SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Monday, April 21st: MSFT Entra Lockouts; Erlang/OTP SSH Exploit; Sonicwall Exploit; bubble.io bug

Apr 21, 2025
Discussions take a deep dive into a recent wave of account lockouts caused by Microsoft Entra's new security feature, sparking chaos among users. An exploit targeting Erlang/OTP SSH vulnerabilities raises alarms with easy remote code execution. Sonicwall devices are under threat from an older command injection exploit after brute-force access. Finally, an unpatched vulnerability in bubble.io exposes projects to potential breaches, underscoring the need for vigilance in cybersecurity.
07:31

Podcast summary created with Snipd AI

Quick takeaways

  • Microsoft Entra's new security feature has led to widespread account lockouts, highlighting the tension between enhancing security and ensuring user accessibility.
  • A new social engineering tactic using disguised identities on Zoom is emerging, emphasizing the need for user education and better security measures in remote interactions.

Deep dives

Challenges with Microsoft Entra's New Feature

A newly implemented feature in Microsoft Entra aims to enhance account security by flagging and locking accounts with compromised credentials. However, this has resulted in significant disruptions, with reports indicating that about one-third of accounts were flagged erroneously. The challenge for administrators lies in balancing user security with operational sustainability, as a large number of locked accounts can overwhelm customer support. While updating user passwords is a recommended response, finding immediate workarounds is crucial to maintain business continuity during this incident.
