SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Tuesday Mar 18th 2025: Analyzing GUID Encoded Shellcode; Node.js SAML Vuln; Tomcat RCE in the Wild; CSS e-mail obfuscation

Mar 18, 2025
Dive into the world of cyber threats as they decode GUID-encoded shellcode linked to malware, revealing insights into Cobalt Strike. Explore a critical authentication bypass vulnerability found in Node.js libraries, prompting urgent fixes. Discover a new deserialization flaw in Tomcat that's already under attack, raising alarms about its Java similarities. Lastly, learn how attackers exploit CSS for stealthy user tracking and detection evasion, showcasing the ever-evolving landscape of cyber security.
ADVICE

Decoding Cobalt Strike Beacons

  • Use Didier Stevens's 1768.py script to decode Cobalt Strike beacons embedded as UUIDs in malware.
  • This helps extract information like serial numbers, useful for attribution and confirming Cobalt Strike presence.
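The UUID trick the snip refers to works because the loader hands each string to a Windows UUID-parsing routine that writes the 16-byte UUID struct into memory, with the first three fields stored little-endian. The decoder below is an added example written for this page, not Didier Stevens's 1768.py or the malware's own code; it recovers the raw bytes from any text that carries UUID strings (a `strings` dump, a decompiled array) so the result can be handed to a beacon parser. The embedded "dropper" source and its payload are constructed here and contain only an ASCII marker, no shellcode.

```python
"""Recover raw bytes from UUID/GUID strings embedded in a sample (added example).

Loaders that store shellcode as UUID strings typically pass each string to
UuidFromStringA, which writes the UUID struct into memory with Data1/Data2/Data3
little-endian. Decoding therefore has to use the same layout, which Python
exposes as uuid.UUID(...).bytes_le, not the textual left-to-right byte order.
"""
import re
import uuid

UUID_RE = re.compile(
    r"\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b"
)


def uuid_to_bytes(s: str) -> bytes:
    """Reproduce UuidFromStringA's in-memory layout for one UUID string."""
    return uuid.UUID(s).bytes_le


def bytes_to_uuids(data: bytes) -> list[str]:
    """Inverse transform; used only to build the constructed sample below."""
    padded = data + b"\x00" * (-len(data) % 16)
    return [str(uuid.UUID(bytes_le=padded[i:i + 16])) for i in range(0, len(padded), 16)]


def decode_uuid_blob(text: str) -> bytes:
    """Extract every UUID-looking token from `text` in order of appearance and
    concatenate the decoded bytes. Surrounding code, quotes and commas are ignored."""
    return b"".join(uuid_to_bytes(m.group(0)) for m in UUID_RE.finditer(text))


def summarize(blob: bytes) -> dict:
    """Cheap triage stats to look at before feeding the blob to a beacon-config parser."""
    printable = sum(32 <= b < 127 for b in blob)
    return {
        "length": len(blob),
        "printable_ratio": round(printable / len(blob), 2) if blob else 0.0,
        "first_bytes": blob[:8].hex(),
    }


# Constructed sample: a harmless ASCII marker encoded the way a dropper would
# encode shellcode, wrapped in C-like source to show the regex skips the noise.
SAMPLE_PAYLOAD = b"UUID-ENCODED-PAYLOAD-DEMO"
SAMPLE_SOURCE = (
    "const char* ids[] = {\n"
    + ",\n".join(f'    "{u}"' for u in bytes_to_uuids(SAMPLE_PAYLOAD))
    + "\n};\n"
)

if __name__ == "__main__":
    blob = decode_uuid_blob(SAMPLE_SOURCE)
    print(summarize(blob))
    print(blob.rstrip(b"\x00"))
```

The hand-checkable case is the byte sequence 00..0f: written through the UUID struct it reads back as the string `03020100-0504-0706-0809-0a0b0c0d0e0f`, which is why a decoder that simply strips the dashes and hex-decodes would scramble the first eight bytes of every block.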
INSIGHT

Node.js SAML Vulnerability

  • The xml-crypto library in Node.js, used for SAML, has a vulnerability similar to one found in Ruby.
  • It incorrectly parses comments in SAML messages, potentially allowing privilege escalation or authentication bypass.
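The class of bug behind this snip is that an XML comment inside a signed SAML element is covered by the signature, yet the code that later extracts a value from that element treats the comment as a boundary. The illustration below is an added example for this page and deliberately generic: it is not xml-crypto's or ruby-saml's code, and the page does not state which code path in xml-crypto is affected. The assertion fragment is constructed and unsigned; what it shows is the difference between reading only the first text node of `<NameID>` and reading (or refusing) the element's full content, which is the check a relying party wants regardless of library.

```python
"""Comment handling in SAML value extraction: vulnerable vs. hardened (added example).

Constructed, stripped-down assertion with no signature. In a real flow the
<NameID> element, comment included, sits inside the signed subtree, so the
signature check passes for both the clean and the comment-bearing variant;
what differs is the identity the application ends up acting on.
"""
from xml.dom import minidom

ASSERTION_TEMPLATE = """<Assertion>
  <Subject><NameID>{name_id}</NameID></Subject>
</Assertion>"""


def _name_id_node(xml_text: str):
    doc = minidom.parseString(xml_text)  # minidom keeps Comment nodes in the tree
    return doc.getElementsByTagName("NameID")[0]


def name_id_first_text_node(xml_text: str) -> str:
    """Vulnerable pattern: read only the first child text node.
    A comment splits the content into two text nodes, so the value is truncated."""
    node = _name_id_node(xml_text)
    return node.firstChild.data if node.firstChild is not None else ""


def name_id_all_text(xml_text: str) -> str:
    """Hardened pattern: concatenate every text child and skip non-text nodes,
    so the extracted value matches what the signature actually covers."""
    node = _name_id_node(xml_text)
    return "".join(c.data for c in node.childNodes if c.nodeType == c.TEXT_NODE)


def name_id_strict(xml_text: str) -> str:
    """Stricter pattern: accept only a NameID made of exactly one text node and
    reject anything else (comments, nested markup) outright."""
    node = _name_id_node(xml_text)
    children = node.childNodes
    if len(children) != 1 or children[0].nodeType != node.TEXT_NODE:
        raise ValueError("NameID contains comments or markup; rejecting assertion")
    return children[0].data


def strict_accepts(xml_text: str) -> bool:
    """Convenience wrapper so callers can branch without catching the exception."""
    try:
        name_id_strict(xml_text)
        return True
    except ValueError:
        return False


# Constructed inputs: a normal assertion and one carrying a comment inside NameID.
CLEAN = ASSERTION_TEMPLATE.format(name_id="alice@example.com")
WITH_COMMENT = ASSERTION_TEMPLATE.format(name_id="alice<!-- -->@example.com")

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("with comment", WITH_COMMENT)):
        print(label, "| first text node:", repr(name_id_first_text_node(doc)),
              "| all text:", repr(name_id_all_text(doc)),
              "| strict accepts:", strict_accepts(doc))
```

The strict variant is the one to prefer in a relying party: a NameID legitimately never contains comments, so rejecting the message costs nothing and removes the dependence on how a particular XML library splits text nodes.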
ADVICE

Patch Tomcat Vulnerability

  • Patch Apache Tomcat immediately due to a critical deserialization vulnerability (CVE-2025-24813).
  • This easily exploitable flaw allows code execution via PUT requests when Tomcat uses file-based session IDs.
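Patching is the fix; the check below only tells you whether an unpatched instance has the configuration the snip describes. It is an added example written for this page, not Apache's code, and it inspects the two settings that are visible in Tomcat configuration files: the DefaultServlet's `readonly` init-param in `web.xml` (Tomcat ships with writes disabled, so PUT only works when this is explicitly `false`) and a `PersistentManager` with a `FileStore` in `context.xml`, which is the "file-based session" storage the snip refers to. The sample `web.xml` and `context.xml` fragments are constructed; the element and attribute names are Tomcat's real ones.

```python
"""Flag Tomcat configurations that expose the PUT-based session deserialization
flaw (CVE-2025-24813) when left unpatched (added example).

Two config-visible preconditions are checked:
  1. DefaultServlet init-param readonly=false  (PUT requests are accepted)
  2. PersistentManager + FileStore in context.xml (sessions persisted as files)
Both are read with ElementTree; tags are compared by local name so the check
works whatever web-app XML namespace (java.sun.com, xmlns.jcp.org, jakarta.ee)
the deployment descriptor declares.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag: str) -> str:
    """Strip an ElementTree '{namespace}' prefix, leaving the local element name."""
    return tag.rsplit("}", 1)[-1]


def _text(elem) -> str:
    return (elem.text or "").strip()


def default_servlet_writable(web_xml: str) -> bool:
    """True if the DefaultServlet is configured with readonly=false."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((_text(c) for c in servlet if _local(c.tag) == "servlet-class"), "")
        if cls != DEFAULT_SERVLET:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            name = value = ""
            for child in param:
                if _local(child.tag) == "param-name":
                    name = _text(child)
                elif _local(child.tag) == "param-value":
                    value = _text(child)
            if name == "readonly" and value.lower() == "false":
                return True
    return False  # Tomcat's shipped default is readonly=true


def file_store_enabled(context_xml: str) -> bool:
    """True if a <Store> using Tomcat's FileStore is configured."""
    root = ET.fromstring(context_xml)
    return any(
        _local(e.tag) == "Store" and e.get("className", "").endswith(".FileStore")
        for e in root.iter()
    )


def assess(web_xml: str, context_xml: str) -> dict:
    put_enabled = default_servlet_writable(web_xml)
    file_sessions = file_store_enabled(context_xml)
    return {
        "put_enabled": put_enabled,
        "file_sessions": file_sessions,
        "exposed_if_unpatched": put_enabled and file_sessions,
    }


# Constructed samples (namespaces and class names as Tomcat uses them).
WEB_XML_WRITABLE = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
WEB_XML_DEFAULT = WEB_XML_WRITABLE.replace("<param-value>false</param-value>",
                                           "<param-value>true</param-value>")
CONTEXT_FILESTORE = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""
CONTEXT_DEFAULT = "<Context/>"

if __name__ == "__main__":
    print(assess(WEB_XML_WRITABLE, CONTEXT_FILESTORE))
    print(assess(WEB_XML_DEFAULT, CONTEXT_DEFAULT))
```

A `readonly=false` override can also live in an individual application's own `WEB-INF/web.xml`, so run `default_servlet_writable` over each deployed application's descriptor as well as `conf/web.xml`; a "not exposed" result here is not a substitute for installing the patched version.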