SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast

Exploring Uploads in a Dshield Honeypot Environment This guest diary by one of our SANS.edu undergraduate interns shows how to analyze files uploaded to Cowrie https://isc.sans.edu/diary/Exploring%20Uploads%20in%20a%20Dshield%20Honeypot%20Environment%20%5BGuest%20Diary%5D/32296 Sonicwall Breach SonicWall MySonicWall accounts were breached via credential brute forcing https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-file-incident/250915160910330 DeepSeek Bias Cloudflare found significant biases in code created by the Chinese AI engine DeepSeek. Code for organizations not aligned with China s politics contained significantly more bugs https://www.washingtonpost.com/technology/2025/09/16/deepseek-ai-security/ Google Chrome 0-day Google fixed an already-exploited vulnerability in Google Chrome https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html

CTRL-Z DLL Hooking Attackers may use a simple reload trick to overwrite breakpoints left by analysts to reverse malicious binaries. https://isc.sans.edu/diary/CTRL-Z%20DLL%20Hooking/32294 Global Admin in every Entra ID tenant via Actor tokens As part of September s patch Tuesday, Microsoft patched CVE-2025-55241. The discoverer of the vulnerability, Dirk-jan Mollema has published a blog post showing how this vulnerability could have been exploited. https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens/ WatchGuard Firebox iked Out of Bounds Write Vulnerability CVE-2025-9242 WatchGuard patched an out-of-bounds write vulnerability, which could allow an unauthenticated attacker to compromise the devices. https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015 NVidia Triton Inference Server NVIDIA patched critical vulnerabilities in its Triton Inference Server. https://nvidia.custhelp.com/app/answers/detail/a_id/5691

Why You Need Phishing-Resistant Authentication NOW. The recent compromise of a number of high-profile npmjs.com accounts has yet again shown how dangerous a simple phishing email can be. https://isc.sans.edu/diary/Why%20You%20Need%20Phishing%20Resistant%20Authentication%20NOW./32290 S1ngularity/nx Attackers Strike Again A second wave of attacks has hit over a hundred npm-related GitHub repositories. The updated payload implements a worm that propagates itself to other repositories. https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again ChatGPT s Calendar Integration Can Be Exploited to Steal Emails ChatGPT s new MCP integration can be used, via prompt injection, to affect software connected to ChatGPT via MCP. https://www.linkedin.com/posts/eito-miyamura-157305121_we-got-chatgpt-to-leak-your-private-email-activity-7372306174253256704-xoX1/

Apple Updates Apple released major updates for all of its operating systems. In addition to new features, these updates patch 33 different vulnerabilities. https://isc.sans.edu/diary/Apple%20Updates%20Everything%20-%20iOS%20macOS%2026%20Edition/32286 Microsoft End of Life October 14th, support for Windows 10, Exchange 2016, and Exchange 2019 will end. https://support.microsoft.com/en-us/windows/windows-10-support-ends-on-october-14-2025-2ca8b313-1946-43d3-b55c-2b95b107f281#:~:text=As%20a%20reminder%2C%20Windows%2010,one%20that%20supports%20Windows%2011. https://techcommunity.microsoft.com/blog/exchange/t-9-months-exchange-server-2016-and-exchange-server-2019-end-of-support/4366605 Phishing Targeting Rust Developers Rust developers are reporting similar phishing emails as the emails causing the major NPM compromise last week. https://github.com/rust-lang/crates.io/discussions/11889#discussion-8886064 Samsung Patches 0-Day Samsung released its monthly updates for its flagship phones fixing, among other vulnerability, an already exploited 0-day. https://security.samsungmobile.com/securityUpdate.smsb

Web Searches For Archives Didier observed additional file types being searched for as attackers continue to focus on archive files as they spider web pages https://isc.sans.edu/diary/Web%20Searches%20For%20Archives/32282 FBI Flash Alert: Salesforce Attacks The FBI is alerting users of Salesforce of two different threat actors targeting Salesforce. There are no new vulnerabilities disclosed, but the initial access usually takes advantage of social engineering or leaked data from the Salesdrift compromise. https://www.ic3.gov/CSA/2025/250912.pdf VSCode Cursor Extensions Malware Koe Security unmasked details about a recent malicious cursor extension campaign they call White Cobra. https://www.koi.security/blog/whitecobra-vscode-cursor-extensions-malware BSides Augusta https://bsidesaugusta.org/

DShield SIEM Docker Updates Guy updated the DShield SIEM which graphically summarizes what is happening inside your honeypot. https://isc.sans.edu/diary/DShield%20SIEM%20Docker%20Updates/32276 Again: Sonicwall SSL VPN Compromises The Australian Government s Signals Directorate noted an increase in compromised Sonicwall devices. https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/ongoing-active-exploitation-of-sonicwall-ssl-vpns-in-australia Website Keystroke Logging Many websites log every keystroke, not just data submitted in forms. https://arxiv.org/pdf/2508.19825

BASE64 Over DNS The base64 character set exceeds what is allowable in DNS. However, some implementations will work even with these invalid characters. https://isc.sans.edu/diary/BASE64%20Over%20DNS/32274 Google Chrome Update Google released an update for Google Chrome, addressing two vulnerabilities. One of the vulnerabilities is rated critical and may allow code execution. https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_9.html Ivanti Updates Ivanti patched a number of vulnerabilities, several of them critical, across its product portfolio. https://forums.ivanti.com/s/article/September-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-and-Neurons-for-Secure-Access-Multiple-CVEs Sophos Patches Sophos resolved authentication bypass vulnerability in Sophos AP6 series wireless access point firmware (CVE-2025-10159) https://www.sophos.com/en-us/security-advisories/sophos-sa-20250909-ap6 Apple Introduces Memory Integrity Enforcement With the new hardware promoted in yesterday s event, Apple also introduced new memory integrity features based on this new hardware. https://security.apple.com/blog/memory-integrity-enforcement/

Microsoft Patch Tuesday As part of its September patch Tuesday, Microsoft addressed 177 different vulnerabilities, 86 of which affect Microsoft products. None of the vulnerabilities has been exploited before today. Two of the vulnerabilities were already made public. Microsoft rates 13 of the vulnerabilities are critical. https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20September%202025/32270 Adobe Patches Adobe released patches for nine products, including Adobe Commerce, Coldfusion, and Acrobat. https://helpx.adobe.com/security/security-bulletin.html SAP Patches SAP patched vulnerabilities across its product portfolio. Particularly interesting are a few critical vulnerabilities in Netweaver, one of which scored a perfect 10.0 CVSS score. https://onapsis.com/blog/sap-security-notes-september-2025-patch-day/

Major npm compromise A number of high-profile npm libraries were compromised after developers fell for a phishing email. This compromise affected libraries with a total of hundreds of millions of downloads a week. https://bsky.app/profile/bad-at-computer.bsky.social/post/3lydioq5swk2y https://github.com/orgs/community/discussions/172738 https://github.com/chalk/chalk/issues/656#issuecomment-3266894253 https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised HTTP Request Signatures It looks like some search engines and AI bots are starting to use the HTTP request signature. This should make it easier to identify bot traffic. https://isc.sans.edu/diary/HTTP%20Request%20Signatures/32266

From YARA Offsets to Virtual Addresses Xavier explains how to convert offsets reported by YARA into offsets suitable for the use with debuggers. https://isc.sans.edu/diary/From%20YARA%20Offsets%20to%20Virtual%20Addresses/32262 Phishing via JavaScript in SVG Files Virustotal uncovered a Colombian phishing campaign that takes advantage of JavaScript in SVG files. https://blog.virustotal.com/2025/09/uncovering-colombian-malware-campaign.html FreePBX Patches FreePBX released details regarding two vulnerabilities patched last week. One of these vulnerabilities was already actively exploited. https://github.com/FreePBX/security-reporting/security/advisories/GHSA-3r47-p39v-vqqf

Unauthorized Issuance of Certificate for 1.1.1.1 Cloudflare published a blog post with more details regarding the bad 1.1.1.1 certificate that was issued by Fina. https://blog.cloudflare.com/unauthorized-issuance-of-certificates-for-1-1-1-1/ AI Model Namespace Reuse Deleted accounts on Huggingface can be taken over by other entities unrelated to the original owner. https://unit42.paloaltonetworks.com/model-namespace-reuse/ macOS vulnerability allowed Keychain and iOS app decryption without a password Excessive entitlements for the gcore binary facilitated access to key material that was sufficient to access secrets stored in Apple s keychain. https://www.helpnetsecurity.com/2025/09/04/macos-gcore-vulnerability-cve-2025-24204/

Exploit Attempts for Dassault DELMIA Apriso. CVE-2025-5086 Our honeypots detected attacks against the manufacturing management system DELMIA Apriso. The deserialization vulnerability was patched in June and is one of a few critical vulnerabilities patched in recent months. https://isc.sans.edu/diary/Exploit%20Attempts%20for%20Dassault%20DELMIA%20Apriso.%20CVE-2025-5086/32256 Android Bulletin Google released its September update, fixing two already-exploited privilege escalation flaws and some remote code execution issues. https://source.android.com/docs/security/bulletin/2025-09-01 Mis-issued Certificates for SAN iPAddress:1.1.1.1 by Fina RDC 2020 Certificate authority Fina RDC issues a certificate for Cloudflare s IP address 1.1.1.1 https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/SgwC1QsEpvc

A Quick Look at Sextortion at Scale Jan analyzed 1900 different sextortion messages using 205 different Bitcoin addresses to look at the success rate, lifetime, and other metrics defining these campaigns. https://isc.sans.edu/diary/A%20quick%20look%20at%20sextortion%20at%20scale%3A%201%2C900%20messages%20and%20205%20Bitcoin%20addresses%20spanning%20four%20years/32252 Azure AD Client Secret Leak Attackers are stealing Azure AD client secrets from websites that are leaving them exposed. https://www.resecurity.com/blog/article/azure-ad-client-secret-leak-the-keys-to-cloud Covert Channel via ICMP and DNS A new bot combines ICMP and DNS in new ways for covert communication. The DNS requests use domains with a fixed prefix followed by a base64 encoded command, and the ICMP echo request packets include commands as a payload. https://blog.xlab.qianxin.com/mystrodx_covert_dual-mode_backdoor_en/ Official Release of Critical FreePBX Patch Sangoma has announced that the experimental patch released for the exploited FreePBX vulnerability is now considered stable, and users should update to apply it. https://community.freepbx.org/t/security-advisory-please-lock-down-your-administrator-access/107203

pdf-parser: All Streams Didier released a new version of pdf-parser.py. This version fixes a problem with dumping all filtered streams. https://isc.sans.edu/diary/pdf-parser%3A%20All%20Streams/32248 Salesloft Drift Putting OAuth Tokens at Risk OAuth tokens used by Salesloft Drift users to provide access to integrations with Salesforce, Google Workspace, and others have been compromised and heavily abused for additional compromise and large-scale data exfiltration from exposed services. https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift Velociraptor incident response tool abused for remote access Attackers are using the open source incident response tool Velociraptor to access remote systems in breached networks. Tools like Velocitraptor are ideal for attackers to perform lateral movement. https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/ Default Password in NeuVector (Rancher Desktop) SuSE fixed a default password vulnerability in NeuVector, a security tool included in Rancher Desktop. https://github.com/neuvector/neuvector/security/advisories/GHSA-8pxw-9c75-6w56

Increasing Searches for ZIP Files Attackers are scanning our honeypots more and more for .zip files. They are looking for backups of credential files and the like left behind by careless administrators and developers. https://isc.sans.edu/diary/Increasing%20Searches%20for%20ZIP%20Files/32242 FreePBX Vulnerability An upatched vulnerability in FreePBX is currently being exploited. FreePBX offers mitigation advice and has also just released a beta patch. https://community.freepbx.org/t/security-advisory-please-lock-down-your-administrator-access/107203 Passwordstate Vulnerability Clickstudios patched an authentication bypass vulnerability in its password manager, Passwordstate. The vulnerability can be used to access the emergency password page. https://www.clickstudios.com.au/passwordstate-changelog.aspx

Interesting Technique to Launch a Shellcode Xavier came across malware that PowerShell and the CallWindowProcA() API to launch code. https://isc.sans.edu/diary/Interesting%20Technique%20to%20Launch%20a%20Shellcode/32238 NX Compromised to Steal Wallets and Credentials The popular open source NX build package was compromised. Code was added that uses the help of AI tools like Claude and Gemini to steal credentials from affected systems https://semgrep.dev/blog/2025/security-alert-nx-compromised-to-steal-wallets-and-credentials/ Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed the Global Espionage System Several law enforcement and cybersecurity agencies worldwide collaborated to release a detailed report on the recent Volt Typhoon incident. https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a

Getting a Better Handle on International Domain Names and Punycode International Domain names can be used for phishing and other attacks. One way to identify suspect names is to look for mixed script use. https://isc.sans.edu/diary/Getting%20a%20Better%20Handle%20on%20International%20Domain%20Names%20and%20Punycode/32234 Citrix Netscaler Vulnerabilities CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424 Citrix patched three vulnerabilities in Netscaler. One is already being exploited https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938&articleTitle=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2025_7775_CVE_2025_7776_and_CVE_2025_8424 git vulnerability exploited (CVE-2025-48384) A git vulnerability patched in early July is now being exploited https://github.com/git/git/security/advisories/GHSA-vwqx-4fm8-6qc9

Reading Location Position Value in Microsoft Word Documents Jessy investigated how Word documents store the last visited document location in the registry. https://isc.sans.edu/diary/Reading%20Location%20Position%20Value%20in%20Microsoft%20Word%20Documents/32224 Weaponizing image scaling against production AI systems AI systems often downscale images before processing them. An attacker can create a harmless looking image that would reveal text after downscaling leading to prompt injection https://blog.trailofbits.com/2025/08/21/weaponizing-image-scaling-against-production-ai-systems/ IBM Jazz Team Server Vulnerability CVE-2025-36157 IBM patched a critical vulnerability in its Jazz Team Server https://www.ibm.com/support/pages/node/7242925

The end of an era: Properly formatted IP addresses in all of our data. When initiall designing DShield, addresses were zero padded , an unfortunate choice. As of this week, datafeeds should no longer be zero padded . https://isc.sans.edu/diary/The%20end%20of%20an%20era%3A%20Properly%20formated%20IP%20addresses%20in%20all%20of%20our%20data./32228 .desktop files used in an attack against Linux Desktops Pakistani attackers are using .desktop files to target Indian Linux desktops. https://www.cyfirma.com/research/apt36-targets-indian-boss-linux-systems-with-weaponized-autostart-files/ Malicious Go Module Disguised as SSH Brute Forcer Exfiltrates Credentials via Telegram A go module advertising its ability to quickly brute force passwords against random IP addresses, has been used to exfiltrate credentials from the person running the module. https://socket.dev/blog/malicious-go-module-disguised-as-ssh-brute-forcer-exfiltrates-credentials Limiting Onmicrosoft Domain Usage for Sending Emails Microsoft is limiting how many emails can be sent by Microsoft 365 users using the onmicrosoft.com domain. https://techcommunity.microsoft.com/blog/exchange/limiting-onmicrosoft-domain-usage-for-sending-emails/4446167

Don't Forget The "-n" Command Line Switch Disabling reverse DNS lookups for IP addresses is important not just for performance, but also for opsec. Xavier is explaining some of the risks. https://isc.sans.edu/diary/Don%27t%20Forget%20The%20%22-n%22%20Command%20Line%20Switch/32220 watchTowr releases details about recent Commvault flaws Users of the Commvault enterprise backup solution must patch now after watchTowr released details about recent vulnerabilities https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/?123 Docker Desktop Vulnerability CVE-2025-9074 A vulnerability in Docker Desktop allows attackers to escape from containers to attack the host. https://docs.docker.com/desktop/release-notes/#4443

Airtel Router Scans and Mislabeled Usernames A quick summary of some odd usernames that show up in our honeypot logs https://isc.sans.edu/diary/Airtel%20Router%20Scans%2C%20and%20Mislabeled%20usernames/32216 Apple Patches 0-Day CVE-2025-43300 Apple released an update for iOS, iPadOS and MacOS today patching a single, already exploited, vulnerability in ImageIO. https://support.apple.com/en-us/124925 Microsoft Copilot Audit Logs A user retrieving data via copilot obscures the fact that the user may have had access to data in a specific file https://pistachioapp.com/blog/copilot-broke-your-audit-log Password Managers Susceptible to Clickjacking Many password managers are susceptible to clickjacking, and only few have fixed the problem so far https://marektoth.com/blog/dom-based-extension-clickjacking/

Increased Elasticsearch Recognizance Scans Our honeypots noted an increase in reconnaissance scans for Elasticsearch. In particular, the endpoint /_cluster/settings is hit hard. https://isc.sans.edu/diary/Increased%20Elasticsearch%20Recognizance%20Scans/32212 Microsoft Patch Tuesday Issues Microsoft noted some issues deploying the most recent patches with WSUS. There are also issues with certain SSDs if larger files are transferred. https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-24h2#3635msgdesc https://www.tomshardware.com/pc-components/ssds/latest-windows-11-security-patch-might-be-breaking-ssds-under-heavy-workloads-users-report-disappearing-drives-following-file-transfers-including-some-that-cannot-be-recovered-after-a-reboot SAP Vulnerabilities Exploited CVE-2025-31324, CVE-2025-42999 Details explaining how to take advantage of two SAP vulnerabilities were made public https://onapsis.com/blog/new-exploit-for-cve-2025-31324/

Keeping an Eye on MFA Bombing Attacks Attackers will attempt to use authentication fatigue by bombing users with MFA authentication requests. Rob is talking in this diary about how to investigate these attacks in a Microsoft ecosystem. https://isc.sans.edu/diary/Keeping+an+Eye+on+MFABombing+Attacks/32208 Critical Cisco Secure Firewall Management Center Software RADIUS Remote Code Execution Vulnerability An OS command injection vulnerability may be abused to gain access to the Cisco Secure Firewall Management Center software. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-radius-rce-TNBKf79 F5 Access for Android vulnerability An attacker with a network position that allows them to intercept network traffic may be able to read and/or modify data in transit. The attacker would need to intercept vulnerable clients specifically, since other clients would detect the man-in-the-middle (MITM) attack. https://my.f5.com/manage/s/article/K000152049

SNI5GECT: Sniffing and Injecting 5G Traffic Without Rogue Base Stations Researchers from the Singapore University of Technology and Design released a new framework, SNI5GECT, to passively sniff and inject traffic into 5G data streams, leading to DoS, downgrade and other attacks. https://isc.sans.edu/diary/SNI5GECT%3A%20Sniffing%20and%20Injecting%205G%20Traffic%20Without%20Rogue%20Base%20Stations/32202 Plex Vulnerability Plex patched a vulnerability in the Plex Media Server. Make sure you have updated to at least 1.42.1. https://forums.plex.tv/t/plex-media-server-security-update/928341 FortiWeb Exploit Public A security researcher published details about the recent FortiWeb vulnerability, including demonstrating a PoC exploit. https://www.bleepingcomputer.com/news/security/researcher-to-release-exploit-for-full-auth-bypass-on-fortiweb/ Flowise OS vulnerability https://research.jfrog.com/vulnerabilities/flowise-os-command-remote-code-execution-jfsa-2025-001380578/

AI and Faster Attack Analysis A few use cases for LLMs to speed up analysis https://isc.sans.edu/diary/AI%20and%20Faster%20Attack%20Analysis%20%5BGuest%20Diary%5D/32198 Proxyware Malware Being Distributed on YouTube Video Download Site Popular YouTube download sites will attempt to infect users with proxyware. https://asec.ahnlab.com/en/89574/ Xerox Freeflow Core Vulnerability Horizon3.ai discovered XXE Injection (CVE-2025-8355) and Path Traversal (CVE-2025-8356) vulnerabilities in Xerox FreeFlow Core, a print orchestration platform. These vulnerabilities are easily exploitable and enable unauthenticated remote attackers to achieve remote code execution on vulnerable FreeFlow Core instances. https://horizon3.ai/attack-research/attack-blogs/from-support-ticket-to-zero-day/ SANS.edu Research: Darren Carstensen Evaluating Zero Trust Network Access: A Framework for Comparative Security Testing Not all Zero Trust Network Access (ZTNA) solutions are created equal, and despite bold marketing claims, many fall short of delivering proper Zero Trust security. https://www.sans.edu/cyber-research/evaluating-zero-trust-network-access-framework-comparative-security-testing/

CVE-2017-11882 Will Never Die The (very) old equation editor vulnerability is still being exploited, as this recent sample analyzed by Xavier shows. The payload of the Excel file attempts to download and execute an infostealer to exfiltrate passwords via email. https://isc.sans.edu/diary/CVE-2017-11882%20Will%20Never%20Die/32196 Windows Kerberos Elevation of Privilege Vulnerability Yesterday, Microsoft released a patch for a vulnerability that had already been made public. This vulnerability refers to the privilege escalation taking advantage of a path traversal issue in Windows Kerberos affecting Exchange Server in hybrid mode. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53779 Persistent Risk: XZ Utils Backdoor Still Lurking in Docker Images Some old Debian Docker images containing the xz-utils backdoor are still available for download from Docker Hub via the official Debian account. https://www.binarly.io/blog/persistent-risk-xz-utils-backdoor-still-lurking-in-docker-images FortiSIEM / FortiWeb Vulnerablities Fortinet patched already exploited vulnerabilities in FortiWeb and FortiSIEM https://fortiguard.fortinet.com/psirt/FG-IR-25-152 https://fortiguard.fortinet.com/psirt/FG-IR-25-448

Microsoft Patch Tuesday https://isc.sans.edu/diary/Microsoft%20August%202025%20Patch%20Tuesday/32192 https://cymulate.com/blog/zero-click-one-ntlm-microsoft-security-patch-bypass-cve-2025-50154/ libarchive Vulnerability A libarchive vulnerability patched in June was upgraded from a low CVSS score to a critical one. Libarchive is used by compression software across various operating systems, making this a difficult vulnerability to patch https://www.freebsd.org/security/advisories/FreeBSD-SA-25:07.libarchive.asc Adobe Patches Adobe released patches for 13 different products. https://helpx.adobe.com/security/Home.html

Erlang OTP SSH Exploits A recently patched and easily exploited vulnerability in Erlang/OTP SSH is being exploited. Palo Alto collected some of the details about this exploit activity that they observed. https://unit42.paloaltonetworks.com/erlang-otp-cve-2025-32433/ WinRAR Exploited WinRAR vulnerabilities are actively being exploited by a number of threat actors. The vulnerability allows for the creation of arbitrary files as the archive is extracted. https://thehackernews.com/2025/08/winrar-zero-day-under-active.html Citrix Netscaler Exploit Updates The Dutch Center for Cyber Security is updating its guidance on recent Citrix Netscaler attacks. Note that the attacks started before a patch became available, and attackers are actively hiding their tracks to make it more difficult to detect a compromise. https://www.ncsc.nl/actueel/nieuws/2025/07/22/casus-citrix-kwetsbaarheid https://www.bleepingcomputer.com/news/security/netherlands-citrix-netscaler-flaw-cve-2025-6543-exploited-to-breach-orgs/ OpenSSH Post Quantum Encryption Starting in version 10.1, OpenSSH will warn users if they are using quantum-unsafe algorithms https://www.openssh.com/pq.html

Google Paid Ads for Fake Tesla Websites Someone is setting up fake Tesla lookalike websites that attempt to collect credit card data from unsuspecting users trying to preorder Tesla products. https://isc.sans.edu/diary/Google%20Paid%20Ads%20for%20Fake%20Tesla%20Websites/32186 Compromising USB Devices for Persistent Stealthy Access USB devices, like Linux-based web cams, can be compromised to emulate malicious USB devices like keyboards that inject malicious commands. https://eclypsium.com/blog/badcam-now-weaponizing-linux-webcams/ Win-DoS Epidemic: A crash course in abusing RPC for Win-DoS & Win-DDoS Internet-exposed DCs can be used in very powerful DoS attacks. https://defcon.org/html/defcon-33/dc-33-speakers.html#content_60389

Mass Internet Scanning from ASN 43350 Our undergraduate intern Duncan Woosley wrote up aggressive scans from ASN 43350 https://isc.sans.edu/diary/Mass+Internet+Scanning+from+ASN+43350+Guest+Diary/32180/#comments HTTP/1.1 Desync Attacks Portswigger released details about new types of HTTP/1.1 desync attacks it uncovered. These attacks are particularly critical for organizations using middleboxes to translate from HTTP/2 to HTTP/1.1 https://portswigger.net/research/http1-must-die Microsoft Warns of Exchange Server Vulnerability An attacker with admin access to an Exchange Server in a hybrid configuration can use this vulnerability to gain full domain access. The issue is mitigated by an April hotfix, but was not noted in the release of the April Hotfix. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53786 Sonicwall Update Sonicwall no longer believes that a new vulnerability was used in recent compromises https://www.sonicwall.com/support/notices/gen-7-and-newer-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430 SANS.edu Research: Wellington Rampazo, Shift Left the Awareness and Detection of Developers Using Vulnerable Open-Source Software Components https://www.sans.edu/cyber-research/shift-left-awareness-detection-developers-using-vulnerable-open-source-software-components/

Do Sextortion Scams Still Work in 2025? Jan looked at recent sextortion emails to check if any of the crypto addresses in these emails received deposits. Sadly, some did, so these scams still work. https://isc.sans.edu/diary/Do%20sextortion%20scams%20still%20work%20in%202025%3F/32178 Akira Ransomware Group s use of Drivers Guidepoint Security observed the Akira ransomware group using specific legitimate drivers for privilege escalation https://www.guidepointsecurity.com/blog/gritrep-akira-sonicwall/ Adobe Patches Critical Experience Manager Vulnerability Adobe released emergency patches for a vulnerability in Adobe Experience Manager after a PoC exploit was made public. https://slcyber.io/assetnote-security-research-center/struts-devmode-in-2025-critical-pre-auth-vulnerabilities-in-adobe-experience-manager-forms/ https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html Trend Micro Apex One Vulnerability Trend Micro released an emergency patch for an actively exploited pre-authentication remote code execution vulnerability in the Apex One management console. https://success.trendmicro.com/en-US/solution/KA-0020652

Stealing Machinekeys for fun and profit (or riding the SharePoint wave) Bojan explains in detail how .NET uses Machine Keys to protect the VIEWSTATE, and how to abuse the VIEWSTATE for code execution if the Machine Keys are lost. https://isc.sans.edu/diary/Stealing%20Machine%20Keys%20for%20fun%20and%20profit%20%28or%20riding%20the%20SharePoint%20wave%29/32174 Perplexity is using stealth, undeclared crawlers to evade website no-crawl directives Perplexity will change its User Agent, or use different originating IP addresses, if it detects being blocked from scanning websites https://blog.cloudflare.com/perplexity-is-using-stealth-undeclared-crawlers-to-evade-website-no-crawl-directives/ Gen 7 SonicWall Firewalls SSLVPN Recent Threat Activity Over the past 72 hours, there has been a notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSLVPN is enabled. https://www.sonicwall.com/support/notices/gen-7-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430

Daily Trends Report A new trends report will bring you daily data highlights via e-mail. https://isc.sans.edu/diary/New%20Feature%3A%20Daily%20Trends%20Report/32170 NVidia Triton RCE Wiz found an interesting information leakage vulnerability in NVidia s Triton servers that can be leveraged to remote code execution. https://www.wiz.io/blog/nvidia-triton-cve-2025-23319-vuln-chain-to-ai-server Cursor AI MCP Vulnerability An attacker could abuse negligent Cursor MCP configurations to implement backdoors into developer machines. https://www.aim.security/lp/aim-labs-curxecute-blogpost

Scans for pop3user with guessable password A particular IP assigned to a network that calls itself Unmanaged has been scanning telnet/ssh for a user called pop3user with passwords pop3user or 123456 . I assume they are looking for legacy systems that either currently run pop3 or ran pop3 in the past, and left the user enabled. https://isc.sans.edu/diary/Legacy%20May%20Kill/32166 Possible Sonicwall SSL VPN 0-Day Arcticwolf observed compromised Sonicwall SSL VPN devices used by the Akira group to install ransomware. These devices were fully patched, and credentials were recently rotated. https://arcticwolf.com/resources/blog/arctic-wolf-observes-july-2025-uptick-in-akira-ransomware-activity-targeting-sonicwall-ssl-vpn/ PAM Based Linux Backdoor For over a year, attackers have used a PAM-based Linux backdoor that so far has gotten little attention from anti-malware vendors. PAM-based backdoors can be stealthy, and this one in particular includes various anti-forensics tricks. https://www.nextron-systems.com/2025/08/01/plague-a-newly-discovered-pam-based-backdoor-for-linux/

Scattered Spider Related Domain Names A quick demo of our domain feeds and how they can be used to find Scattered Spider related domains https://isc.sans.edu/diary/Scattered+Spider+Related+Domain+Names/32162 Excel External Workbook Links to Blocked File Types Will Be Disabled by Default Excel will discontinue allowing links to dangerous file types starting as early as October. https://support.microsoft.com/en-us/topic/external-workbook-links-to-blocked-file-types-will-be-disabled-by-default-6dd12903-0592-463d-9e68-0741cf62ee58 CISA Releases Thorium CISA announced that it released its malware analysis platform, Thorium, as open-source software. https://www.cisa.gov/news-events/alerts/2025/07/31/thorium-platform-public-availability

Securing Firebase: Lessons Re-Learned from the Tea Breach Inspried by the breach of the Tea app, Brendon Evans recorded a video to inform of Firebase security issues https://isc.sans.edu/diary/Securing%20Firebase%3A%20Lessons%20Re-Learned%20from%20the%20Tea%20Breach/32158 WebKit Vulnerability Exploited before Apple Patch A WebKit vulnerablity patched by Apple yesterday has already been exploited in Google Chrome. Google noted the exploit with its patch for the same vulnerability in Chrome. https://nvd.nist.gov/vuln/detail/CVE-2025-6558 Scattered Spider Update CISA released an update for its report on Scattered Spider, noting that the group also calls helpdesks impersonating users, not just the other way around. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a

Apple Updates Everything: July 2025 Edition Apple released updates for all of its operating systems patching 89 different vulnerabilities. Many vulnerabilities apply to multiple operating systems. https://isc.sans.edu/diary/Apple%20Updates%20Everything%3A%20July%202025/32154 Python Triage A quick python script by Xavier to efficiently search through files, even compressed once, for indicators of compromise. https://isc.sans.edu/diary/Triage+is+Key+Python+to+the+Rescue/32152/ PaperCut Attacks CISA added a 2024 Papercut vulnerability to the known exploited vulnerability list. https://www.cisa.gov/news-events/alerts/2025/07/28/cisa-adds-three-known-exploited-vulnerabilities-catalog

Parasitic SharePoint Exploits We are seeing attacks against SharePoint itself and attempts to exploit backdoors left behind by attackers. https://isc.sans.edu/diary/Parasitic%20Sharepoint%20Exploits/32148 Cisco ISE Vulnerability Exploited A recently patched vulnerability in Cisco ISE is now being exploited. The Zero Day Initiative has released a blog detailing the exploit chain to obtain code execution as an unauthenticated user. https://www.zerodayinitiative.com/blog/2025/7/24/cve-2025-20281-cisco-ise-api-unauthenticated-remote-code-execution-vulnerability MyAsus Vulnerablity The MyAsus tool does not store its access tokens correctly, potentially providing an attacker with access to sensitive functions https://www.asus.com/content/security-advisory/

Linux Namespaces Linux namespaces can be used to control networking features on a process-by-process basis. This is useful when trying to present a different network environment to a process being analysed. https://isc.sans.edu/diary/Sinkholing%20Suspicious%20Scripts%20or%20Executables%20on%20Linux/32144 Coyote in the Wild: First-Ever Malware That Abuses UI Automation Akamai identified malware that takes advantage of Microsoft s UI Automation Framework to programatically interact with the user s system and steal credentials. https://www.akamai.com/blog/security-research/active-exploitation-coyote-malware-first-ui-automation-abuse-in-the-wild Testing REST APIs with Autoswagger The tool Autoswagger can be used to automate the testing of REST APIs following the OpenAPI/Swagger standard. https://github.com/intruder-io/autoswagger/

New File Integrity Tool: ficheck.py Jim created a new tool, ficheck.py, that can be used to verify file integrity. It is a drop-in replacement for an older tool, fcheck, which was written in Perl and no longer functions well on modern Linux distributions. https://isc.sans.edu/diary/New%20Tool%3A%20ficheck.py/32136 Mitel Vulnerability Mitel released a patch for a vulnerability in its MX-ONE product. The authentication bypass could provide an attacker with user or even admin privileges. https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2025-0009 SonicWall SMA 100 Vulnerability SonicWall fixed an arbitrary file upload issue in its SMA 100 series firewalls. But exploitation will require credentials. https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0014

Reversing SharePoint Toolshell Exploits CVE-2025-53770 and CVE-2025-53771 A quick walk-through showing how to decode the payload of recent SharePoint exploits https://isc.sans.edu/diary/Analyzing%20Sharepoint%20Exploits%20%28CVE-2025-53770%2C%20CVE-2025-53771%29/32138 Compromised JavaScript NPM is Package The popular npm package is was compromised by malware. Luckily, the malicious code was found quickly, and it was reversed after about five hours. https://socket.dev/blog/npm-is-package-hijacked-in-expanding-supply-chain-attack Microsoft Quick Machine Recovery Microsoft added a new quick machine recovery feature to Windows 11. If the system is stuck in a reboot loop, it will boot to a rescue partition and attempt to find fixes from Microsoft. https://learn.microsoft.com/en-gb/windows/configuration/quick-machine-recovery/?tabs=intune

Microsoft Updates SharePoint Vulnerability Guidance CVE-2025-53770 and CVE-2025-53771 Microsoft released its update for SharePoint 2016, completing the updates across all currently supported versions. https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/ WinZip MotW Privacy Starting with version 7.10, WinZip introduced an option to no longer include the download URL in zip files as part of the Mark of the Web (MotW). https://isc.sans.edu/diary/WinRAR%20MoTW%20Propagation%20Privacy/32130 Interlock Ransomware Several government agencies collaborated to create an informative and comprehensive overview of the Interlock ransomware. Just like prior writeups, this writeup is very informative, including many technical details useful to detect and block this ransomware. https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a Sophos Firewall Updates Sophos patched five different vulnerabilities in its firewalls. Two of them are critical, but these only affect a small percentage of users. https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce

Microsoft Released Patches for SharePoint Vulnerability CVE-2025-53770 CVE-2025-53771 Microsoft released a patch for the currently exploited SharePoint vulnerability. It also added a second CVE number identifying the authentication bypass vulnerability. https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/ How Quickly Are Systems Patched? Jan took Shodan data to check how quickly recent vulnerabilities were patched. The quick answer: Not fast enough. https://isc.sans.edu/diary/How%20quickly%20do%20we%20patch%3F%20A%20quick%20look%20from%20the%20global%20viewpoint/32126 HP Enterprise Instant On Access Points Vulnerability HPE patched two vulnerabilities in its Instant On access points (aka Aruba). One allows for authentication bypass, while the second one enables arbitrary code execution as admin. https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04894en_us Revealing the AppLocker Bypass Risks in The Suggested Block-list Policy AppLocker sample policies suffer from a simple bug that may enable some rule bypass, but only if signatures are not enforced. While reviewing Microsoft s suggested configuration, Varonis Threat Labs noticed a subtle but important issue: the MaximumFileVersion field was set to 65355 instead of the expected 65535. https://www.varonis.com/blog/applocker-bypass-risks Ghost Crypt Malware Leverages Zoho WorkDrive The Ghost malware tricks users into downloading by sending links to Zoho WorkDrive locations. https://www.esentire.com/blog/ghost-crypt-powers-purerat-with-hypnosis

SharePoint Servers Exploited via 0-day CVE-2025-53770 Late last week, CodeWhite found a new remote code execution exploit against SharePoint. This vulnerability is now actively exploited. https://isc.sans.edu/diary/Critical+Sharepoint+0Day+Vulnerablity+Exploited+CVE202553770+ToolShell/32122/ Veeam Voicemail Phishing Attackers appear to impersonate VEEAM in recent voicemail-themed phishing attempts. https://isc.sans.edu/diary/Veeam%20Phishing%20via%20Wav%20File/32120 Passkey Phishing Attack A currently active phishing attack takes advantage of the ability to use QR codes to complete the Passkey login procedure https://expel.com/blog/poisonseed-downgrading-fido-key-authentications-to-fetch-user-accounts/

Hiding Payloads in Linux Extended File Attributes Xavier today looked at ways to hide payloads on Linux, similar to how alternate data streams are used on Windows. Turns out that extended file attributes do the trick, and he presents some scripts to either hide data or find hidden data. https://isc.sans.edu/diary/Hiding%20Payloads%20in%20Linux%20Extended%20File%20Attributes/32116 Cisco Patches Critical Identity Services Engine Flaw CVE-2025-20281, CVE-2025-20337, CVE-2025-20282 An unauthenticated user may execute arbitrary code as root across the network due to improperly validated data in Cisco s Identity Services Engine. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6 Oracle Critical Patch Update Oracle patched 309 flaws across 111 products. 9 of these vulnerabilities have a critical CVSS score of 9.0 or higher. https://www.oracle.com/security-alerts/cpujul2025.html Broadcom releases VMware Updates Broadcom fixed a number of vulnerabilities for ESXi, Workstation, Fusion, and Tools. https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35877

More Free File Sharing Services Abuse The free file-sharing service catbox.moe is abused by malware. While it officially claims not to allow hosting of executables, it only checks extensions and is easily abused https://isc.sans.edu/diary/More%20Free%20File%20Sharing%20Services%20Abuse/32112 Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor A group Google identifies as UNC6148 is exploiting the Sonicwall SMA 100 series appliance. The devices are end of life, but even fully patched devices are exploited. Google assumes that these devices are compromised because credentials were leaked during prior attacks. The attacker installs the OVERSTEP backdoor after compromising the device. https://cloud.google.com/blog/topics/threat-intelligence/sonicwall-secure-mobile-access-exploitation-overstep-backdoor Weaponizing Trust in File Rendering Pipelines RenderShock is a comprehensive zero-click attack strategy that targets passive file preview, indexing, and automation behaviours in modern operating systems and enterprise environments. It leverages built-in trust mechanisms and background processing in file systems, email clients, antivirus tools, and graphical user interfaces to deliver payloads without requiring any user interaction. https://www.cyfirma.com/research/rendershock-weaponizing-trust-in-file-rendering-pipelines/

Keylogger Data Stored in an ADS Xavier came across a keystroke logger that stores data in alternate data streams. The data includes keystroke logs as well as clipboard data https://isc.sans.edu/diary/Keylogger%20Data%20Stored%20in%20an%20ADS/32108 Malvertising Homebrew An attacker has been attempting to trick users into installing a malicious version of Homebrew. The fake software is advertised via paid Google ads and directs users to the attacker s GitHub repo. https://medium.com/deriv-tech/brewing-trouble-dissecting-a-macos-malware-campaign-90c2c24de5dc CVE-2025-5333: Remote Code Execution in Broadcom Altiris IRM LRQA have discovered a critical unauthenticated remote code execution (RCE) vulnerability in the Broadcom Symantec Altiris Inventory Rule Management (IRM) component of Symantec Endpoint Management. https://www.lrqa.com/en/cyber-labs/remote-code-execution-in-broadcom-altiris-irm/ Code highlighting with Cursor AI for $500,000 A syntax highlighting extension for Cursor AI was used to compromise a developer s workstation and steal $500,000 in cryptocurrency. https://securelist.com/open-source-package-for-cursor-ai-turned-into-a-crypto-heist/116908/

DShield Honeypot Log Volume Increase Within the last few months, there has been a dramatic increase in honeypot log volumes and how often these high volumes are seen. This has not just been from Jesse s residential honeypot, which has historically seen higher log volumes, but from all of the honeypots that Jesse runs. https://isc.sans.edu/diary/DShield+Honeypot+Log+Volume+Increase/32100 Google and Microsoft Trusted Them. 2.3 Million Users Installed Them. They Were Malware. Koi Security s investigation of a single verified color picker exposed a coordinated campaign of 18 malicious extensions that infected a massive 2.3 million users across Chrome and Edge. https://blog.koi.security/google-and-microsoft-trusted-them-2-3-million-users-installed-them-they-were-malware-fb4ed4f40ff5 RDP Forensics Comprehensive overview of Windows RDP Forensics https://medium.com/@mathias.fuchs/chasing-ghosts-over-rdp-lateral-movement-in-tiny-bitmaps-328d2babd8ec

Experimental Suspicious Domain Feed Our new experimental suspicious domain feed uses various criteria to identify domains that may be used for phishing or other malicious purposes. https://isc.sans.edu/diary/Experimental%20Suspicious%20Domain%20Feed/32102 Wing FTP Server RCE Vulnerability Exploited CVE-2025-47812 Huntress saw active exploitation of Wing FTP Server remote code execution (CVE-2025-47812) on a customer on July 1, 2025. Organizations running Wing FTP Server should update to the fixed version, version 7.4.4, as soon as possible. https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/ FortiWeb Pre-Auth RCE (CVE-2025-25257) An exploit for the FortiWeb RCE Vulnerability is now available and is being used in the wild. https://pwner.gg/blog/2025-07-10-fortiweb-fabric-rce NVIDIA Vulnerable to Rowhammer NVIDIA has received new research related to the industry-wide DRAM issue known as Rowhammer . The research demonstrates a potential Rowhammer attack against an NVIDIA A6000 GPU with GDDR6 Memory. The purpose of this notice is to reinforce already known mitigations to Rowhammer attacks. https://nvidia.custhelp.com/app/answers/detail/a_id/5671/~/security-notice%3A-rowhammer---july-2025

SSH Tunneling in Action: direct-tcp requests Attackers are compromising ssh servers to abuse them as relays. The attacker will configure port forwarding direct-tcp connections to forward traffic to a victim. In this particular case, the Yandex mail server was the primary victim of these attacks. https://isc.sans.edu/diary/SSH%20Tunneling%20in%20Action%3A%20direct-tcp%20requests%20%5BGuest%20Diary%5D/32094 Fortiguard FortiWeb Unauthenticated SQL injection in GUI (CVE-2025-25257) An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests. https://www.fortiguard.com/psirt/FG-IR-25-151 Ruckus Virtual SmartZone (vSZ) and Ruckus Network Director (RND) contain multiple vulnerabilities Ruckus products suffer from a number of critical vulnerabilities. There is no patch available, and users are advised to restrict access to the vulnerable admin interface. https://kb.cert.org/vuls/id/613753

Setting up Your Own Certificate Authority for Development: Why and How. Some tips on setting up your own internal certificate authority using the smallstep CA. https://isc.sans.edu/diary/Setting%20up%20Your%20Own%20Certificate%20Authority%20for%20Development%3A%20Why%20and%20How./32092 Animation-Driven Tapjacking on Android Attackers can use a click-jacking like trick to trick victims into clicking on animated transparent dialogs opened from other applications. https://taptrap.click/usenix25_taptrap_paper.pdf Adobe Patches Adobe patched 13 different products yesterday. Most concerning are vulnerabilities in Coldfusion that include code execution and arbitrary file disclosure vulnerabilities. https://helpx.adobe.com/security/security-bulletin.html