The end of an era: Properly formatted IP addresses in all of our data.
When initiall designing DShield, addresses were zero padded , an unfortunate choice. As of this week, datafeeds should no longer be zero padded .
https://isc.sans.edu/diary/The%20end%20of%20an%20era%3A%20Properly%20formated%20IP%20addresses%20in%20all%20of%20our%20data./32228
.desktop files used in an attack against Linux Desktops
Pakistani attackers are using .desktop files to target Indian Linux desktops.
https://www.cyfirma.com/research/apt36-targets-indian-boss-linux-systems-with-weaponized-autostart-files/
Malicious Go Module Disguised as SSH Brute Forcer Exfiltrates Credentials via Telegram
A go module advertising its ability to quickly brute force passwords against random IP addresses, has been used to exfiltrate credentials from the person running the module.
https://socket.dev/blog/malicious-go-module-disguised-as-ssh-brute-forcer-exfiltrates-credentials
Limiting Onmicrosoft Domain Usage for Sending Emails
Microsoft is limiting how many emails can be sent by Microsoft 365 users using the onmicrosoft.com domain.
https://techcommunity.microsoft.com/blog/exchange/limiting-onmicrosoft-domain-usage-for-sending-emails/4446167

Don't Forget The "-n" Command Line Switch
Disabling reverse DNS lookups for IP addresses is important not just for performance, but also for opsec. Xavier is explaining some of the risks.
https://isc.sans.edu/diary/Don%27t%20Forget%20The%20%22-n%22%20Command%20Line%20Switch/32220
watchTowr releases details about recent Commvault flaws
Users of the Commvault enterprise backup solution must patch now after watchTowr released details about recent vulnerabilities
https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/?123
Docker Desktop Vulnerability CVE-2025-9074
A vulnerability in Docker Desktop allows attackers to escape from containers to attack the host.
https://docs.docker.com/desktop/release-notes/#4443

Airtel Router Scans and Mislabeled Usernames
A quick summary of some odd usernames that show up in our honeypot logs
https://isc.sans.edu/diary/Airtel%20Router%20Scans%2C%20and%20Mislabeled%20usernames/32216
Apple Patches 0-Day CVE-2025-43300
Apple released an update for iOS, iPadOS and MacOS today patching a single, already exploited, vulnerability in ImageIO.
https://support.apple.com/en-us/124925
Microsoft Copilot Audit Logs
A user retrieving data via copilot obscures the fact that the user may have had access to data in a specific file
https://pistachioapp.com/blog/copilot-broke-your-audit-log
Password Managers Susceptible to Clickjacking
Many password managers are susceptible to clickjacking, and only few have fixed the problem so far
https://marektoth.com/blog/dom-based-extension-clickjacking/

Increased Elasticsearch Recognizance Scans
Our honeypots noted an increase in reconnaissance scans for Elasticsearch. In particular, the endpoint /_cluster/settings is hit hard.
https://isc.sans.edu/diary/Increased%20Elasticsearch%20Recognizance%20Scans/32212
Microsoft Patch Tuesday Issues
Microsoft noted some issues deploying the most recent patches with WSUS. There are also issues with certain SSDs if larger files are transferred.
https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-24h2#3635msgdesc
https://www.tomshardware.com/pc-components/ssds/latest-windows-11-security-patch-might-be-breaking-ssds-under-heavy-workloads-users-report-disappearing-drives-following-file-transfers-including-some-that-cannot-be-recovered-after-a-reboot
SAP Vulnerabilities Exploited CVE-2025-31324, CVE-2025-42999
Details explaining how to take advantage of two SAP vulnerabilities were made public
https://onapsis.com/blog/new-exploit-for-cve-2025-31324/

Keeping an Eye on MFA Bombing Attacks
Attackers will attempt to use authentication fatigue by bombing users with MFA authentication requests. Rob is talking in this diary about how to investigate these attacks in a Microsoft ecosystem.
https://isc.sans.edu/diary/Keeping+an+Eye+on+MFABombing+Attacks/32208
Critical Cisco Secure Firewall Management Center Software RADIUS Remote Code Execution Vulnerability
An OS command injection vulnerability may be abused to gain access to the Cisco Secure Firewall Management Center software.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-radius-rce-TNBKf79
F5 Access for Android vulnerability
An attacker with a network position that allows them to intercept network traffic may be able to read and/or modify data in transit. The attacker would need to intercept vulnerable clients specifically, since other clients would detect the man-in-the-middle (MITM) attack.
https://my.f5.com/manage/s/article/K000152049

SNI5GECT: Sniffing and Injecting 5G Traffic Without Rogue Base Stations
Researchers from the Singapore University of Technology and Design released a new framework, SNI5GECT, to passively sniff and inject traffic into 5G data streams, leading to DoS, downgrade and other attacks.
https://isc.sans.edu/diary/SNI5GECT%3A%20Sniffing%20and%20Injecting%205G%20Traffic%20Without%20Rogue%20Base%20Stations/32202
Plex Vulnerability
Plex patched a vulnerability in the Plex Media Server. Make sure you have updated to at least 1.42.1.
https://forums.plex.tv/t/plex-media-server-security-update/928341
FortiWeb Exploit Public
A security researcher published details about the recent FortiWeb vulnerability, including demonstrating a PoC exploit.
https://www.bleepingcomputer.com/news/security/researcher-to-release-exploit-for-full-auth-bypass-on-fortiweb/
Flowise OS vulnerability
https://research.jfrog.com/vulnerabilities/flowise-os-command-remote-code-execution-jfsa-2025-001380578/

AI and Faster Attack Analysis
A few use cases for LLMs to speed up analysis
https://isc.sans.edu/diary/AI%20and%20Faster%20Attack%20Analysis%20%5BGuest%20Diary%5D/32198
Proxyware Malware Being Distributed on YouTube Video Download Site
Popular YouTube download sites will attempt to infect users with proxyware.
https://asec.ahnlab.com/en/89574/
Xerox Freeflow Core Vulnerability
Horizon3.ai discovered XXE Injection (CVE-2025-8355) and Path Traversal (CVE-2025-8356) vulnerabilities in Xerox FreeFlow Core, a print orchestration platform. These vulnerabilities are easily exploitable and enable unauthenticated remote attackers to achieve remote code execution on vulnerable FreeFlow Core instances.
https://horizon3.ai/attack-research/attack-blogs/from-support-ticket-to-zero-day/
SANS.edu Research: Darren Carstensen Evaluating Zero Trust Network Access: A Framework for Comparative Security Testing
Not all Zero Trust Network Access (ZTNA) solutions are created equal, and despite bold marketing claims, many fall short of delivering proper Zero Trust security.
https://www.sans.edu/cyber-research/evaluating-zero-trust-network-access-framework-comparative-security-testing/

CVE-2017-11882 Will Never Die
The (very) old equation editor vulnerability is still being exploited, as this recent sample analyzed by Xavier shows. The payload of the Excel file attempts to download and execute an infostealer to exfiltrate passwords via email.
https://isc.sans.edu/diary/CVE-2017-11882%20Will%20Never%20Die/32196
Windows Kerberos Elevation of Privilege Vulnerability
Yesterday, Microsoft released a patch for a vulnerability that had already been made public. This vulnerability refers to the privilege escalation taking advantage of a path traversal issue in Windows Kerberos affecting Exchange Server in hybrid mode.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53779
Persistent Risk: XZ Utils Backdoor Still Lurking in Docker Images
Some old Debian Docker images containing the xz-utils backdoor are still available for download from Docker Hub via the official Debian account.
https://www.binarly.io/blog/persistent-risk-xz-utils-backdoor-still-lurking-in-docker-images
FortiSIEM / FortiWeb Vulnerablities
Fortinet patched already exploited vulnerabilities in FortiWeb and FortiSIEM
https://fortiguard.fortinet.com/psirt/FG-IR-25-152
https://fortiguard.fortinet.com/psirt/FG-IR-25-448

Microsoft Patch Tuesday
https://isc.sans.edu/diary/Microsoft%20August%202025%20Patch%20Tuesday/32192
https://cymulate.com/blog/zero-click-one-ntlm-microsoft-security-patch-bypass-cve-2025-50154/
libarchive Vulnerability
A libarchive vulnerability patched in June was upgraded from a low CVSS score to a critical one. Libarchive is used by compression software across various operating systems, making this a difficult vulnerability to patch
https://www.freebsd.org/security/advisories/FreeBSD-SA-25:07.libarchive.asc
Adobe Patches
Adobe released patches for 13 different products.
https://helpx.adobe.com/security/Home.html

Erlang OTP SSH Exploits
A recently patched and easily exploited vulnerability in Erlang/OTP SSH is being exploited. Palo Alto collected some of the details about this exploit activity that they observed.
https://unit42.paloaltonetworks.com/erlang-otp-cve-2025-32433/
WinRAR Exploited
WinRAR vulnerabilities are actively being exploited by a number of threat actors. The vulnerability allows for the creation of arbitrary files as the archive is extracted.
https://thehackernews.com/2025/08/winrar-zero-day-under-active.html
Citrix Netscaler Exploit Updates
The Dutch Center for Cyber Security is updating its guidance on recent Citrix Netscaler attacks. Note that the attacks started before a patch became available, and attackers are actively hiding their tracks to make it more difficult to detect a compromise.
https://www.ncsc.nl/actueel/nieuws/2025/07/22/casus-citrix-kwetsbaarheid https://www.bleepingcomputer.com/news/security/netherlands-citrix-netscaler-flaw-cve-2025-6543-exploited-to-breach-orgs/
OpenSSH Post Quantum Encryption
Starting in version 10.1, OpenSSH will warn users if they are using quantum-unsafe algorithms
https://www.openssh.com/pq.html