

SANS Stormcast Thursday, September 18th, 2025: DLL Hooking; Entra ID Actor Tokens; Watchguard and NVidia Patches
Discover the DLL reloading trick that malware uses to dodge analysis (described here as a "CTRL-Z" for the analyst's work): by loading a fresh copy of a DLL from disk over the one already in memory, it overwrites the software breakpoints an analyst has set. Learn about a serious vulnerability in Entra ID actor tokens that allowed cross-tenant impersonation up to Global Admin, which Microsoft has since fixed on the service side. There's also a discussion of WatchGuard's out-of-bounds write flaw in the Firebox IKE daemon and NVIDIA's fixes for vulnerabilities in its Triton Inference Server. Tune in for the latest updates in cyber security!
Malware Reloads DLLs To Evade Breakpoints
- Xavier found malware that reloads DLLs to wipe the breakpoints an analyst has set while reverse engineering it: a software breakpoint is an INT3 byte (0xCC) patched into the loaded code, so mapping a clean copy of the DLL over it silently removes the breakpoint.
- The sample looked like prototype ransomware written in Python that uses this reload trick.
- Hardware breakpoints (debug registers DR0-DR3) are not stored in the code bytes and survive the reload, so they are the analyst's answer to this trick.
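As an added example (not code from the ISC diary, the malware sample, or the podcast), the mechanics of the reload trick reduced to byte arrays so it runs anywhere: a constructed x64 function prologue stands in for a DLL's on-disk `.text`, an analyst's INT3 breakpoint and an inline JMP hook are planted in the "live" copy, and `find_patches` diffs the two the way an analyst would check whether their breakpoints are still in place. `reload_from_disk` is what the malware's DLL reload amounts to: the clean bytes are copied over the live ones and every software patch disappears. On a real Windows process the clean bytes would come from mapping the DLL file from disk and the live bytes from reading the module's `.text` section; those platform calls are assumed and left out here.

```python
# Added example (not from the ISC diary or the podcast): the DLL-reload trick
# and the matching analyst check, modelled on plain byte arrays. On Windows the
# "clean" bytes come from the DLL file on disk and the "live" bytes from the
# module's .text section in the process; here both are constructed.

from typing import List, Tuple

INT3 = 0xCC        # x86 software breakpoint opcode, what a debugger patches in
JMP_REL32 = 0xE9   # 5-byte relative jump, the usual inline-hook trampoline

# Constructed sample: the first bytes of a typical x64 function prologue,
# ending in a ret. Stands in for the on-disk .text of a DLL.
CLEAN_TEXT = bytes.fromhex(
    "48895c2408"    # mov [rsp+8], rbx
    "4889742410"    # mov [rsp+10h], rsi
    "57"            # push rdi
    "4883ec20"      # sub rsp, 20h
    "488bf1"        # mov rsi, rcx
    "c3"            # ret
)

def apply_debugger_patches(text: bytes) -> bytearray:
    """Model what an analyst's tooling does to the in-memory copy: an INT3
    breakpoint on the function entry and an inline JMP hook five bytes in.
    Returns the modified 'live' image (same length as the clean one)."""
    live = bytearray(text)
    live[0] = INT3
    # rel32 target is illustrative; only the opcode matters for the diff
    live[5:10] = bytes([JMP_REL32]) + (0x1000).to_bytes(4, "little")
    return live

def find_patches(clean: bytes, live: bytes) -> List[Tuple[int, str, int]]:
    """Diff on-disk code against in-memory code and classify each divergence
    as (offset, kind, length). This is the check an analyst runs to see
    whether breakpoints and hooks are still present."""
    if len(clean) != len(live):
        raise ValueError("code sections differ in size; not the same module build")
    patches: List[Tuple[int, str, int]] = []
    i = 0
    while i < len(clean):
        if clean[i] == live[i]:
            i += 1
            continue
        if live[i] == INT3:
            patches.append((i, "int3-breakpoint", 1))
            i += 1
        elif live[i] == JMP_REL32:
            patches.append((i, "jmp-hook", 5))
            i += 5
        else:
            start = i
            while i < len(clean) and clean[i] != live[i]:
                i += 1
            patches.append((start, "unknown-patch", i - start))
    return patches

def reload_from_disk(clean: bytes, live: bytearray) -> bytearray:
    """What the malware's DLL reload amounts to: copy the pristine code bytes
    over the live section, wiping every software breakpoint and hook at once.
    Hardware breakpoints live in debug registers, not here, and are untouched."""
    live[:] = clean
    return live

def demo() -> Tuple[List[Tuple[int, str, int]], List[Tuple[int, str, int]]]:
    """Returns (patches seen before the reload, patches seen after it)."""
    live = apply_debugger_patches(CLEAN_TEXT)
    before = find_patches(CLEAN_TEXT, live)
    after = find_patches(CLEAN_TEXT, reload_from_disk(CLEAN_TEXT, live))
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("patches before reload:", before)   # int3 at 0, jmp hook at 5
    print("patches after reload: ", after)    # nothing left
```

The same diff, run the other way round, is how an analyst notices that the trick has fired: if breakpoints that were present a moment ago no longer show up in `find_patches`, the module has been re-mapped underneath the debugger, and the next step is to switch to hardware breakpoints or to break on the loader call that performed the reload.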
Actor Tokens Broke Tenant Isolation
- Dirk-Jan Mollema disclosed an Entra ID actor token flaw that could let an attacker in one tenant impersonate any user, including Global Admins, in another tenant.
- The bug shows how complex cloud service-to-service tokens can break isolation if the receiving service does not validate which tenant a token was actually issued for; because actor tokens are issued and consumed inside Microsoft's own infrastructure, the fix was applied on the service side and there is nothing for tenants to patch.
Patch WatchGuard Firebox If Using IPsec
- If you run WatchGuard Firebox with IPsec VPNs (branch office or mobile user VPN using IKEv2), apply the vendor's patch immediately to fix CVE-2025-9242, an out-of-bounds write.
- The vulnerability is in the iked daemon and can be exploited by unauthenticated remote attackers when IPsec is enabled; a Firebox that once had an IKEv2 VPN configured and later removed it can remain exposed if a branch office VPN to a static gateway peer is still configured, so verify the running configuration rather than assuming a deleted VPN closed the exposure.