Stealing Machinekeys for fun and profit (or riding the SharePoint wave)
Bojan explains in detail how .NET uses Machine Keys to protect the VIEWSTATE, and how to abuse the VIEWSTATE for code execution if the Machine Keys are lost.
https://isc.sans.edu/diary/Stealing%20Machine%20Keys%20for%20fun%20and%20profit%20%28or%20riding%20the%20SharePoint%20wave%29/32174
Perplexity is using stealth, undeclared crawlers to evade website no-crawl directives
Perplexity will change its User Agent, or use different originating IP addresses, if it detects being blocked from scanning websites
https://blog.cloudflare.com/perplexity-is-using-stealth-undeclared-crawlers-to-evade-website-no-crawl-directives/
Gen 7 SonicWall Firewalls SSLVPN Recent Threat Activity
Over the past 72 hours, there has been a notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSLVPN is enabled.
https://www.sonicwall.com/support/notices/gen-7-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430

Daily Trends Report
A new trends report will bring you daily data highlights via e-mail.
https://isc.sans.edu/diary/New%20Feature%3A%20Daily%20Trends%20Report/32170
NVidia Triton RCE
Wiz found an interesting information leakage vulnerability in NVidia s Triton servers that can be leveraged to remote code execution.
https://www.wiz.io/blog/nvidia-triton-cve-2025-23319-vuln-chain-to-ai-server
Cursor AI MCP Vulnerability
An attacker could abuse negligent Cursor MCP configurations to implement backdoors into developer machines.
https://www.aim.security/lp/aim-labs-curxecute-blogpost

Scans for pop3user with guessable password
A particular IP assigned to a network that calls itself Unmanaged has been scanning telnet/ssh for a user called pop3user with passwords pop3user or 123456 . I assume they are looking for legacy systems that either currently run pop3 or ran pop3 in the past, and left the user enabled.
https://isc.sans.edu/diary/Legacy%20May%20Kill/32166
Possible Sonicwall SSL VPN 0-Day
Arcticwolf observed compromised Sonicwall SSL VPN devices used by the Akira group to install ransomware. These devices were fully patched, and credentials were recently rotated.
https://arcticwolf.com/resources/blog/arctic-wolf-observes-july-2025-uptick-in-akira-ransomware-activity-targeting-sonicwall-ssl-vpn/
PAM Based Linux Backdoor
For over a year, attackers have used a PAM-based Linux backdoor that so far has gotten little attention from anti-malware vendors. PAM-based backdoors can be stealthy, and this one in particular includes various anti-forensics tricks.
https://www.nextron-systems.com/2025/08/01/plague-a-newly-discovered-pam-based-backdoor-for-linux/

Scattered Spider Related Domain Names
A quick demo of our domain feeds and how they can be used to find Scattered Spider related domains
https://isc.sans.edu/diary/Scattered+Spider+Related+Domain+Names/32162
Excel External Workbook Links to Blocked File Types Will Be Disabled by Default
Excel will discontinue allowing links to dangerous file types starting as early as October.
https://support.microsoft.com/en-us/topic/external-workbook-links-to-blocked-file-types-will-be-disabled-by-default-6dd12903-0592-463d-9e68-0741cf62ee58
CISA Releases Thorium
CISA announced that it released its malware analysis platform, Thorium, as open-source software.
https://www.cisa.gov/news-events/alerts/2025/07/31/thorium-platform-public-availability

Securing Firebase: Lessons Re-Learned from the Tea Breach
Inspried by the breach of the Tea app, Brendon Evans recorded a video to inform of Firebase security issues
https://isc.sans.edu/diary/Securing%20Firebase%3A%20Lessons%20Re-Learned%20from%20the%20Tea%20Breach/32158
WebKit Vulnerability Exploited before Apple Patch
A WebKit vulnerablity patched by Apple yesterday has already been exploited in Google Chrome. Google noted the exploit with its patch for the same vulnerability in Chrome.
https://nvd.nist.gov/vuln/detail/CVE-2025-6558
Scattered Spider Update
CISA released an update for its report on Scattered Spider, noting that the group also calls helpdesks impersonating users, not just the other way around.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a

Apple Updates Everything: July 2025 Edition
Apple released updates for all of its operating systems patching 89 different vulnerabilities. Many vulnerabilities apply to multiple operating systems.
https://isc.sans.edu/diary/Apple%20Updates%20Everything%3A%20July%202025/32154
Python Triage
A quick python script by Xavier to efficiently search through files, even compressed once, for indicators of compromise.
https://isc.sans.edu/diary/Triage+is+Key+Python+to+the+Rescue/32152/
PaperCut Attacks
CISA added a 2024 Papercut vulnerability to the known exploited vulnerability list.
https://www.cisa.gov/news-events/alerts/2025/07/28/cisa-adds-three-known-exploited-vulnerabilities-catalog

Parasitic SharePoint Exploits
We are seeing attacks against SharePoint itself and attempts to exploit backdoors left behind by attackers.
https://isc.sans.edu/diary/Parasitic%20Sharepoint%20Exploits/32148
Cisco ISE Vulnerability Exploited
A recently patched vulnerability in Cisco ISE is now being exploited. The Zero Day Initiative has released a blog detailing the exploit chain to obtain code execution as an unauthenticated user.
https://www.zerodayinitiative.com/blog/2025/7/24/cve-2025-20281-cisco-ise-api-unauthenticated-remote-code-execution-vulnerability
MyAsus Vulnerablity
The MyAsus tool does not store its access tokens correctly, potentially providing an attacker with access to sensitive functions
https://www.asus.com/content/security-advisory/

Linux Namespaces
Linux namespaces can be used to control networking features on a process-by-process basis. This is useful when trying to present a different network environment to a process being analysed.
https://isc.sans.edu/diary/Sinkholing%20Suspicious%20Scripts%20or%20Executables%20on%20Linux/32144
Coyote in the Wild: First-Ever Malware That Abuses UI Automation
Akamai identified malware that takes advantage of Microsoft s UI Automation Framework to programatically interact with the user s system and steal credentials.
https://www.akamai.com/blog/security-research/active-exploitation-coyote-malware-first-ui-automation-abuse-in-the-wild
Testing REST APIs with Autoswagger
The tool Autoswagger can be used to automate the testing of REST APIs following the OpenAPI/Swagger standard.
https://github.com/intruder-io/autoswagger/

New File Integrity Tool: ficheck.py
Jim created a new tool, ficheck.py, that can be used to verify file integrity. It is a drop-in replacement for an older tool, fcheck, which was written in Perl and no longer functions well on modern Linux distributions.
https://isc.sans.edu/diary/New%20Tool%3A%20ficheck.py/32136
Mitel Vulnerability
Mitel released a patch for a vulnerability in its MX-ONE product. The authentication bypass could provide an attacker with user or even admin privileges.
https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2025-0009
SonicWall SMA 100 Vulnerability
SonicWall fixed an arbitrary file upload issue in its SMA 100 series firewalls. But exploitation will require credentials.
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0014

Reversing SharePoint Toolshell Exploits CVE-2025-53770 and CVE-2025-53771
A quick walk-through showing how to decode the payload of recent SharePoint exploits
https://isc.sans.edu/diary/Analyzing%20Sharepoint%20Exploits%20%28CVE-2025-53770%2C%20CVE-2025-53771%29/32138
Compromised JavaScript NPM is Package
The popular npm package is was compromised by malware. Luckily, the malicious code was found quickly, and it was reversed after about five hours.
https://socket.dev/blog/npm-is-package-hijacked-in-expanding-supply-chain-attack
Microsoft Quick Machine Recovery
Microsoft added a new quick machine recovery feature to Windows 11. If the system is stuck in a reboot loop, it will boot to a rescue partition and attempt to find fixes from Microsoft.
https://learn.microsoft.com/en-gb/windows/configuration/quick-machine-recovery/?tabs=intune