Sign up to save your podcastsEmail addressPasswordRegisterOrContinue with GoogleAlready have an account? Log in here.
A brief daily summary of what is important in information security. The podcast is published every weekday and designed to get you ready for the day with a brief, usually 5 minutes long summary of cur... more
FAQs about SANS Stormcast: Daily Cyber Security News:How many episodes does SANS Stormcast: Daily Cyber Security News have?The podcast currently has 1,027 episodes available.
May 16, 2025SANS Stormcast Friday, May 16th: Increase in Sonicwall Scans; RVTools Compromised?; RountPress Web Scanning SonicWall for CVE-2021-20016 - Update Scans for SonicWall increased by an order of magnitude over the last couple of weeks. Many of the attacks appear to originate from Global Host , a low-cost virtual hosting provider.https://isc.sans.edu/diary/Web%20Scanning%20SonicWall%20for%20CVE-2021-20016%20-%20Update/31952 Google Update Patches Exploited Chrome Flaw Google released an update for Chrome. The update fixes two specific flaws reported by external researchers, CVE-2025-4664 and CVE-2025-4609. The first flaw is already being exploited in the wild.https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_14.htmlhttps://x.com/slonser_/status/1919439373986107814 RVTools Bumblebee Malware Attack Zerodaylabs published its analysis of the RV-Tools Backdoor attack. It suggests that this may not be solely a search engine optimization campaign directing victims to the malicious installer, but that the RVTools distribution site was compromised.https://zerodaylabs.net/rvtools-bumblebee-malware/ Operation RoundPress ESET Security wrote up a report summarizing recent XSS attacks against open-source webmail systemshttps://www.welivesecurity.com/en/eset-research/operation-roundpress/...more7minPlay
May 15, 2025SANS Stormcast Thursday, May 15th: Google Open Redirects; Adobe, Ivanti, and Samsung patches Another day, another phishing campaign abusing google.com open redirects Google s links from it s maps page to hotel listings do suffer from an open redirect vulnerability that is actively exploited to direct users to phishing pages.https://isc.sans.edu/diary/Another%20day%2C%20another%20phishing%20campaign%20abusing%20google.com%20open%20redirects/31950 Adobe Patches Adobe patched 12 different applications. Of particular interest is the update to ColdFusion, which fixes several arbitrary code execution and arbitrary file read problems.https://helpx.adobe.com/security/security-bulletin.html Samsung Patches magicInfo 9 Again Samsung released a new patch for the already exploited magicInfo 9 CMS vulnerability. While the description is identical to the patch released last August, a new CVE number is used.https://security.samsungtv.com/securityUpdates#SVP-MAY-2025 Ivanti Patches Critical Ivanti Neurons Flaw Ivanti released a patch for Ivanti Neurons for ITSM (on-prem only) fixing a critical authentication bypass vulnerability. Ivanti also points to its guidance to secure the underlying IIS server to make exploitation of flaws like this more difficult...more7minPlay
May 14, 2025SANS Stormcast Wednesday, May 14th: Microsoft Patch Tuesday; 0-Days patched for Ivanti Endpoint Manager and Fortinet Products Microsoft Patch Tuesday Microsoft patched 70-78 vulnerabilities (depending on how you count them). Five of these vulnerabilities are already being exploited. In particular, a remote code execution vulnerability in the scripting engine should be taken seriously. It requires the Microsoft Edge browser to run in Internet Explorer mode.https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%3A%20May%202025/31946 Security Advisory Ivanti Endpoint Manager Mobile (EPMM) May 2025 (CVE-2025-4427 and CVE-2025-4428) Ivanti patched an authentication bypass vulnerability and a remote code execution vulnerability. The authentication bypass can exploit the remote code execution vulnerability without authenticating first.https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US Fortinet Patches Exploited Vulnerability in API (CVE-2025-32756) Fortinet patched an already exploited stack-based buffer overflow vulnerability in the API of multiple Fortinet products. The vulnerability is exploited via crafted HTTP requests.https://fortiguard.fortinet.com/psirt/FG-IR-25-254...more7minPlay
May 13, 2025SANS Stormcast Tuesday, May 12th: Apple Patches; Unipi Technologies Scans; Apple Updates Everything Apple patched all of its operating systems. This update ports a patch for a recently exploited vulnerability to older versions of iOS and macOS.https://isc.sans.edu/diary/31942 It Is 2025, And We Are Still Dealing With Default IoT Passwords And Stupid 2013 Router Vulnerabilities Versions of the Mirai botnet are attacking devices made by Unipi Technology. These devices are using a specific username and password combination. In addition, this version of the Mirai botnet will also attempt exploits against an old Netgear vulnerability.https://isc.sans.edu/diary/It%20Is%202025%2C%20And%20We%20Are%20Still%20Dealing%20With%20Default%20IoT%20Passwords%20And%20Stupid%202013%20Router%20Vulnerabilities/31940 Output Messenger Vulnerability The internal messenger application Output Messenger is currently used in sophisticated attacks. Attackers are exploiting a path traversal vulnerability that has not been fixed.https://www.outputmessenger.com/cve-2025-27920/ Commvault Correction Commvault s patch indeed fixes the recent vulnerability. The Pioneer Release Will Dormann used to experiment will only offer patches after it has been registered, which leads to an error when assessing the patch s efficacy. https://www.darkreading.com/application-security/commvault-patch-works-as-intended...more7minPlay
May 12, 2025SANS Stormcast Monday, May 11th: Steganography Challenge; End-of-Life Routers; ASUS Driverhub; RV-Tools SEO Poisoning Steganography Challenge Didier revealed the solution to last weekend s cryptography challenge. The image used the same encoding scheme as Didier described before, but the columns and rows were transposed.https://isc.sans.edu/forums/diary/Steganography%20Challenge%3A%20My%20Solution/31912/ FBI Warns of End-of-life routers The FBI is tracking larger botnets taking advantage of unpatched routers. Many of these routers are end-of-life, and no patches are available for the exploited vulnerabilities. The attackers are turning the devices into proxies, which are resold for various criminal activities.https://www.ic3.gov/PSA/2025/PSA250507 ASUS Driverhub Vulnerability ASUS Driverhub software does not properly check the origin of HTTP requests, allowing a CSRF attack from any website leading to arbitrary code execution.https://mrbruh.com/asusdriverhub/ RV-Tools SEO Poisoning Varonis Threat Labs observed SEO poisoning being used to trick system administrators into installing a malicious version of RV Tools. The malicious version includes a remote access tool leading to the theft of credentialshttps://www.varonis.com/blog/seo-poisoning#initial-access-and-persistence...more7minPlay
May 09, 2025SANS Stormcast Friday, May 9th: SSH Exfil Tricks; magicINFO still vulnerable; SentinelOne Vulnerability; Commvault insufficient patch No Internet Access: SSH to the Rescue If faced with restrictive outbound network access policies, a single inbound SSH connection can quickly be turned into a tunnel or a full-blown VPNhttps://isc.sans.edu/diary/No%20Internet%20Access%3F%20SSH%20to%20the%20Rescue!/31932 SAMSUNG magicINFO 9 Server Flaw Still exploitable The SAMSUNG magicINFO 9 Server Vulnerability we found being exploited last week is apparently still not completely patched, and current versions are vulnerable to the exploit observed in the wild.https://www.huntress.com/blog/rapid-response-samsung-magicinfo9-server-flaw Bring Your Own Installer: Bypassing SentinelOne Through Agent Version Change Interruption SentinelOne s installer is vulnerable to an exploit allowing attackers to shut down the end point protection softwarehttps://www.aon.com/en/insights/cyber-labs/bring-your-own-installer-bypassing-sentinelone Commvault Still Exploitable A recent patch for Commvault is apparently ineffective and the PoC exploit published by watchTowr is still working against up to date patched systemshttps://infosec.exchange/@wdormann/114458913006792356...more5minPlay
May 08, 2025SANS Stormcast Thursday, May 8th: Modular Malware; Sysaid Vuln; Cisco Wireless Controller Patch; Unifi Protect Camera Patch Example of Modular Malware Xavier analyzes modular malware that downloads DLLs from GitHub if specific features are required. In particular, the webcam module is inspected in detail. https://isc.sans.edu/diary/Example%20of%20%22Modular%22%20Malware/31928 Sysaid XXE Vulnerabilities IT Service Management Software Sysaid patched a number of XXE vulnerabilities. Without authentication, an attacker is able to obtain confidential data and completely compromise the system. watchTowr published a detailed analysis of the flaws including exploit code. https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/ Cisco IOS XE Wireless Controller Software Arbitrary File Upload Vulnerability Cisco Patched a vulnerability in its wireless controller software that may be used to not only upload files but also execute code as root without authentication.https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC Unifi Protect Camera Vulnerability Ubiquity patched a vulnerability in its Protect camera firmware fixing a buffer overflow flaw.https://community.ui.com/releases/Security-Advisory-Bulletin-047-047/cef86c37-7421-44fd-b251-84e76475a5bc...more6minPlay
May 07, 2025SANS Stormcast Wednesday, May 7th: Infostealer with Webserver; Android Update; CISA Warning Python InfoStealer with Embedded Phishing Webserver Didier found an interesting infostealer that, in addition to implementing typical infostealer functionality, includes a web server suitable to create local phishing sites.https://isc.sans.edu/diary/Python%20InfoStealer%20with%20Embedded%20Phishing%20Webserver/31924 Android Update Fixes Freetype 0-Day Google released its monthly Android update. As part of the update, it patched a vulnerability in Freetype that is already being exploited. Android is not alone in using Freetype. Freetype is a very commonly used library to parse fonts like Truetype fonts.https://source.android.com/docs/security/bulletin/2025-05-01 CISA Warns of Unsophistacted Cyber Actors CISA released an interesting title report warning operators of operational technology networks of ubiquitous attacks by unsophisticated actors. It emphasizes how important it is to not forget basic security measures to defend against these attacks.https://www.cisa.gov/news-events/alerts/2025/05/06/unsophisticated-cyber-actors-targeting-operational-technology...more7minPlay
May 06, 2025SANS Stormcast Tuesday, May 6th: Mirai Exploiting Samsung magicInfo 9; Kali Signing Key Lost; Mirai Now Exploits Samsung MagicINFO CMS CVE-2024-7399 The Mirai botnet added a new vulnerability to its arsenal. This vulnerability, a file upload and remote code execution vulnerability in Samsung s MagicInfo 9 CMS, was patched last August but attracted new attention last week after being mostly ignored so far.https://isc.sans.edu/diary/Mirai+Now+Exploits+Samsung+MagicINFO+CMS+CVE20247399/31920 New Kali Linux Signing Key The Kali Linux maintainers lost access to the secret key used to sign packages. Users must install a new key that will be used going forward.https://www.kali.org/blog/new-kali-archive-signing-key/ The Risk of Default Configuration: How Out-of-the-Box Helm Charts Can Breach Your Cluster Many out-of-the-box Helm charts for Kubernetes applications deploy vulnerable configurations with exposed ports and no authenticationhttps://techcommunity.microsoft.com/blog/microsoftdefendercloudblog/the-risk-of-default-configuration-how-out-of-the-box-helm-charts-can-breach-your/4409560...more7minPlay
May 05, 2025SANS Stormcast Monday, May 5th: Steganography Challenge; Microsoft Makes Passkeys Default and Moves Away from Authenticator as Password Mana Steganography Challenge Didier published a fun steganography challenge. A solution will be offered on Saturday.https://isc.sans.edu/diary/Steganography+Challenge/31910 Microsoft Makes Passkeys Default Authentication Method Microsoft is now encouraging new users to use Passkeys as the default and only login method, further moving away from passwordshttps://www.microsoft.com/en-us/security/blog/2025/05/01/pushing-passkeys-forward-microsofts-latest-updates-for-simpler-safer-sign-ins/ Microsoft Authenticator Autofill Changes Microsoft will no longer support the use of Microsoft authenticator as a password safe. Instead, it will move users to the password prefill feature built into Microsoft Edge. This change will start in June and should be completed in August at which point you must have moved your credentials out of Microsoft Authenticator https://support.microsoft.com/en-gb/account-billing/changes-to-microsoft-authenticator-autofill-09fd75df-dc04-4477-9619-811510805ab6 Backdoor found in popular e-commerce components SANSEC identified several backdoored Magento e-commerce components. These backdoors were installed as far back as 2019 but only recently activated, at which point they became known. Affected vendors dispute any compromise at this point.https://sansec.io/research/license-backdoor...more6minPlay
FAQs about SANS Stormcast: Daily Cyber Security News:How many episodes does SANS Stormcast: Daily Cyber Security News have?The podcast currently has 1,027 episodes available.