SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

A critical vulnerability in Next.js could allow unauthorized access, raising alarms about middleware verification. The need for immediate patching is emphasized to protect applications. Meanwhile, Microsoft's Trust Signing Service is exploited by attackers to generate signatures for malware. This alarming trend sheds light on the potential dangers of poor verification processes in software development. Understanding these vulnerabilities is crucial for maintaining robust cybersecurity practices.

Discover the latest on data feeds and the impact of a recent SEO scam targeting bloggers. Learn about Veeam's alarming deserialization vulnerability and the insufficient patch that remains a concern. Dive into the critical security risks surrounding IBM's AIX operating system, where an unauthenticated remote code execution vulnerability poses serious threats. Stay informed and boost your cyber vigilance with these essential updates!

Exploit Attempts for Cisco Smart Licensing Utility CVE-2024-20439 CVE-2024-20440 Attackers added last September's Cisco Smart Licensing Utility vulnerability to their toolset. These attacks orginate most likely from botnets and the same attackers are scanning for a wide range of additional vulnerabilities. The vulnerability is a static credential issue and trivial to exploit after the credentials were published last fall. https://isc.sans.edu/diary/Exploit%20Attempts%20for%20Cisco%20Smart%20Licensing%20Utility%20CVE-2024-20439%20and%20CVE-2024-20440/31782 Legacy Driver Exploitation Through Bypassing Certificate Verification Ahnlab documented a new type of "bring your own vulnerable driver" vulnerability. In this case, an old driver used by an anit-malware and anti-rootkit system can be used to shut down arbitrary processeses, including security related processeses. https://asec.ahnlab.com/en/86881/ Synology Vulnerability Updates Synology updates some security advisories it release last year adding addition details and vulnerable systems. https://www.synology.com/en-global/security/advisory/Synology_SA_24_20 https://www.synology.com/en-global/security/advisory/Synology_SA_24_24

Python Bot Delivered Through DLL Side-Loading A "normal", but vulnerable to DLL side-loading PDF reader may be used to launch additional exploit code https://isc.sans.edu/diary/Python%20Bot%20Delivered%20Through%20DLL%20Side-Loading/31778 Tomcat RCE Correction To exploit the Tomcat RCE I mentioned yesterday, two non-default configuration options must be selected by the victim. https://x.com/dkx02668274/status/1901893656316969308 SAML Roulette: The Hacker Always Wins This Portswigger blog explains in detail how to exploit the ruby-saml vulnerablity against GitLab. https://portswigger.net/research/saml-roulette-the-hacker-always-wins Windows Shortcut Zero Day Exploit Attackers are currently taking advantage of an unpatched vulnerability in how Windows displays Shortcut (.lnk file) details. Trendmicro explains how the attack works and provides PoC code. Microsoft is not planning to fix this issue https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html

Dive into the world of cyber threats as they decode GUID-encoded shellcode linked to malware, revealing insights into Cobalt Strike. Explore a critical authentication bypass vulnerability found in Node.js libraries, prompting urgent fixes. Discover a new deserialization flaw in Tomcat that's already under attack, raising alarms about its Java similarities. Lastly, learn how attackers exploit CSS for stealthy user tracking and detection evasion, showcasing the ever-evolving landscape of cyber security.

The podcast dives into the latest antics of the Mirai botnet, which hilariously misconfigured a router exploit. A compromised GitHub action raises alarms, leaking sensitive credentials. The discussion also highlights a ruby-saml authentication bypass caused by a parsing blunder. Additionally, it warns developers about fake GitHub security alerts designed to trick them into granting malicious apps OAUTH privileges. Cybersecurity never sounded so intriguing!

Discover how to analyze file hashes using Microsoft's BI tool, unlocking insights from honeypot data. Dive into the recent Apache Camel vulnerability that allows for easy exploitation via query parameters, raising alarms about arbitrary code execution risks. Learn about Juniper's urgent patch for a previously exploited JunOS vulnerability that threatens complete device compromise. Finally, hear about AMI's security advisory addressing multiple vulnerabilities, including a critical authentication bypass in Redfish, rated with a troubling CVSS score of 10.0.

Attackers are probing login pages for Log4j vulnerabilities, including VMWare's HCX REST API. Recent Apple and Microsoft patches are causing issues, potentially reactivating features users wanted off. Adobe has rolled out critical updates to prevent remote code execution in Acrobat. Plus, CISA has shared valuable insights on Medusa Ransomware, while Zoom addresses several serious flaws with a new update. Stay informed about these urgent cybersecurity threats and software patches!

Microsoft just patched six exploited vulnerabilities, including a critical fix for its DNS server. Apple responded with an update for WebKit vulnerabilities affecting iOS and macOS. The podcast also discusses Espressif’s reassurance about their ESP32 chipsets, clarifying that recent claims of 'backdoors' are related to debug commands and not Bluetooth access. Tune in for insights on these essential security updates!

Shellcode Encoded in UUIDs Attackers are using UUIDs to encode Shellcode. The 128 Bit (or 16 Bytes) encoded in each UUID are converted to shell code to implement a cobalt strike beacon https://isc.sans.edu/diary/Shellcode%20Encoded%20in%20UUIDs/31752 Moxa CVE-2024-12297 Expanded to PT Switches Moxa in January first releast an update to address a fronted authorizaation logic disclosure vulnerability. It now updated the advisory and included the PT series switches as vulenrable. https://www.moxa.com/en/support/product-support/security-advisory/mpsa-241408-cve-2024-12297-frontend-authorization-logic-disclosure-vulnerability-identified-in-pt-switches Opentext Insufficently Protected Credentials https://portal.microfocus.com/s/article/KM000037455?language=en_US Livewire Volt API vulnerability https://github.com/livewire/volt/security/advisories/GHSA-v69f-5jxm-hwvv