

SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
Johannes B. Ullrich
A brief daily summary of what is important in information security. The podcast is published every weekday and designed to get you ready for the day with a brief, usually 5 minute long, summary of current network security related events. The content is late breaking, educational and based on listener input as well as on input received by the SANS Internet Stormcenter. You may submit questions and comments via our contact form at https://isc.sans.edu/contact.html .
Episodes

May 5, 2025 • 6min
SANS Stormcast Monday, May 5th: Steganography Challenge; Microsoft Makes Passkeys Default and Moves Away from Authenticator as Password Manager; Magento Components Backdoored.
A new steganography challenge has listeners decoding hidden messages, with solutions to come soon. Microsoft is pushing Passkeys as the default login method, aiming for a password-free future. Big changes are on the horizon as Microsoft Authenticator will no longer serve as a password safe, shifting users to Edge's password prefill. Meanwhile, alarm bells ring as backdoors in Magento components are discovered, activating after years of dormancy, raising questions about vendor security.

May 2, 2025 • 7min
SANS Stormcast Friday, May 2nd: More Steganography; Malicious Python Packages GMail C2; BEC to Steal Rent Payments
Discover the secrets of steganography as techniques for extracting hidden data from images are unveiled. Learn about a new trend where malicious Python packages exploit Gmail for command and control, posing serious risks to developers. Delve into the alarming tactics used by a French threat actor, targeting property management firms to divert tenant rent payments. This insightful discussion sheds light on pressing cybersecurity challenges and offers strategies for better protection.

May 1, 2025 • 6min
SANS Stormcast Thursday, May 1st: Sonicwall Attacks; Cached Windows RDP Credentials
Recent scans targeting SonicWall vulnerabilities are skyrocketing, possibly linked to brute force attacks. An alarming IPv6-based malware tactic has emerged where attackers use spoofed DNS servers to deliver malicious updates. Additionally, a significant flaw in Windows Remote Desktop Protocol may allow logins using outdated credentials, raising pressing security concerns. Technology enthusiasts and security experts alike will find these breaking developments both intriguing and alarming.

Apr 30, 2025 • 9min
SANS Stormcast Wednesday, April 30th: SMS Attacks; Apple Airplay Vulnerabilities
More Scans for SMS Gateways and APIs
Attackers are not just looking for SMS gateways like the ones targeted by the scans we reported on last week; they are also actively scanning for other APIs and add-on tools that would let them send messages using other people's credentials.
https://isc.sans.edu/diary/More%20Scans%20for%20SMS%20Gateways%20and%20APIs/31902
AirBorne: AirPlay Vulnerabilities
Researchers at Oligo revealed over 20 weaknesses they found in Apple's implementation of the AirPlay protocol. These vulnerabilities can be abused to execute code on, or launch denial-of-service attacks against, affected devices. Apple patched the vulnerabilities in recent updates.
https://www.oligo.security/blog/airborne

Apr 29, 2025 • 8min
SANS Stormcast Tuesday, April 29th: SRUM-DUMP 3; Policy Puppetry; Choice Jacking; @sansinstitute at #RSAC
SRUM-DUMP Version 3: Uncovering Malware Activity in Forensics
Mark Baggett released SRUM-DUMP Version 3. The tool simplifies data extraction from the Windows System Resource Usage Monitor (SRUM). This database records per-application resource usage for 30 days and is invaluable for finding out what software was executed, when it ran, and whether it sent or received network data.
https://isc.sans.edu/diary/SRUM-DUMP%20Version%203%3A%20Uncovering%20Malware%20Activity%20in%20Forensics/31896
Novel Universal Bypass For All Major LLMs
Hidden Layer discovered a new prompt injection technique that bypasses security constraints in large language models.
The technique prefixes the prompt with XML-formatted text that the LLM interprets as a policy file. This "Policy Puppetry" can be used to rewrite some of the security policies configured for LLMs. Unlike other techniques, it works across multiple LLMs without changing the policy text.
https://hiddenlayer.com/innovation-hub/novel-universal-bypass-for-all-major-llms/
CHOICEJACKING: Compromising Mobile Devices through Malicious Chargers like a Decade ago
The old Juice Jacking is back, at least if you do not run the latest version of Android or iOS. This issue may allow a malicious USB device, particularly a USB charger, to take control of a device connected to it.
https://pure.tugraz.at/ws/portalfiles/portal/89650227/Final_Paper_Usenix.pdf
SANS @RSA: https://www.sans.org/mlp/rsac/

Apr 28, 2025 • 8min
SANS Stormcast Monday, April 28th: Image Steganography; SAP Netweaver Exploited
Explore the intriguing world of image steganography, where malware hides within images to bypass network security. Discover a serious vulnerability in SAP NetWeaver, allowing unauthorized file uploads and system access. Recent reports reveal exploitation attempts and the confusion caused by MS Defender's false positives, leading to sensitive document uploads. This episode emphasizes the importance of protecting personal data while navigating malware analysis tools.

Apr 25, 2025 • 7min
SANS Stormcast Friday, April 25th: SMS Gateway Scans; Comvault Exploit; Patch Window Shrinkage; More inetpub issues;
Attacks against Teltonika Networks SMS Gateways
Attackers are actively scanning for SMS Gateways. These attacks take advantage of default passwords and other commonly used passwords.
https://isc.sans.edu/diary/Attacks%20against%20Teltonika%20Networks%20SMS%20Gateways/31888
Commvault Vulnerability CVE-2025-34028
Commvault, about a week ago, published an advisory and a fix for a vulnerability in its backup software. watchTowr has now released a detailed writeup and exploit for the vulnerability.
https://labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/
Exploitation Trends Q1 2025
Vulncheck published a summary of exploitation trends, pointing out that about a quarter of vulnerabilities are exploited a day after a patch is made available.
https://vulncheck.com/blog/exploitation-trends-q1-2025
inetpub directory issues
The inetpub directory introduced by Microsoft in its April patch may allow an attacker to block future Windows patches from being applied: if the attacker can create a junction at that location pointing to an existing system binary like Notepad, subsequent updates fail.
https://doublepulsar.com/microsofts-patch-for-cve-2025-21204-symlink-vulnerability-introduces-another-symlink-vulnerability-9ea085537741

Apr 24, 2025 • 6min
SANS Stormcast Thursday, April 24th: Honeypot iptables Maintenance; XRPL.js Compromise; Erlang/OTP SSH Vuln affecting Cisco
Discover the intricacies of maintaining a honeypot and the importance of dynamic configurations to keep your security measures sharp. Learn about a serious breach in the XRPL.js library, which allowed attackers to steal secret keys through malicious updates. The podcast also highlights a critical vulnerability in the Erlang/OTP SSH library affecting Cisco equipment, emphasizing the urgent need for patches and security vigilance in the tech community.

Apr 23, 2025 • 6min
SANS Stormcast Wednesday, April 23rd: More xorsearch Updates; DKIM Replay Attack; SSL.com Vulnerability Fixed
Discover the latest advancements in cybersecurity tools, including the innovative uses of ad hoc YARA rules for simplified threat detection. Dive into a chilling discussion on a DKIM replay attack that successfully spoofed Google by reusing signatures. The vulnerabilities in SSL.com’s email validation process raise concerns about webmail security and certificate issuance. This podcast delves into these critical topics that shape the future of online safety.

Apr 22, 2025 • 6min
SANS Stormcast Tuesday, April 22nd: Phishing via Google; ChatGPT Fingerprint; Asus AI Cloud Vuln; PyTorch RCE
It's 2025, so why are malicious advertising URLs still going strong?
Phishing attacks continue to take advantage of Google's advertising services. Sadly, this is still the case for obviously malicious links, even after various anti-phishing services flag the URL.
https://isc.sans.edu/diary/It%27s%202025...%20so%20why%20are%20obviously%20malicious%20advertising%20URLs%20still%20going%20strong%3F/31880
ChatGPT Fingerprinting Documents via Unicode
ChatGPT apparently started leaving fingerprints in the text it generates by inserting invisible Unicode characters, such as non-breaking spaces.
https://www.rumidocs.com/newsroom/new-chatgpt-models-seem-to-leave-watermarks-on-text
Asus AI Cloud Security Advisory
Asus warns of a remote code execution vulnerability in its routers. The vulnerability is related to the AI Cloud feature. If your router is EoL and will not receive a fix, disabling the feature mitigates the vulnerability.
https://www.asus.com/content/asus-product-security-advisory/
PyTorch Vulnerability
PyTorch fixed a remote code execution vulnerability that is exploitable when a malicious model is loaded. The issue was exploitable even when the `weights_only=True` setting was selected.
https://github.com/pytorch/pytorch/security/advisories/GHSA-53q9-r3pm-6pq6
