
SANS Internet Storm Center Stormcast: July 21, 2025 Edition Highlights Critical Cybersecurity Issues
In this July 21, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich, recording from Jacksonville, Florida, addresses several crucial cybersecurity topics.
The first major point is a new SharePoint vulnerability that is being actively exploited. Microsoft has issued an out-of-band advisory for the flaw but, at the time of recording, has not yet provided a patch. Microsoft's interim advice is to enable AMSI integration and run an anti-malware engine such as Defender Antivirus on the SharePoint server or, if that is not possible, to disconnect the server from the Internet. Attackers exploiting the vulnerability are dropping webshells, server-side scripts that give them remote command execution. Microsoft's anti-malware tooling currently detects these webshells, but new variants that evade the signatures should be expected. Given how widespread the exploitation is, any SharePoint server exposed to the Internet should be treated as compromised and investigated, not just protected going forward.
The exploit targets the ToolPane.aspx page under the _layouts path and uses a crafted Referer header to bypass authentication and reach code execution. Once on the server, attackers can also read the ASP.NET machine keys used to sign and encrypt ViewState; with those keys they can forge ViewState that the server accepts and deserializes, an insecure-deserialization primitive that keeps working until the keys are rotated, even after the code itself is fixed. Microsoft states that SharePoint Online in Microsoft 365 is not affected; only on-premises SharePoint Server is. The first exploitation attempts were observed on July 16, one of them from a Microsoft-owned IP address, which probably belongs to a customer of Microsoft's cloud service rather than to Microsoft itself.
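As an added example (my own code, not from the podcast or from Microsoft), the following Python scans an IIS W3C log from a SharePoint server for the request pattern described above. It assumes the indicator that has been published for this exploitation: a request to ToolPane.aspx carrying a Referer of /_layouts/SignOut.aspx. The log lines are constructed for the example, and INTERNAL_NETS is an assumed list of the organization's own address ranges.

```python
"""Hunt an IIS W3C log for the SharePoint ToolPane.aspx exploitation pattern."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterator

# Assumption: these are the organization's own address ranges; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log, not real traffic. Columns follow the #Fields header as in a real
# IIS W3C log; "-" is an empty field.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 09:12:01 10.0.0.5 GET /sites/hr/default.aspx - 10.0.1.20 Mozilla/5.0 - 200
2025-07-19 09:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 203.0.113.77 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 09:13:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.1.20 Mozilla/5.0 http://sp.corp.example/sites/hr/_layouts/15/start.aspx 200
2025-07-19 09:13:30 10.0.0.5 GET /_layouts/15/toolpane.aspx DisplayMode=Edit 198.51.100.9 python-requests/2.32 /_layouts/signout.aspx 401
2025-07-19 09:14:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 198.51.100.9 curl/8.0 - 200
"""


@dataclass
class Finding:
    line_no: int
    client_ip: str
    method: str
    uri: str
    referer: str
    status: str
    severity: str  # "high": published exploit indicator; "medium": external client reached ToolPane


def parse_w3c(text: str) -> Iterator[tuple[int, dict[str, str]]]:
    """Yield (line number, field dict) for each request line, using the #Fields header."""
    fields: list[str] | None = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # a new header can appear when IIS rotates the log
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                    # malformed line: skip rather than misalign columns
        yield n, dict(zip(fields, values))


def is_external(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True                     # unparsable client address: treat as untrusted
    return not any(addr in net for net in INTERNAL_NETS)


def classify(rec: dict[str, str]) -> str | None:
    """Severity for one request, or None if it is not interesting."""
    if not rec.get("cs-uri-stem", "").lower().endswith("/toolpane.aspx"):
        return None
    referer = rec.get("cs(Referer)", "-").lower()
    if "/_layouts/signout.aspx" in referer:
        return "high"                   # auth-bypass Referer: an attempt regardless of the status code
    if is_external(rec.get("c-ip", "")):
        return "medium"                 # ToolPane is an authoring page; external clients have no business there
    return None


def scan(text: str) -> list[Finding]:
    findings = []
    for n, rec in parse_w3c(text):
        sev = classify(rec)
        if sev:
            findings.append(Finding(n, rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"],
                                    rec["cs(Referer)"], rec["sc-status"], sev))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.severity:6} {f.client_ip:15} {f.method} {f.uri} "
              f"referer={f.referer} status={f.status}")
```

Point scan() at the server's own IIS logs (by default under inetpub\logs\LogFiles on the SharePoint host). A "high" finding with a 200 status should be treated as successful exploitation and trigger webshell and machine-key incident handling; a 401 on the same pattern still shows the server was targeted and should be taken off the Internet until it is patched.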
Another topic is a phishing campaign using an email that purports to come from a voicemail system. Instead of the usual transcription, the email carries the "voicemail" as a WAV audio attachment. The message claims that the recipient's VH backup license has expired and asks them to call back to resolve the issue. There is no malware involved; the payload is the callback number, which is what makes this a tech support (callback) scam and why attachment scanning alone will not stop it.
Finally, the company Expel has identified an attack against FIDO2 passkeys used as a second factor. Attackers abuse cross-device sign-in, the feature that lets a passkey on a phone complete a login started on another device by scanning a QR code. The phishing site collects the victim's username and password, the attacker enters them on the real login page from their own browser and requests the QR code, and the phishing site relays that QR code to the victim. When the victim scans it and approves on their phone, the genuine passkey assertion completes the attacker's session, not the victim's. To protect against this, it is recommended to restrict or disable cross-device (QR code) sign-in where it is not needed, and to hunt in identity-provider logs for cross-device passkey logins that start from unexpected locations.
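As an added example (my own model, not Expel's write-up or any vendor's code), the following Python plays out the cross-device relay with both sides' messages, shows the policy switch that stops it, and runs the log hunt. It is a deliberate simplification: the "passkey" is a keyed hash standing in for a real FIDO assertion, the toy identity provider binds the QR challenge only to the browser that requested it, and the known_ips baseline used by the hunt is assumed. User name, addresses and the password are constructed.

```python
"""Cross-device (QR) passkey relay: attack flow, policy fix and a log hunt. Toy model."""
import hashlib
import secrets
from dataclasses import dataclass

PASSWORD = "correct horse battery"   # constructed; captured by the phishing page in step 1


@dataclass
class Challenge:
    nonce: str            # what the identity provider encodes in the QR code
    user: str
    initiating_ip: str    # the browser session that will be logged in on success


@dataclass
class LoginEvent:
    user: str
    initiating_ip: str
    transport: str        # "hybrid" = cross-device QR flow


class Authenticator:
    """Passkey on the user's phone. Assumption: after scanning a QR it signs the
    challenge it was shown; the signature is a keyed hash, not a real FIDO assertion."""
    def __init__(self, user: str):
        self.user = user
        self.secret = secrets.token_bytes(32)

    def sign(self, nonce: str) -> str:
        return hashlib.sha256(self.secret + nonce.encode()).hexdigest()


class IdentityProvider:
    """Toy IdP: password first, then a passkey. allow_cross_device is the policy
    switch the text recommends turning off."""
    def __init__(self, allow_cross_device: bool = True):
        self.allow_cross_device = allow_cross_device
        self.passwords: dict[str, str] = {}
        self.keys: dict[str, bytes] = {}
        self.pending: dict[str, Challenge] = {}
        self.events: list[LoginEvent] = []

    def register(self, user: str, password: str, phone: Authenticator) -> None:
        self.passwords[user] = password
        self.keys[user] = phone.secret      # toy: symmetric key instead of a public key

    def begin_cross_device_login(self, user: str, password: str, client_ip: str):
        """First factor, then the QR challenge bound to the requesting browser."""
        if self.passwords.get(user) != password or not self.allow_cross_device:
            return None
        ch = Challenge(secrets.token_hex(16), user, client_ip)
        self.pending[ch.nonce] = ch
        return ch

    def complete_login(self, nonce: str, signature: str) -> bool:
        ch = self.pending.pop(nonce, None)
        if ch is None:
            return False
        expected = hashlib.sha256(self.keys[ch.user] + nonce.encode()).hexdigest()
        if not secrets.compare_digest(expected, signature):
            return False
        # The assertion is genuine, so the session goes to whoever holds the initiating browser.
        self.events.append(LoginEvent(ch.user, ch.initiating_ip, "hybrid"))
        return True


def setup(allow_cross_device: bool = True):
    idp = IdentityProvider(allow_cross_device)
    phone = Authenticator("alice")
    idp.register("alice", PASSWORD, phone)
    return idp, phone


def run_legitimate_login(idp, phone, user_ip="10.0.1.20") -> bool:
    ch = idp.begin_cross_device_login(phone.user, PASSWORD, user_ip)
    return ch is not None and idp.complete_login(ch.nonce, phone.sign(ch.nonce))


def run_relay_attack(idp, phone, attacker_ip="203.0.113.50") -> bool:
    # 1. victim types username and password into the phishing page; attacker now has both
    # 2. attacker opens the real login from his own browser and requests the QR code
    ch = idp.begin_cross_device_login(phone.user, PASSWORD, attacker_ip)
    if ch is None:
        return False      # policy blocks cross-device sign-in: the relay has nothing to show
    # 3. phishing page displays that QR; the victim scans it and approves on the phone
    sig = phone.sign(ch.nonce)
    # 4. attacker's browser submits the assertion and receives the victim's session
    return idp.complete_login(ch.nonce, sig)


def suspicious_cross_device_logins(events, known_ips):
    """Hunt: cross-device logins whose initiating browser is at an address not in the
    user's baseline (known_ips is assumed to come from prior successful logins)."""
    return [e for e in events
            if e.transport == "hybrid" and e.initiating_ip not in known_ips.get(e.user, set())]
```

The point the model makes is that nothing cryptographic fails: the phone signs a real challenge for the real site, so origin binding does not help. What the relay depends on is that the service will hand a QR challenge to any browser that knows the password, which is why the fix is a policy setting (no cross-device sign-in, or only with a proximity requirement) and the detection is a question of where the initiating session came from, not whether the assertion verified.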
These insights are crucial for cybersecurity professionals, as they highlight active vulnerabilities and emerging attack techniques. Companies must remain vigilant and implement appropriate security measures to protect their systems against these threats.
https://www.youtube.com/watch?v=0lubSEQtop4 TAGS: Cybersecurity,Vulnerabilities,Phishing,Authentication