SANS Stormcast Tuesday, June 24th, 2025: Ichano ATHome IP Camera Scans; Netscaler Vulnerability; WinRar Vulnerability
Scans for Ichano AtHome IP Cameras
A couple of days ago, a few sources started scanning for the username super_yg and the password 123. This credential pair is associated with Ichano IP camera software.
https://isc.sans.edu/diary/Scans%20for%20Ichano%20AtHome%20IP%20Cameras/32062
Critical Netscaler Security Update CVE-2025-5777
CVE-2025-5777 is a critical severity vulnerability impacting NetScaler Gateway, i.e. it applies if NetScaler has been configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.
https://www.netscaler.com/blog/news/critical-security-updates-for-netscaler-netscaler-gateway-and-netscaler-console/
WinRar Vulnerability CVE-2025-6218
WinRar may be tricked into extracting files into attacker-determined locations, possibly leading to remote code execution.
https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=276&cHash=b5165454d983fc9717bc8748901a64f9
--------
SANS Stormcast Monday, June 23rd, 2025: ADS and Python; More Secure Cloud PCs; Zend.to Path Traversal; Parser Differentials
ADS & Python Tools
Didier explains how to use his tools cut-bytes.py and filescanner to extract information from alternate data streams.
https://isc.sans.edu/diary/ADS%20%26%20Python%20Tools/32058
Enhanced security defaults for Windows 365 Cloud PCs
Microsoft announced more secure default configurations for its Windows 365 Cloud PC offerings.
https://techcommunity.microsoft.com/blog/windows-itpro-blog/enhanced-security-defaults-for-windows-365-cloud-pcs/4424914
CVE-2025-34508: Another File Sharing Application, Another Path Traversal
Horizon3 reveals details of a recently patched directory traversal vulnerability in zend.to.
https://horizon3.ai/attack-research/attack-blogs/cve-2025-34508-another-file-sharing-application-another-path-traversal/
Unexpected security footguns in Go's parsers
Go parsers for JSON and XML are not always compatible with other implementations and can parse data in unexpected ways. This blog post by Trail of Bits goes over the various security implications of this behaviour.
https://blog.trailofbits.com/2025/06/17/unexpected-security-footguns-in-gos-parsers/
--------
SANS Stormcast Friday, June 20th, 2025: New Employee Phishing; Malicious Tech Support Links; Social Engineering App Specific Passwords
How Long Until the Phishing Starts? About Two Weeks
After setting up a Google Workspace and adding a new user, it took only two weeks for the new employee to receive somewhat targeted phishing emails.
https://isc.sans.edu/diary/How%20Long%20Until%20the%20Phishing%20Starts%3F%20About%20Two%20Weeks/32052
Scammers hijack websites of Bank of America, Netflix, Microsoft, and more to insert fake phone numbers
Scammers are placing Google ads that point to legitimate companies' sites, but are injecting malicious text into the page advertising fake tech support numbers.
https://www.malwarebytes.com/blog/news/2025/06/scammers-hijack-websites-of-bank-of-america-netflix-microsoft-and-more-to-insert-fake-phone-number
What's in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia
Targeted attacks are tricking victims into creating app-specific passwords to Google resources.
https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia
--------
SANS Stormcast Monday, June 16th, 2025: Extracting Data from JPEG; Windows Recall Export; Anubis Wiper; Mitel Vuln and PoC
Extracting Data From JPEGs
Didier shows how to efficiently extract data from JPEGs using his tool jpegdump.py.
https://isc.sans.edu/diary/A%20JPEG%20With%20A%20Payload/32048
Windows Recall Export in Europe
In its latest insider build for Windows 11, Microsoft is testing an export feature for data stored by Recall. The feature is limited to European users and requires that you note an encryption key that will be displayed only once as Recall is enabled.
https://blogs.windows.com/windows-insider/2025/06/13/announcing-windows-11-insider-preview-build-26120-4441-beta-channel/
Anubis Ransomware Now Wipes Data
The Anubis ransomware, usually known for standard double extortion, is now also wiping data, preventing any recovery even if you pay the ransom.
https://www.trendmicro.com/en_us/research/25/f/anubis-a-closer-look-at-an-emerging-ransomware.html
Mitel Vulnerabilities CVE-2025-47188
Mitel this week patched a critical path traversal vulnerability (sadly, no CVE), and Infoguard Labs published a PoC exploit for an older file upload vulnerability.
https://labs.infoguard.ch/posts/cve-2025-47188_mitel_phone_unauthenticated_rce/
https://www.mitel.com/support/mitel-product-security-advisory-misa-2025-0007
--------
SANS Stormcast Monday, June 16th, 2025: Katz Stealer in JPG; JavaScript Attacks; Reviving expired Discord Invites for Evil
Katz Stealer in JPG
Xavier found some multistage malware that uses an Excel spreadsheet and an HTA file to load an image with an embedded copy of Katz Stealer.
https://isc.sans.edu/diary/More+Steganography/32044
JavaScript obfuscated with JSF*CK is being used on over 200,000 websites to direct victims to malware.
https://unit42.paloaltonetworks.com/malicious-javascript-using-jsfiretruck-as-obfuscation/
Expired Discord Invite Links Used for Malware Distribution
Expired Discord invite links are revived as vanity links to direct victims to malware sites.
https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery/
About SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
A brief daily summary of what is important in information security. The podcast is published every weekday and designed to get you ready for the day with a brief, usually 5-minute, summary of current network security related events. The content is late-breaking, educational and based on listener input as well as on input received by the SANS Internet Stormcenter. You may submit questions and comments via our contact form at https://isc.sans.edu/contact.html.