
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

Latest episodes

May 7, 2025 • 7min

SANS Stormcast Wednesday, May 7th: Infostealer with Webserver; Android Update; CISA Warning

An intriguing Python infostealer has been discovered, featuring an embedded web server for local phishing sites. The monthly Android update addresses a serious Freetype vulnerability, critical in many devices. CISA warns about unsophisticated cyber actors targeting operational technology, highlighting the necessity of basic security measures. The discussion also dives into exploits related to compressed font files and the significance of regular software updates in defending against such threats.
May 6, 2025 • 7min

SANS Stormcast Tuesday, May 6th: Mirai Exploiting Samsung magicInfo 9; Kali Signing Key Lost;

A new twist in the ongoing threat landscape as the Mirai botnet now exploits a vulnerability in Samsung's MagicINFO CMS. Meanwhile, Kali Linux faces challenges after losing its signing key, requiring users to adapt to a new one. The dangers of default configurations in out-of-the-box Helm charts for Kubernetes are also highlighted, revealing how they can compromise security through exposed ports and lack of authentication. Stay informed to keep your systems secure!
May 5, 2025 • 6min

SANS Stormcast Monday, May 5th: Steganography Challenge; Microsoft Makes Passkeys Default and Moves Away from Authenticator as Password Manager; Magento Components Backdoored.

A new steganography challenge has listeners decoding hidden messages, with solutions to come soon. Microsoft is pushing Passkeys as the default login method, aiming for a password-free future. Big changes are on the horizon as Microsoft Authenticator will no longer serve as a password safe, shifting users to Edge's password prefill. Meanwhile, alarm bells ring as backdoors in Magento components are discovered, activating after years of dormancy, raising questions about vendor security.
May 2, 2025 • 7min

SANS Stormcast Friday, May 2nd: More Steganography; Malicious Python Packages GMail C2; BEC to Steal Rent Payments

Discover the secrets of steganography as techniques for extracting hidden data from images are unveiled. Learn about a new trend where malicious Python packages exploit Gmail for command and control, posing serious risks to developers. Delve into the alarming tactics used by a French threat actor, targeting property management firms to divert tenant rent payments. This insightful discussion sheds light on pressing cybersecurity challenges and offers strategies for better protection.
May 1, 2025 • 6min

SANS Stormcast Thursday, May 1st: Sonicwall Attacks; Cached Windows RDP Credentials

Recent scans targeting SonicWall vulnerabilities are skyrocketing, possibly linked to brute force attacks. An alarming IPv6-based malware tactic has emerged where attackers use spoofed DNS servers to deliver malicious updates. Additionally, a significant flaw in Windows Remote Desktop Protocol may allow logins using outdated credentials, raising pressing security concerns. Technology enthusiasts and security experts alike will find these breaking developments both intriguing and alarming.
Apr 30, 2025 • 9min

SANS Stormcast Wednesday, April 30th: SMS Attacks; Apple Airplay Vulnerabilities

More Scans for SMS Gateways and APIs
Attackers are not just looking for SMS gateways like the scans we reported on last week, but they are also actively scanning for other ways to use APIs and add-on tools to send messages using other people's credentials.
https://isc.sans.edu/diary/More%20Scans%20for%20SMS%20Gateways%20and%20APIs/31902

AirBorne: AirPlay Vulnerabilities
Researchers at Oligo revealed over 20 weaknesses they found in Apple's implementation of the AirPlay protocol. These vulnerabilities can be abused to execute code or launch denial-of-service attacks against affected devices. Apple patched the vulnerabilities in recent updates.
https://www.oligo.security/blog/airborne
Apr 29, 2025 • 8min

SANS Stormcast Tuesday, April 29th: SRUM-DUMP 3; Policy Puppetry; Choice Jacking; @sansinstitute at #RSAC

SRUM-DUMP Version 3: Uncovering Malware Activity in Forensics
Mark Baggett released SRUM-DUMP Version 3. The tool simplifies data extraction from the Windows System Resource Usage Monitor (SRUM). This database logs how many resources software used over the last 30 days, and is invaluable for finding out what software was executed when, and whether it sent or received network data.
https://isc.sans.edu/diary/SRUM-DUMP%20Version%203%3A%20Uncovering%20Malware%20Activity%20in%20Forensics/31896

Novel Universal Bypass For All Major LLMs
Hidden Layer discovered a new prompt injection technique that bypasses security constraints in large language models. The technique uses an XML-formatted prequel to a prompt, which appears to the LLM as a policy file. This "Policy Puppetry" can be used to rewrite some of the security policies configured for LLMs. Unlike other techniques, this one works across multiple LLMs without changing the policy.
https://hiddenlayer.com/innovation-hub/novel-universal-bypass-for-all-major-llms/

CHOICEJACKING: Compromising Mobile Devices through Malicious Chargers like a Decade ago
The old Juice Jacking is back, at least if you do not run the latest version of Android or iOS. This issue may allow a malicious USB device, particularly a USB charger, to take control of a device connected to it.
https://pure.tugraz.at/ws/portalfiles/portal/89650227/Final_Paper_Usenix.pdf

SANS @RSA: https://www.sans.org/mlp/rsac/
Apr 28, 2025 • 8min

SANS Stormcast Monday, April 28th: Image Steganography; SAP Netweaver Exploited

Explore the intriguing world of image steganography, where malware hides within images to bypass network security. Discover a serious vulnerability in SAP NetWeaver, allowing unauthorized file uploads and system access. Recent reports reveal exploitation attempts and the confusion caused by MS Defender's false positives, leading to sensitive document uploads. This episode emphasizes the importance of protecting personal data while navigating malware analysis tools.
Apr 25, 2025 • 7min

SANS Stormcast Friday, April 25th: SMS Gateway Scans; Commvault Exploit; Patch Window Shrinkage; More inetpub issues;

Attacks against Teltonika Networks SMS Gateways
Attackers are actively scanning for SMS gateways. These attacks take advantage of default passwords and other commonly used passwords.
https://isc.sans.edu/diary/Attacks%20against%20Teltonika%20Networks%20SMS%20Gateways/31888

Commvault Vulnerability CVE-2025-34028
Commvault, about a week ago, published an advisory and a fix for a vulnerability in its backup software. watchTowr has now released a detailed writeup and exploit for the vulnerability.
https://labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/

Exploitation Trends Q1 2025
Vulncheck published a summary of exploitation trends, pointing out that about a quarter of vulnerabilities are exploited within a day of a patch being made available.
https://vulncheck.com/blog/exploitation-trends-q1-2025

inetpub directory issues
The inetpub directory introduced by Microsoft in its April patch may lead to a denial of service against applying patches on Windows if an attacker can create a junction for that location pointing to an existing system binary like Notepad.
https://doublepulsar.com/microsofts-patch-for-cve-2025-21204-symlink-vulnerability-introduces-another-symlink-vulnerability-9ea085537741
Apr 24, 2025 • 6min

SANS Stormcast Thursday, April 24th: Honeypot iptables Maintenance; XRPL.js Compromise; Erlang/OTP SSH Vuln affecting Cisco

Discover the intricacies of maintaining a honeypot and the importance of dynamic configurations to keep your security measures sharp. Learn about a serious breach in the XRPL.js library, which allowed attackers to steal secret keys through malicious updates. The podcast also highlights a critical vulnerability in the Erlang/OTP SSH library affecting Cisco equipment, emphasizing the urgent need for patches and security vigilance in the tech community.
