypt Classic Cryptocurrency Miner on PHP Servers
https://isc.sans.edu/diary/PacketCrypt%20Classic%20Cryptocurrency%20Miner%20on%20PHP%20Servers/31564
Malware exploiting PHP servers to mine PacketCrypt Classic cryptocurrency.
SonicOS Affected By Multiple Vulnerabilities
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0003
A zero-day vulnerability in SonicWall SSL-VPN devices is under active attack.
Privilege Escalation and OS Command Injection Vulnerabilities in Moxa Devices
https://www.moxa.com/en/support/product-support/security-advisory/mpsa-241155-privilege-escalation-and-os-command-injection-vulnerabilities-in-cellular-routers,-secure-routers,-and-netwo
Critical vulnerabilities in Moxa routers and security appliances allow privilege escalation and OS command injection.
White House Launches U.S. Cyber Trust Mark
https://www.whitehouse.gov/briefing-room/statements-releases/2025/01/07/white-house-launches-u-s-cyber-trust-mark-providing-american-consumers-an-easy-label-to-see-if-connected-devices-are-cybersecure/
A new cybersecurity labeling program for connected devices aims to help consumers choose secure products.
Windows BitLocker: Screwed without a Screwdriver
https://media.ccc.de/v/38c3-windows-bitlocker-screwed-without-a-screwdriver#t=761
(video in English)
A two-year-old vulnerability in Windows 11 allows bypassing BitLocker encryption. -
In this episode of the SANS Internet Storm Center's Stormcast, we cover critical vulnerabilities affecting OpenSSH, BeyondTrust, and Nuclei, including the newly discovered "RegreSSHion" flaw and a bypass vulnerability in Nuclei. We also discuss how malware evasion techniques can impact analysis environments and highlight the dangers of fake exploits targeting researchers. Tune in for insights on patching, mitigation strategies, and staying ahead of emerging threats.
Topics Covered:
Make Malware Happy
https://isc.sans.edu/diary/Make%20Malware%20Happy/31560
A look at how malware adapts and detects analysis environments, and why replicating operational settings is critical during malware analysis.
Nuclei Signature Verification Bypass (CVE-2024-43405)
https://www.wiz.io/blog/nuclei-signature-verification-bypass
A critical vulnerability in Nuclei allows malicious templates to bypass signature verification, risking arbitrary code execution.
Critical Vulnerability in BeyondTrust (CVE-2024-12356)
https://censys.com/cve-2024-12356/
A high-risk flaw in BeyondTrust products allows unauthenticated OS command execution, posing a significant threat to privileged access systems.
RegreSSHion Code Execution Vulnerability (CVE-2024-6387)
https://cybersecuritynews.com/regresshion-code-execution-vulnerability/
OpenSSH vulnerability "RegreSSHion" enables remote code execution, and fake exploits targeting security researchers are in circulation. -
In this episode of the SANS Internet Storm Center's Stormcast, we cover the latest cybersecurity threats and defenses, including Python-delivered malware, goodware hash sets, SSL/TLS protocol updates, and critical vulnerabilities in ASUS routers and Paessler PRTG. Stay informed and secure your systems!
Full details and links to all stories:
SwaetRAT via Python: https://isc.sans.edu/diary/SwaetRAT%20Delivery%20Through%20Python/31554
Goodware Hash Sets: https://isc.sans.edu/diary/Goodware%20Hash%20Sets/31556
SSL/TLS Updates: https://isc.sans.edu/diary/Changes%20in%20SSL%20and%20TLS%20support%20in%202024/31550
Cyberhaven Extension Compromise: https://secureannex.com/blog/cyberhaven-extension-compromise/
PRTG Vulnerability: https://www.zerodayinitiative.com/advisories/ZDI-24-1736/
ASUS Router Vulnerabilities: https://cybersecuritynews.com/asus-router-vulnerabilities/ -
PHPUnit and Androxgh0st
https://isc.sans.edu/diary/Command%20Injection%20Exploit%20For%20PHPUnit%20before%204.8.28%20and%205.x%20before%205.6.3%20%5BGuest%20Diary%5D/31528
Mirai Attacks Session Smart Routers
https://supportportal.juniper.net/s/article/2024-12-Reference-Advisory-Session-Smart-Router-Mirai-malware-found-on-systems-when-the-default-password-remains-unchanged?language=en_US
FortiWLM Unauthenticated limited file read vulnerability
https://fortiguard.fortinet.com/psirt/FG-IR-23-144
https://securityonline.info/kaspersky-uncovers-active-exploitation-of-fortinet-vulnerability-cve-2023-48788/
Beyond Trust Security Advisory
https://www.beyondtrust.com/trust-center/security-advisories/bt24-10
BadBox Update
https://www.bitsight.com/blog/badbox-botnet-back -
A Deep Dive into TeamTNT and Spinning YARN
https://isc.sans.edu/diary/%5BGuest%20Diary%5D%20A%20Deep%20Dive%20into%20TeamTNT%20and%20Spinning%20YARN/31530
Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks
https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html
Okta Social Engineering Impersonation Report
https://sec.okta.com/articles/2024/okta-social-engineering-report-response-and-recommendation
US considers banning TP-Link routers over cybersecurity risks
https://www.bleepingcomputer.com/news/security/us-considers-banning-tp-link-routers-over-cybersecurity-risks/
CISA Releases Best Practice Guidance for Mobile Communications
https://www.cisa.gov/news-events/alerts/2024/12/18/cisa-releases-best-practice-guidance-mobile-communications -
Python Delivering AnyDesk Client as RAT
https://isc.sans.edu/diary/Python+Delivering+AnyDesk+Client+as+RAT/31524/
Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion
https://www.trendmicro.com/en_us/research/24/l/darkgate-malware.html
SS7 Attacks
https://www.404media.co/email/ac709882-1e4b-42fc-bcca-cf7ce4793716/
CrushFTP Vulnerability
https://crushftp.com/crush11wiki/Wiki.jsp?page=Update -
MUT-1244 Targeting Offensive Actors
https://securitylabs.datadoghq.com/articles/mut-1244-targeting-offensive-actors/
Golang Crypto Vulnerability
https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909
Meeten Malware: A Cross-Platform Threat to Crypto Wallets on macOS and Windows
https://www.cadosecurity.com/blog/meeten-malware-threat -
Exploit Attempts Inspired by Recent Struts 2 File Upload Vulnerability
https://isc.sans.edu/diary/Exploit%20attempts%20inspired%20by%20recent%20Struts2%20File%20Upload%20Vulnerability%20%28CVE-2024-53677%2C%20CVE-2023-50164%29/31520
Citrix Netscaler Password Spraying Mitigation
https://www.citrix.com/blogs/2024/12/13/password-spraying-attacks-netscaler-december-2024/
Let's Encrypt Six Day Certifiates
https://letsencrypt.org/2024/12/11/eoy-letter-2024/
Devices in Germany Arrived Pre-Pw0n3d
https://cybersecuritynews.com/30000-devices-in-germany-discovered-with-pre-installed-malware-badbox/ - Visa fler
