SANS Stormcast Tuesday Mar 18th 2025: Analyzing GUID Encoded Shellcode; Node.js SAML Vuln; Tomcat RCE in the Wild; CSS e-mail obfuscation
Mar 18, 2025
This episode covers four items: decoding GUID-encoded shellcode from a malware sample to recover its Cobalt Strike configuration; a critical authentication bypass in the xml-crypto library used by Node.js SAML implementations, which needs urgent patching; a deserialization flaw in Apache Tomcat (CVE-2025-24813) that is already under attack, helped along by its close resemblance to earlier Java deserialization bugs; and how attackers abuse CSS in e-mail for stealthy user tracking and detection evasion.
The enhancement of the Python script 1768.py simplifies the extraction of Cobalt Strike configuration from GUID encoded shellcode, aiding malware analysis.
Recent vulnerabilities in Node.js and Tomcat expose critical security risks, highlighting the need for immediate patching and improved security protocols.
Deep dives
Decoding Cobalt Strike Beacons
A new enhancement to the Python script 1768.py lets it decode Cobalt Strike beacons whose shellcode is stored as UUIDs (GUIDs), so that configuration values such as the license serial number can be extracted directly from the malware. That serial number supports attribution and confirms that the sample is in fact Cobalt Strike. The improvement matters because of its simplicity: a single, straightforward script now handles this encoding. The script's name is the melting point of cobalt in kelvin (1768 K), a nod to the tool it analyzes.
Vulnerabilities in SAML and Apache Tomcat
Recent vulnerabilities in the Node.js xml-crypto library and in Apache Tomcat raise critical concerns for developers and operators. The xml-crypto issue is a flaw in how signed SAML messages are parsed: XML comments can mistakenly be treated as part of the signed content, so an attacker can alter what the relying application reads from a signed message without invalidating its signature, potentially leading to authentication bypass or privilege escalation. The Tomcat vulnerability, CVE-2025-24813, is a deserialization flaw that is trivial to exploit: the attacker uploads a serialized payload with a single partial PUT request and then presents a crafted session ID that makes Tomcat deserialize that file, executing arbitrary code. Both incidents underline the urgency of patching and of hardening the surrounding configuration.
Episode topics and links
Static Analysis of GUID Encoded Shellcode
Didier explains how to decode shellcode embedded as GUIDs in malware and how to feed the result to his tool 1768.py, which extracts the Cobalt Strike configuration from the decoded code. https://isc.sans.edu/diary/Static%20Analysis%20of%20GUID%20Encoded%20Shellcode/31774
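The decoding step itself, as an added example in Python (this is not Didier's diary code and not part of 1768.py). Droppers commonly carry shellcode as an array of GUID strings and rebuild it at runtime with UuidFromStringA, which writes each GUID into memory in the Windows GUID layout (Data1, Data2 and Data3 little-endian, Data4 unchanged); uuid.UUID(...).bytes_le reproduces that layout. The sample GUID text is constructed here from a typical x64 stager prologue, not taken from a real sample, and the stager heuristic is an assumption of this example, not logic from 1768.py.

```python
import re
import uuid

# Matches a GUID/UUID with or without surrounding braces.
GUID_RE = re.compile(
    r"\{?([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\}?"
)


def guids_to_bytes(text):
    """Reassemble shellcode stored as GUID strings.

    UuidFromStringA() writes each GUID into memory as Data1 (4 bytes), Data2 (2)
    and Data3 (2) in little-endian order, followed by Data4 (8 bytes) unchanged.
    uuid.UUID(...).bytes_le produces exactly that 16-byte layout.
    """
    out = bytearray()
    for match in GUID_RE.finditer(text):
        out += uuid.UUID(match.group(1)).bytes_le
    return bytes(out)


def bytes_to_guids(data):
    """Inverse operation, used here to build test input: pad to a 16-byte
    multiple (a loader pads with zeros) and emit one GUID string per block."""
    padded = data + b"\x00" * (-len(data) % 16)
    return [str(uuid.UUID(bytes_le=padded[i:i + 16])) for i in range(0, len(padded), 16)]


def looks_like_x64_stager(data):
    """Heuristic assumed by this example (not 1768.py's logic): the common
    Metasploit/Cobalt Strike x64 stub opens with 'cld; and rsp,-16'
    (FC 48 83 E4 F0)."""
    return data.startswith(b"\xfc\x48\x83\xe4\xf0")


# Constructed sample: a typical x64 stager prologue plus filler, encoded as the
# GUID array a dropper would carry.  The real shellcode is not on the page.
SAMPLE_BYTES = (
    b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00"
    b"\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2"
)
SAMPLE_GUID_SOURCE = ", ".join('"%s"' % g for g in bytes_to_guids(SAMPLE_BYTES))

if __name__ == "__main__":
    print(SAMPLE_GUID_SOURCE)
    decoded = guids_to_bytes(SAMPLE_GUID_SOURCE)
    print(decoded.hex(), looks_like_x64_stager(decoded))
```

Once the bytes are recovered, write them to a file and hand that file to 1768.py as described in the diary; the decoder above only reverses the GUID encoding.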
SAMLStorm: Critical Authentication Bypass in xml-crypto and Node.js libraries
xml-crypto, a library used by Node.js applications to verify XML signatures (including those on SAML assertions), has been found to handle XML comments incorrectly, leading to several SAML signature-bypass vulnerabilities. https://workos.com/blog/samlstorm
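To make the comment problem concrete, the classic SAML comment-injection pattern, modelled here in Python with minidom as an added example (this is not xml-crypto's code and does not reproduce the exact SAMLStorm bug; it illustrates the same class of mismatch between what the signature covers and what the application reads). The assertion fragment is constructed; the "canonicalization" is a stand-in that drops comments the way exclusive C14N without comments does.

```python
import hashlib
from xml.dom import Node, minidom

# Constructed assertion fragment: the IdP signed a NameID that belongs to an
# attacker-controlled identity.  No real SAML data is on the page.
SIGNED_ASSERTION = (
    '<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<Subject><NameID>user@example.com.attacker.test</NameID></Subject>"
    "</Assertion>"
)

# The attacker splits the signed text node with an empty XML comment.
TAMPERED_ASSERTION = SIGNED_ASSERTION.replace(
    "user@example.com.attacker.test", "user@example.com<!---->.attacker.test"
)


def _strip_comments(node):
    for child in list(node.childNodes):
        if child.nodeType == Node.COMMENT_NODE:
            node.removeChild(child)
        else:
            _strip_comments(child)


def digest_without_comments(xml_text):
    """Stand-in for a canonicalization that discards comments: the digest, and
    therefore the signature check built on it, is identical for the original
    and the comment-injected assertion."""
    doc = minidom.parseString(xml_text)
    _strip_comments(doc.documentElement)
    return hashlib.sha256(doc.documentElement.toxml().encode("utf-8")).hexdigest()


def _name_id_element(xml_text):
    return minidom.parseString(xml_text).getElementsByTagName("NameID")[0]


def name_id_naive(xml_text):
    """Vulnerable extraction: reads only the first text node, so the injected
    comment truncates the identity to 'user@example.com'."""
    return _name_id_element(xml_text).firstChild.data


def name_id_hardened(xml_text):
    """Fail closed on comments inside the signed value; otherwise join every
    text node so the full, signed identity is what the application sees."""
    element = _name_id_element(xml_text)
    if any(c.nodeType == Node.COMMENT_NODE for c in element.childNodes):
        raise ValueError("XML comment inside NameID; rejecting assertion")
    return "".join(c.data for c in element.childNodes if c.nodeType == Node.TEXT_NODE)


if __name__ == "__main__":
    print("same digest:", digest_without_comments(SIGNED_ASSERTION)
          == digest_without_comments(TAMPERED_ASSERTION))
    print("naive reads:", name_id_naive(TAMPERED_ASSERTION))
    print("hardened reads:", name_id_hardened(SIGNED_ASSERTION))
```

The lesson carries over to any SAML stack: the value the application acts on must be derived from the same canonical form the signature was verified against, and anything unexpected inside a signed element, comments included, should cause the assertion to be rejected rather than silently reinterpreted.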
One PUT Request to Own Tomcat: CVE-2025-24813 RCE is in the Wild
A deserialization vulnerability in Apache Tomcat that was only just made public is already being exploited. The speed with which an exploit appeared is explained by how closely this bug resembles earlier Java deserialization vulnerabilities. https://lab.wallarm.com/one-put-request-to-own-tomcat-cve-2025-24813-rce-is-in-the-wild/ CVE-2025-24813
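Upgrading Tomcat is the fix, but the vulnerability also depends on configuration: the DefaultServlet must have writes enabled (readonly=false; the default is true), partial PUT must be allowed (allowPartialPut, default true), and the remote-code-execution path needs file-based session persistence (PersistentManager with FileStore) plus a deserialization gadget on the classpath. The following audit script is an added example written for this page (not Wallarm's or the Tomcat project's code) that checks a web.xml and context.xml for those preconditions; the two configurations it runs against are constructed.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}servlet' -> 'servlet')."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml):
    """Return the init-params of the servlet whose class is Tomcat's DefaultServlet."""
    params = {}
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = "".join(c.text or "" for c in servlet if _local(c.tag) == "servlet-class").strip()
        if not cls.endswith(".DefaultServlet"):
            continue
        for init_param in servlet:
            if _local(init_param.tag) != "init-param":
                continue
            name = value = ""
            for c in init_param:
                if _local(c.tag) == "param-name":
                    name = (c.text or "").strip()
                elif _local(c.tag) == "param-value":
                    value = (c.text or "").strip()
            if name:
                params[name] = value
    return params


def audit_tomcat(web_xml, context_xml):
    """Report the configuration preconditions of CVE-2025-24813.

    readonly and allowPartialPut both default to true, so only an explicit
    'false' for readonly opens the PUT path, while anything other than an
    explicit 'false' for allowPartialPut leaves partial PUT enabled."""
    findings = []
    params = default_servlet_params(web_xml)
    if params.get("readonly", "true").lower() == "false":
        findings.append("DefaultServlet readonly=false: clients can PUT files into the web application")
        if params.get("allowPartialPut", "true").lower() != "false":
            findings.append("allowPartialPut enabled on a writable DefaultServlet: the upload path used by CVE-2025-24813")
    for manager in ET.fromstring(context_xml).iter("Manager"):
        if manager.get("className", "").endswith("PersistentManager"):
            stores = [s.get("className", "") for s in manager.iter("Store")]
            if any(s.endswith("FileStore") for s in stores):
                findings.append("PersistentManager with FileStore: sessions are deserialized from .session files on disk")
    return findings


# Constructed configurations for demonstration.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
WEAK_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
HARDENED_CONTEXT_XML = "<Context/>"

if __name__ == "__main__":
    for label, web, ctx in (("weak", WEAK_WEB_XML, WEAK_CONTEXT_XML),
                            ("hardened", HARDENED_WEB_XML, HARDENED_CONTEXT_XML)):
        print(label, audit_tomcat(web, ctx) or ["no findings"])
```

Run it against $CATALINA_BASE/conf/web.xml and each application's META-INF/context.xml or conf/Catalina/localhost/*.xml; a finding on readonly alone already deserves attention, since a writable DefaultServlet is rarely intended on a production server.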
CSS Abuse for Evasion and Tracking
Attackers are using cascading style sheets to evade detection and to track users more stealthily. https://blog.talosintelligence.com/css-abuse-for-evasion-and-tracking/
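The two abuses named above leave footprints in the HTML itself: text hidden by inline CSS (to pad a message with content the reader never sees but a filter does) and remote resources or @media conditions in style blocks (to phone home and to learn about the recipient's client). The scanner below is an added example written for this page, not code from the Talos post; the list of hiding properties is this editor's assumption of common techniques, and the sample e-mail is constructed.

```python
import re
from html.parser import HTMLParser

# CSS declarations that make text invisible to the reader but not to a
# text-based filter or classifier (assumed list, not from the Talos post).
HIDING_RULES = [
    ("display:none", re.compile(r"display\s*:\s*none", re.I)),
    ("visibility:hidden", re.compile(r"visibility\s*:\s*hidden", re.I)),
    ("font-size:0", re.compile(r"font-size\s*:\s*0(?![.\d])", re.I)),
    ("opacity:0", re.compile(r"opacity\s*:\s*0(?![.\d])", re.I)),
    ("negative text-indent", re.compile(r"text-indent\s*:\s*-\d", re.I)),
    ("zero width/height", re.compile(r"(?<![\w-])(?:width|height)\s*:\s*0(?![.\d])", re.I)),
]
# Remote fetches triggered purely by rendering the style sheet.
REMOTE_URL_RULES = [
    re.compile(r"""url\(\s*['"]?(https?://[^'")\s]+)""", re.I),
    re.compile(r"""@import\s+['"](https?://[^'"]+)""", re.I),
]
MEDIA_RULE = re.compile(r"@media\s*([^{]+)\{", re.I)
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


def hiding_reason(style):
    """Name of the first hiding declaration found in an inline style, or None."""
    for name, pattern in HIDING_RULES:
        if pattern.search(style or ""):
            return name
    return None


def remote_css_urls(css):
    urls = set()
    for pattern in REMOTE_URL_RULES:
        urls.update(pattern.findall(css))
    return sorted(urls)


def media_conditions(css):
    return [m.strip() for m in MEDIA_RULE.findall(css)]


class CssAbuseScanner(HTMLParser):
    """Collects text hidden by inline CSS and the contents of <style> blocks."""

    def __init__(self):
        super().__init__()
        self.hidden_text = []   # (reason, text)
        self.css = []           # raw contents of <style> blocks
        self._stack = []        # (tag, hiding reason or None) for open elements
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
            return
        if tag in VOID_TAGS:            # never closed, so never pushed
            return
        self._stack.append((tag, hiding_reason(dict(attrs).get("style"))))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
            return
        while self._stack:              # tolerate sloppy nesting in real mail
            top, _ = self._stack.pop()
            if top == tag:
                break

    def handle_data(self, data):
        if self._in_style:
            self.css.append(data)
            return
        text = data.strip()
        if not text:
            return
        for _, reason in reversed(self._stack):   # innermost hiding ancestor wins
            if reason:
                self.hidden_text.append((reason, text))
                break


def scan_email_html(html):
    scanner = CssAbuseScanner()
    scanner.feed(html)
    css = "\n".join(scanner.css)
    return {
        "hidden_text": scanner.hidden_text,
        "remote_css_urls": remote_css_urls(css),
        "media_conditions": media_conditions(css),
    }


# Constructed sample e-mail body.
SAMPLE_EMAIL = """<html><head><style>
@import url("https://tracker.example/probe.css");
@media (max-width: 600px) { .hero { background: url("https://tracker.example/mobile.gif"); } }
</style></head><body>
<p>Your invoice is attached. Please review it today.</p>
<span style="font-size:0;color:#ffffff">meeting agenda quarterly report newsletter</span>
<div style="display:none">additional filler text to dilute the message</div>
<img src="cid:invoice.png" alt="">
</body></html>"""

if __name__ == "__main__":
    for key, value in scan_email_html(SAMPLE_EMAIL).items():
        print(key, value)
```

The scanner only sees inline styles and embedded style blocks, which is what survives in most mail; a hidden-text finding is a strong signal for filter evasion, while remote URLs and @media conditions inside the CSS are what let the sender observe the client without a single visible image.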