SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Monday, November 3rd, 2025: Port 8530/8531 Scans; BADCANDY Webshells; Open VSX Security Improvements

Nov 3, 2025
Scans for TCP ports 8530 and 8531 are rising as threat actors hunt for WSUS servers exposed by the recently patched WSUS vulnerability. The Australian Signals Directorate warns about BADCANDY, a webshell implant placed on Cisco IOS XE devices that were never patched. Meanwhile, Open VSX is tightening its security after a troubling incident, with shorter token lifetimes and easier revocation among the improvements.
INSIGHT

WSUS Scan Spike Signals Wide Exposure

  • Scans for TCP ports 8530 and 8531 (the WSUS default HTTP and HTTPS ports) spiked sharply after Microsoft's emergency WSUS update.
  • Scanning at this volume means any WSUS server reachable from the internet has almost certainly already been found, by researchers and attackers alike.
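A scan spike like the one described above is easiest to act on if you can see it in your own perimeter logs. As an added example that is not from the Stormcast episode, SANS ISC or this page, the Python below counts distinct source IPs per day hitting the WSUS default ports (TCP 8530 for HTTP, 8531 for HTTPS) in firewall-style log lines and flags days whose count exceeds a multiple of the baseline median. The log format, the sample lines, the baseline window and the threshold are all constructed for illustration; adapt the regular expression to whatever your firewall actually emits.

```python
"""Flag a spike in inbound connection attempts to the WSUS ports (TCP 8530/8531).

Added example; not code from the Stormcast episode or SANS ISC. The log
format and sample lines below are constructed for illustration.
"""
import re
from collections import defaultdict
from statistics import median

# WSUS defaults: 8530 = HTTP, 8531 = HTTPS.
WSUS_PORTS = {8530, 8531}

# Hypothetical firewall line format (constructed):
#   <ISO timestamp> <action> <src_ip>:<sport> -> <dst_ip>:<dport>/tcp
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\S* \S+ "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)/tcp"
)

# Constructed sample: quiet baseline days, then a burst of new sources on
# 2025-10-24. One unrelated 443 hit and one junk line are included on purpose.
SAMPLE_LOG = """\
2025-10-20T03:12:44Z DENY 198.51.100.7:51234 -> 203.0.113.10:8530/tcp
2025-10-21T11:02:01Z DENY 198.51.100.9:40211 -> 203.0.113.10:8531/tcp
2025-10-22T19:45:13Z DENY 198.51.100.7:60000 -> 203.0.113.10:8530/tcp
2025-10-22T20:00:00Z DENY 192.0.2.5:33000 -> 203.0.113.10:443/tcp
2025-10-24T00:01:00Z DENY 192.0.2.11:1111 -> 203.0.113.10:8530/tcp
2025-10-24T00:02:00Z DENY 192.0.2.12:1112 -> 203.0.113.10:8530/tcp
2025-10-24T00:03:00Z DENY 192.0.2.13:1113 -> 203.0.113.10:8531/tcp
2025-10-24T00:04:00Z DENY 192.0.2.14:1114 -> 203.0.113.10:8530/tcp
2025-10-24T00:05:00Z DENY 192.0.2.15:1115 -> 203.0.113.10:8531/tcp
2025-10-24T00:06:00Z DENY 192.0.2.16:1116 -> 203.0.113.10:8530/tcp
this line is not a firewall record
"""

# Days used as the "normal" baseline (constructed for the sample).
BASELINE_DAYS = ["2025-10-20", "2025-10-21", "2025-10-22"]


def parse_line(line):
    """Return (date, src_ip, dst_port) for a matching line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["date"], m["src"], int(m["dport"])


def count_sources_per_day(lines, ports=WSUS_PORTS):
    """Map each day to the set of distinct source IPs that touched `ports`.

    Distinct sources, not raw hit counts, so a single noisy host does not
    masquerade as a scanning campaign.
    """
    per_day = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        date, src, dport = rec
        if dport in ports:
            per_day[date].add(src)
    return per_day


def find_spikes(per_day, baseline_days, factor=5, min_sources=3):
    """Return days (outside the baseline) whose distinct-source count is at
    least `factor` times the baseline median and at least `min_sources`."""
    baseline_counts = [len(per_day.get(d, set())) for d in baseline_days]
    base = max(median(baseline_counts), 1)  # avoid a zero baseline
    threshold = max(min_sources, factor * base)
    return sorted(
        day for day, srcs in per_day.items()
        if day not in baseline_days and len(srcs) >= threshold
    )


def analyze(log_text, baseline_days=BASELINE_DAYS):
    """Run the whole pipeline over raw log text and return flagged days."""
    return find_spikes(count_sources_per_day(log_text.splitlines()), baseline_days)


if __name__ == "__main__":
    for day in analyze(SAMPLE_LOG):
        print(f"spike in WSUS-port scanning on {day}")
```

If a day is flagged, the practical follow-up is the one the snip gives: confirm whether 8530/8531 on that destination are actually reachable from the internet, and if they are, patch or pull the host off the perimeter before worrying about who scanned it.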
ADVICE

Treat WSUS Exposures As Already Found

  • Assume any internet-exposed WSUS server has already been found; patch it immediately or take it off the internet.
  • Take notifications from groups like ShadowServer seriously and act on them promptly.
INSIGHT

Old Cisco Flaw Still Yields Persistent Access

  • CVE-2023-20198 is still being exploited two years after disclosure on Cisco IOS XE devices, giving attackers persistent implants such as BADCANDY.
  • Devices left unpatched this long should be treated as already compromised; they are attractive footholds for high-profile actors.