Daily cybersecurity news for practitioners. Vulnerabilities, defenses, threats, network security insight, research and more to make you sound smarter as you get to the office in the morning. New each weekday.
…
continue reading
SANS ISC Handlers Podcasts
1
SANS Stormcast Tuesday, November 25th, 2025: URL Mapping and Authentication; SHA1-Hulud; Hacklore
6:11
6:11
Play later
Play later
Lists
Like
Liked
6:11
Conflicts between URL mapping and URL based access control. Mapping different URLs to the same script, and relying on URL based authentication at the same time, may lead to dangerous authentication and access control gaps. https://isc.sans.edu/diary/Conflicts%20between%20URL%20mapping%20and%20URL%20based%20access%20control./32518 Sha1-Hulud, The Se…
…
continue reading
1
SANS Stormcast Monday, November 24th, 2025: CSS Padding in Phishing; Oracle Identity Manager Scans Update;
4:59
4:59
Play later
Play later
Lists
Like
Liked
4:59
Use of CSS stuffing as an obfuscation technique? Phishing sites stuff their HTML with benign CSS code. This is likely supposed to throw of simple detection engines https://isc.sans.edu/diary/Use%20of%20CSS%20stuffing%20as%20an%20obfuscation%20technique%3F/32510 Critical Oracle Identity Manager Flaw Possibly Exploited as Zero-Day Early exploit attem…
…
continue reading
1
SANS Stormcast Friday, November 21st, 2025: Oracle Idendity Manager Scans; SonicWall DoS Vuln; Adam Wilson (@sans_edu) reducing prompt injection.
14:09
14:09
Play later
Play later
Lists
Like
Liked
14:09
Oracle Identity Manager Exploit Observation from September (CVE-2025-61757) We observed some exploit attempts in September against an Oracle Identity Manager vulnerability that was patched in October, indicating that exploitation may have occurred prior to the patch being released. https://isc.sans.edu/diary/Oracle%20Identity%20Manager%20Exploit%20…
…
continue reading
1
SANS Stormcast Thursday, November 20th, 2025: Unicode Issues; FortiWeb More Vulns; DLink DIR-878 Vuln; Operation WrtHug and ASUS Routers
6:34
6:34
Play later
Play later
Lists
Like
Liked
6:34
Unicode: It is more than funny domain names. Unicode can cause a number of issues due to odd features like variance selectors and text direction issues. https://isc.sans.edu/diary/Unicode%3A%20It%20is%20more%20than%20funny%20domain%20names./32472 FortiWeb Multiple OS command injection in API and CLI A second silently patched vulnerability in FortiW…
…
continue reading
1
SANS Stormcast Wednesday, November 19th, 2025: Kong Tuke; Cloudflare Outage
4:38
4:38
Play later
Play later
Lists
Like
Liked
4:38
KongTuke Activity This diary investigates how a recent Kong Tuke infections evolved all the way from starting with a ClickFix attack. https://isc.sans.edu/diary/KongTuke%20activity/32498 Cloudflare Outage Cloudflare suffered a large outage today after an oversized configuration file was loaded into its bot protection service https://x.com/dok2001 G…
…
continue reading
1
SANS Stormcast Tuesday, November 18th, 2025: Binary Expression Decoding. Tea NPM Pollution; IBM AIX NIMSH Vulnerability
4:58
4:58
Play later
Play later
Lists
Like
Liked
4:58
Decoding Binary Numeric Expressions Didier updated his number to hex script to support simple arithmetic operations in the text. https://isc.sans.edu/diary/Decoding%20Binary%20Numeric%20Expressions/32490 Tea Token NPM Pollution The NPM repository was hit with around 150,000 submissions that did not contain any useful contributions, but instead atte…
…
continue reading
1
SANS Stormcast Monday, November 17th, 2025: New(isch) Fortiweb Vulnerability; Finger and ClickFix
7:10
7:10
Play later
Play later
Lists
Like
Liked
7:10
Fortiweb Vulnerability Fortinet, with significant delay, acknowledged a recently patched vulnerability after exploit attempts were seen publicly. https://isc.sans.edu/diary/Honeypot+FortiWeb+CVE202564446+Exploits/32486 https://labs.watchtowr.com/when-the-impersonation-function-gets-used-to-impersonate-users-fortinet-fortiweb-auth-bypass/ https://fo…
…
continue reading
1
SANS Stormcast Friday, November 14th, 2025: SmartApeSG and ClickFix; Formbook Obfuscation Tricks; Sudo-rs Vulnerabilities; SANS Holiday Hack Challenge
10:09
10:09
Play later
Play later
Lists
Like
Liked
10:09
SmartApeSG campaign uses ClickFix page to push NetSupport RAT A detailed analysis of a recent SamtApeSG campaign taking advantage of ClickFix https://isc.sans.edu/diary/32474 Formbook Delivered Through Multiple Scripts An analysis of a recent version of Formbook showing how it takes advantage of multiple obfuscation tricks https://isc.sans.edu/diar…
…
continue reading
1
SANS Stormcast Thursday, November 13th, 2025: OWASP Top 10 Update; Cisco/Citrix Exploits; Test post quantum readiness
6:33
6:33
Play later
Play later
Lists
Like
Liked
6:33
OWASP Top 10 2025 Release Candidate OWASP published a release candidate for the 2025 version of its Top 10 list https://owasp.org/Top10/2025/0x00_2025-Introduction/ Citrix/Cisco Exploitation Details Amazon detailed how Citrix and Cisco vulnerabilities were used by advanced actors to upload webshells https://aws.amazon.com/blogs/security/amazon-disc…
…
continue reading
1
SANS Stormcast Wednesday, November 12th, 2025: Microsoft Patch Tuesday; Gladinet Triofox Vulnerability; SAP Patches
6:03
6:03
Play later
Play later
Lists
Like
Liked
6:03
Microsoft Patch Tuesday for November 2025 https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+for+November+2025/32468/ Gladinet Triofox Vulnerability Triofox uses the host header in lieu of proper access control, allowing an attacker to access the page managing administrators by simply setting the host header to localhost. https://cloud.google.com/b…
…
continue reading
1
SANS Stormcast Tuesday, November 11th, 2025: 3CX Related Scans; Watchguard Default Password;
7:25
7:25
Play later
Play later
Lists
Like
Liked
7:25
It isn t always defaults: Scans for 3CX Usernames Our honeypots detected scans for usernames that may be related to 3CX business phone systems https://isc.sans.edu/diary/It%20isn%27t%20always%20defaults%3A%20Scans%20for%203CX%20usernames/32464 Watchguard Default Password Controversy A CVE number was assigned to a default password commonly used in W…
…
continue reading
1
SANS Stormcast Monday, November 10th, 2025: Code Repo Requests; Time Delayed ICS Attacks; Encrypted LLM Traffic Sidechannel Attacks
7:06
7:06
Play later
Play later
Lists
Like
Liked
7:06
Honeypot Requests for Code Repository Attackers continue to scan websites for source code repositories. Keep your repositories outside your document root and proactively scan your own sites. https://isc.sans.edu/diary/Honeypot%3A%20Requests%20for%20%28Code%29%20Repositories/32460 Malicious NuGet Packages Deliver Time-Delayed Destructive Payloads Ne…
…
continue reading
1
SANS Stormcast Friday, November 7th, 2025: PowerShell Log Correlation; RondoBox Disected; Google Chrome and Cisco Patches
5:31
5:31
Play later
Play later
Lists
Like
Liked
5:31
Binary Breadcrumbs: Correlating Malware Samples with Honeypot Logs Using PowerShell [Guest Diary] Windows, with PowerShell, has a great scripting platform to match common Linux/Unix command line utilities. https://isc.sans.edu/diary/Binary%20Breadcrumbs%3A%20Correlating%20Malware%20Samples%20with%20Honeypot%20Logs%20Using%20PowerShell%20%5BGuest%20…
…
continue reading
1
SANS Stormcast Thursday, November 6th, 2025: Domain API Update; Teams Spoofing; VShell Report
5:43
5:43
Play later
Play later
Lists
Like
Liked
5:43
Updates to Domainname API Some updates to our domainname API will make it more flexible and make it easier and faster to get the complete dataset. https://isc.sans.edu/diary/Updates%20to%20Domainname%20API/32452 Microsoft Teams Impersonation and Spoofing Vulnerabilities Checkpoint released details about recently patched spoofing and impersonation v…
…
continue reading
1
SANS Stormcast Wednesday, November 5th, 2025: Apple Patches; Exploits against Trucking and Logistic; Google Android Patches
6:29
6:29
Play later
Play later
Lists
Like
Liked
6:29
Apple Patches Everything, Again Apple released a minor OS upgrade across its lineup, fixing a number of security vulnerabilities. https://isc.sans.edu/diary/Apple%20Patches%20Everything%2C%20Again/32448 Remote Access Tools Used to Compromise Trucking and Logistics Attackers infect trucking and logistics companies with regular remote management tool…
…
continue reading
1
SANS Stormcast Tuesday, November 4th, 2025: XWiki SolrSearch Exploits and Rapper Feud; AMD Zen 5 RDSEED Bug; More Malicious Open VSX Extensions
6:56
6:56
Play later
Play later
Lists
Like
Liked
6:56
XWiki SolrSearch Exploit Attempts CVE-2025-24893 We have detected a number of exploit attempts against XWiki taking advantage of a vulnerability that was added to the KEV list on Friday. https://isc.sans.edu/diary/XWiki%20SolrSearch%20Exploit%20Attempts%20%28CVE-2025-24893%29%20with%20link%20to%20Chicago%20Gangs%20Rappers/32444 AMD Zen 5 Random Num…
…
continue reading
1
SANS Stormcast Monday, November 3rd, 2025: Port 8530/8531 Scans; BADCANDY Webshells; Open VSX Security Improvements
6:26
6:26
Play later
Play later
Lists
Like
Liked
6:26
Scans for WSUS: Port 8530/8531 TCP, CVE-2025-59287 We did observe an increase in scans for TCP ports 8530 and 8531. These ports are associated with WSUS and the scans are likely looking for servers vulnerable to CVE-2025-59287 https://isc.sans.edu/diary/Scans%20for%20Port%208530%208531%20%28TCP%29.%20Likely%20related%20to%20WSUS%20Vulnerability%20C…
…
continue reading
1
SANS Stormcast Friday, October 31st, 2025: Bug Bounty Headers; Exchange hardening; MOVEIt vulnerability
6:19
6:19
Play later
Play later
Lists
Like
Liked
6:19
X-Request-Purpose: Identifying "research" and bug bounty related scans? Our honeypots captured a few requests with bug bounty specific headers. These headers are meant to make it easier to identify requests related to bug bounty, and they are supposed to identify the researcher conducting the scans https://isc.sans.edu/diary/X-Request-Purpose%3A%20…
…
continue reading
1
SANS Stormcast Thursday, October 30th, 2025: Memory Only Filesystems Forensics; Azure Outage; docker-compose patch
6:07
6:07
Play later
Play later
Lists
Like
Liked
6:07
How to Collect Memory-Only Filesystems on Linux Systems Getting forensically sound copies of memory-only file systems on Linux can be tricky, as tools like dd do not work. https://isc.sans.edu/diary/How%20to%20collect%20memory-only%20filesystems%20on%20Linux%20systems/32432 Microsoft Azure Front Door Outage Today, Microsoft s Azure Front Door servi…
…
continue reading
1
SANS Stormcast Wednesday, October 29th, 2025: Invisible Subject Character Phishing; Tomcat PUT Vuln; BIND9 Spoofing Vuln PoC
8:04
8:04
Play later
Play later
Lists
Like
Liked
8:04
Phishing with Invisible Characters in the Subject Line Phishing emails use invisible UTF-8 encoded characters to break up keywords used to detect phishing (or spam). This is aided by mail clients not rendering some characters that should be rendered. https://isc.sans.edu/diary/A%20phishing%20with%20invisible%20characters%20in%20the%20subject%20line…
…
continue reading
1
SANS Stormcast Tuesday, October 28th, 2025: Bytes over DNS; Unifi Access Vuln; OpenAI Atlas Prompt Injection
6:17
6:17
Play later
Play later
Lists
Like
Liked
6:17
Bytes over DNS Didiear investigated which bytes may be transmitted as part of a hostname in DNS packets, depending on the client resolver and recursive resolver constraints https://isc.sans.edu/diary/Bytes%20over%20DNS/32420 Unifi Access Vulnerability Unifi fixed a critical vulnerability in it s Access product https://community.ui.com/releases/Secu…
…
continue reading
1
SANS Stormcast Monday, October 27th, 2025: Bilingual Phishing; Kaitai Struct WebIDE
6:20
6:20
Play later
Play later
Lists
Like
Liked
6:20
Bilingual Phishing for Cloud Credentials Guy observed identical phishing messages in French and English attempting to phish cloud credentials https://isc.sans.edu/diary/Phishing%20Cloud%20Account%20for%20Information/32416 Kaitai Struct WebIDE The binary file analysis tool Kaitai Struct is now available in a web only version https://isc.sans.edu/dia…
…
continue reading
1
SANS Stormcast Friday, October 24th, 2025: Android Infostealer; SessionReaper Exploited; BIND/unbound DNS Spoofing fix; WSUS Exploit
6:25
6:25
Play later
Play later
Lists
Like
Liked
6:25
Infostealer Targeting Android Devices This infostealer, written in Python, specifically targets Android phones. It takes advantage of Termux to gain access to data and exfiltrates it via Telegram. https://isc.sans.edu/diary/Infostealer%20Targeting%20Android%20Devices/32414 Attackers exploit recently patched Adobe Commerce Vulnerability CVE-2025-542…
…
continue reading
1
SANS Stormcast Thursday, October 23rd, 2025: Blue Angle Software Exploit; Oracle CPU; Rust tar library vulnerability.
7:28
7:28
Play later
Play later
Lists
Like
Liked
7:28
webctrl.cgi/Blue Angel Software Suite Exploit Attempts. Maybe CVE-2025-34033 Variant? Our honeypots detected attacks that appear to exploit CVE-2025-34033 or a similar vulnerability in the Blue Angle Software Suite. https://isc.sans.edu/diary/webctrlcgiBlue+Angel+Software+Suite+Exploit+Attempts+Maybe+CVE202534033+Variant/32410 Oracle Critical Patch…
…
continue reading
1
SANS Stormcast Wednesday, October 22nd, 2025: NTP Pool; Xubuntu Compromise; Squid Vulnerability; Lanscope Vuln;
6:37
6:37
Play later
Play later
Lists
Like
Liked
6:37
What time is it? Accuracy of pool.ntp.org. How accurate and reliable is pool.ntp.org? Turns out it is very good! https://isc.sans.edu/diary/What%20time%20is%20it%3F%20Accuracy%20of%20pool.ntp.org./32390 Xubuntu Compromise The Xubuntu website was compromised last weekend and served malware https://floss.social/@bluesabre/115401767635718361 Squid Pro…
…
continue reading
