
New Video from @internetstormcenterstormca2350 Discusses Critical Cybersecurity Topics
In this July 24, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich, recording from Jacksonville, Florida, addresses several crucial cybersecurity topics.
The first topic is the exploits of the SharePoint Shell tool. Johannes has spent time analyzing these exploits, particularly those targeting the "refer" functionality. He explains that they primarily use Base64 decoding and start with a table of compressed data. One of the final pages downloaded by these exploits steals the system's machine key. Johannes emphasizes that patching alone is not enough, because the machine keys may already be compromised, and insists that they be rotated to avoid further compromise.
Another topic is the compromise of a popular npm package. The package, which has several million downloads, was taken over through the maintainer's compromised credentials. Johannes explains that phishing emails targeting npmjs.com, which lacks adequate DKIM, DMARC, and SPF protections, facilitated this compromise. He warns against installing too many packages and emphasizes the importance of checking how well they are maintained.
Johannes also mentions the new rapid machine recovery feature in Windows 11 24H2. This feature aims to automatically detect restart loops and apply fixes via a cloud service. Inspired by incidents like CrowdStrike, this feature promises to simplify life for individual users and IT administrators in case of update issues or third-party software problems.
In conclusion, Johannes invites listeners to share their thoughts on the video format and announces his intention to produce more video content in the future. He thanks the listeners for their attention and loyalty.
For more details, watch the full video at the following address: https://www.youtube.com/watch?v=rh-iT724nGQ