Episodios

  • SANS Stormcast Wednesday Apr 16th: File Upload Service Abuse; OpenSSH 10.0 Released; Apache Roller Vuln; Possible CVE Changes (#)

    SANS Stormcast Wednesday Apr 16th: File Upload Service Abuse; OpenSSH 10.0 Released; Apache Roller Vuln; Possible CVE Changes (#)
    Apr 16 2025
    SANS Stormcast Wednesday Apr 16th: File Upload Service Abuse; OpenSSH 10.0 Released; Apache Roller Vuln; Possible CVE Changes Online Services Again Abused to Exfiltrate Data Attackers like to abuse free online services that can be used to exfiltrate data. From the “originals”, like pastebin, to past favorites like anonfiles.com. The latest example is gofile.io. As a defender, it is important to track these services to detect exfiltration early https://isc.sans.edu/diary/Online%20Services%20Again%20Abused%20to%20Exfiltrate%20Data/31862 OpenSSH 10.0 Released OpenSSH 10.0 was released. This release adds quantum-safe ciphers and the separation of authentication services into a separate binary to reduce the authentication attack surface. https://www.openssh.com/releasenotes.html#10.0p1 Apache Roller Vulnerability Apache Roller addressed a vulnerability. Its CVSS score of 10.0 appears inflated, but it is still a vulnerability you probably want to address. https://lists.apache.org/thread/4j906k16v21kdx8hk87gl7663sw7lg7f CVE Funding Changes Mitre’s government contract to operate the CVE system may run out tomorrow. This could lead to a temporary disruption of services, but the system is backed by a diverse board of directors representing many large companies. It is possible that non-government funding sources may keep the system afloat for now. https://www.cve.org/ keywords: cve; mitre; apache; roller; openssh; gofile
    Más Menos
    6 m
  • SANS Stormcast Tuesday April 15th: xorsearch Update; Short Lived Certificates; New USB Malware (#)

    SANS Stormcast Tuesday April 15th: xorsearch Update; Short Lived Certificates; New USB Malware (#)
    Apr 15 2025
    SANS Stormcast Tuesday April 15th: xorsearch Update; Short Lived Certificates; New USB Malware xorsearch Update Diedier updated his "xorsearch" tool. It is now a python script, not a compiled binary, and supports Yara signatures. With Yara support also comes support for regular expressions. https://isc.sans.edu/diary/xorsearch.py%3A%20Searching%20With%20Regexes/31854 Shorter Lived Certificates The CA/Brower Forum passed an update to reduce the maximum livetime of certificates. The reduction will be implemented over the next four years. EFF also released an update to certbot introducing profiles that can be used to request shorter lived certificates. https://www.eff.org/deeplinks/2025/04/certbot-40-long-live-short-lived-certs https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/bvWh5RN6tYI New Malware Harvesting Data from USB drives and infecting them. Kaspersky is reporting that they identified new malware that not only harvests data from USB drives, but also spread via USB drives by replacing existing documents with malicious files. https://securelist.com/goffee-apt-new-attacks/116139/ keywords: goffee; usb; malware; russia; kaspersky; certificates; certbot; eff; xorsearch; yara
    Más Menos
    6 m
  • SANS Stormcast Monday April 14th: Langlow AI Attacks; Fortinet Attack Cleanup; MSFT Inetpub; (#)

    SANS Stormcast Monday April 14th: Langlow AI Attacks; Fortinet Attack Cleanup; MSFT Inetpub; (#)
    Apr 14 2025
    SANS Stormcast Monday April 14th: Langlow AI Attacks; Fortinet Attack Cleanup; MSFT Inetpub; Exploit Attempts for Recent Langflow AI Vulnerability (CVE-2025-3248) After spotting individaul attempts to exploit the recent Langflow vulnerability late last weeks, we now see more systematic internet wide scans attempting to verify the vulnerability. https://isc.sans.edu/forums/diary/Exploit+Attempts+for+Recent+Langflow+AI+Vulnerability+CVE20253248/31850/ Fortinet Analysis of Threat Actor Activity Fortinet oberved recent vulnerablities in its devices being used to add a symlink to ease future compromise. The symlink is not removed by prior patches, and Fortinet released additional updates to detect and remove this attack artifact. https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-activity MSFT Inetpub Microsoft clarrified that its April patches created the inetpub directory on purpose. Users should not remove it. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204#exploitability SANSFIRE https://isc.sans.edu/j/sansfire keywords: sansfire; inetpub; fortinet; langflow
    Más Menos
    7 m
  • SANS Stormcast Friday April 11th: Network Infraxploit; Windows Hello Broken; Dell Update; Langflow Exploit (#)

    SANS Stormcast Friday April 11th: Network Infraxploit; Windows Hello Broken; Dell Update; Langflow Exploit (#)
    Apr 10 2025
    SANS Stormcast Friday April 11th: Network Infraxploit; Windows Hello Broken; Dell Update; Langflow Exploit Network Infraxploit Our undergraduate intern, Matthew Gorman, wrote up a walk through of CVE-2018-0171, an older Cisco vulnerability, that is still actively being exploited. For example, VOLT TYPHOON recently exploited this problem. https://isc.sans.edu/diary/Network+Infraxploit+Guest+Diary/31844 Windows Update Issues / Windows 10 Update Microsoft updated its "Release Health" notes with details regarding issues users experiences with Windows Hello, Citrix, and Roblox. Microsoft also released an emergency update for Office 2016 which has stability problems after applying the most recent update. https://support.microsoft.com/en-us/topic/april-8-2025-kb5055523-os-build-26100-3775-277a9d11-6ebf-410c-99f7-8c61957461eb https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#3521 https://support.microsoft.com/en-us/topic/april-10-2025-update-for-office-2016-kb5002623-d60c1f31-bb7c-4426-b8f4-69186d7fc1e5 Dell Updates Dell releases critical updates for it's Powerscale One FS product. In particular, it fixes a default password problem. https://www.dell.com/support/kbdoc/en-us/000300860/dsa-2025-119-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities Langflow Vulnerablity (possible exploit scans sighted) CVE-2025-3248 Langflow addressed a critical vulnerability end of March. This writeup by Horizon3 demonstrates how the issue is possibly exploited. We have so far seen one "hit" in our honeypot logs for the vulnerable API endpoint URL. https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai/ keywords: langfow; dell; windows; updates; infraxploit; cisco;
    Más Menos
    6 m
  • SANS Stormcast ThursdayApril 10th: Getting Past PyArmor; CenterStack RCE; Android 0-Day Patch; VMware Tanzu Patches; Odd Win11 Directory; WhatsApp File Confusion; SANS AI Guide; (#)

    SANS Stormcast ThursdayApril 10th: Getting Past PyArmor; CenterStack RCE; Android 0-Day Patch; VMware Tanzu Patches; Odd Win11 Directory; WhatsApp File Confusion; SANS AI Guide; (#)
    Apr 9 2025
    SANS Stormcast ThursdayApril 10th: Getting Past PyArmor; CenterStack RCE; Android 0-Day Patch; VMware Tanzu Patches; Odd Win11 Directory; WhatsApp File Confusion; SANS AI Guide; Getting Past PyArmor PyArmor is a python obfuscation tool used for malicious and non-malicious software. Xavier is taking a look at a sample to show what can be learned from these obfuscated samples with not too much work. https://isc.sans.edu/diary/Obfuscated%20Malicious%20Python%20Scripts%20with%20PyArmor/31840 CenterStack RCE CVE-2025-30406 Gladinet’s CenterStack secure file-sharing software suffers from an inadequately protected machine key vulnerability that can be used to modify ViewState data. This vulnerability may lead to remote code execution, which is already exploited. https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf Google Patches two zero-day vulnerabilities CVE-2024-53150 CVE-2024-53197 Google released its monthly patches for Android. Two of the patched vulnerabilities are already exploited. One of them was used by Serbian law enforcement. https://www.malwarebytes.com/blog/news/2025/04/google-fixes-two-actively-exploited-zero-day-vulnerabilities-in-android Broadcom VMWare Tenzu Updates Broadcom released updates for VMWare Tenzu. Many vulnerabilities affect the backup component and allow for arbitrary command execution. https://support.broadcom.com/web/ecx/security-advisory? Windows 11 April Update ads inetpub directory The April Windows 11 update appears to create a new /inetpub directory. It is unclear why, and removing it appears to have no bad effects. https://www.bleepingcomputer.com/news/microsoft/windows-11-april-update-unexpectedly-creates-new-inetpub-folder/ WhatsApp File Type Confusion/Spoofing WhatsApp patched a file type confusion vulnerability. A victim may be tricked into downloading n https://www.whatsapp.com/security/advisories/2025/ SANS Critical AI Security Guidelines https://www.sans.org/mlp/critical-ai-security-guidelines keywords: sans; ai; guidelines; whatsapp; inetpub; vmware; tenzu; google; android; 0-day; centerstrack; pyarmor
    Más Menos
    7 m
  • SANS Stormcast Tuesday, April 8th: Microsoft Patch Tuesday; Adobe Patches; OpenSSL 3.5 with PQC; Fortinet (#)

    SANS Stormcast Tuesday, April 8th: Microsoft Patch Tuesday; Adobe Patches; OpenSSL 3.5 with PQC; Fortinet (#)
    Apr 9 2025
    SANS Stormcast Tuesday, April 8th: Microsoft Patch Tuesday; Adobe Patches; OpenSSL 3.5 with PQC; Fortinet Microsoft Patch Tuesday Microsoft patched over 120 vulnerabilities this month. 11 of these were rated critical, and one vulnerability is already being exploited. https://isc.sans.edu/diary/Microsoft%20April%202025%20Patch%20Tuesday/31838 Adobe Updates Adobe released patches for 12 different products. In particular important are patches for Coldfusion addressing several remote code execution vulnerabilities. Adobe Commercse got patches as well, but none of the vulnerabilities are rated critical. https://helpx.adobe.com/security/security-bulletin.html OpenSSL 3.5 Released OpenSSL 3.5 was released with support to post quantum ciphers. This is a long term support release. https://groups.google.com/a/openssl.org/g/openssl-project/c/9ZYdIaExmIA Fortiswitch Update Fortinet released an update for Fortiswitch addressing a vulnerability that may be used to reset a password without verification. https://fortiguard.fortinet.com/psirt/FG-IR-24-435 keywords: fortinet; fortiswitch; adobe; commerce; coldfusion; microsoft; patches
    Más Menos
    7 m
  • SANS Stormcast Tuesday, April 8th: (#)

    SANS Stormcast Tuesday, April 8th: (#)
    Apr 8 2025
    SANS Stormcast Tuesday, April 8th: XORsearch: Searching With Regexes Didier explains a workaround to use his tool XORsearch to search for regular expressions instead of simple strings. https://isc.sans.edu/diary/XORsearch%3A%20Searching%20With%20Regexes/31834 MCP Security Notification: Tool Poisoning Attacks Invariant labs summarized a critical weakness in the Model Context Protocol (MCP) that allows for "Tool Poisoning Attacks." Many major providers such as Anthropic and OpenAI, workflow automation systems like Zapier, and MCP clients like Cursor are susceptible to this attack https://invariantlabs.ai/blog/mcp-security-notification-tool-poisoning-attacks Making :visited more private Google Chrome changed how links are marked as “visited”. This new “partitioning” scheme was introduced to improve privacy. Instead of marking a link as “visited” on any page where it is displayed, it is only marked as visited if the user clicks on the link while visiting the particular site where the link is displayed. https://developer.chrome.com/blog/visited-links keywords: xorsearch; regular expression; regex; mcp; agentic; model context protocol; vistied; chrome; privacy
    Más Menos
    6 m
  • SANS Stormcast Monday April 7th 2025: New Username Report; Quickshell Vulnerability; Apache Traffic Director Request Smuggeling (#)

    SANS Stormcast Monday April 7th 2025: New Username Report; Quickshell Vulnerability; Apache Traffic Director Request Smuggeling (#)
    Apr 6 2025
    SANS Stormcast Monday April 7th 2025: New Username Report; Quickshell Vulnerability; Apache Traffic Director Request Smuggeling New SSH Username Report A new ssh/telnet username reports makes it easier to identify new usernames attackers are using against our telnet and ssh honeypots https://isc.sans.edu/diary/New%20SSH%20Username%20Report/31830 Quickshell Sharing is Caring: About an RCE Attack Chain on Quick Share The Google Quick Share protocol is susceptible to several vulnerabilities that have not yet been fully patched, allowing for some file overwrite issues that could lead to the accidental execution of malicious code. https://www.blackhat.com/asia-25/briefings/schedule/index.html#quickshell-sharing-is-caring-about-an-rce-attack-chain-on-quick-share-43874 Apache Traffic Director Request Smuggling Vulnerability https://www.openwall.com/lists/oss-security/2025/04/02/4 keywords: apache; request smuggling; quickshell; quick share; ssh; usernames
    Más Menos
    6 m
adbl_web_global_use_to_activate_webcro768_stickypopup