
August 6, 2025 SANS Internet Storm Center Stormcast: Key Cybersecurity Topics
In this August 6, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich, recording from Jacksonville, Florida, covers several current cybersecurity topics. The first concerns SharePoint vulnerabilities, in particular those involving the ASP.NET ViewState. ViewState is the mechanism .NET web forms applications use to preserve the state of forms and controls between requests; it travels with the page as a serialized blob in a hidden form field. To protect the integrity of that data, the application's machine keys are used to attach a MAC (Message Authentication Code) to it, and optionally to encrypt it, so that the server only accepts ViewState it generated itself. If those keys are compromised, that guarantee is gone: an attacker can craft a malicious ViewState carrying a serialized object graph, and when the server deserializes it, the result is arbitrary code execution.
Ullrich explains that the machine keys are stored either in the web.config file or, when auto-generated, in the registry. When several servers share the load, the keys must be set explicitly in web.config so that every server validates ViewState produced by any of the others. The same explicit keys are what an attacker obtains by reading that file, and with them they can achieve remote code execution on the server. Ullrich also mentions ysoserial.net, a tool that generates malicious serialized objects to embed in the ViewState, and demonstrates how such a forged ViewState leads to remote code execution, for example by opening a remote shell.
Another topic is the behavior of certain AI companies, notably Perplexity, which change their crawlers' user agent to get around protections implemented by websites. Cloudflare has documented this behavior: Perplexity's crawler first identifies itself with its published user agent, but when it is blocked, whether by robots.txt or by a web application firewall, it comes back with a generic browser user agent. Such aggressive crawling can do real damage, up to effects resembling a denial-of-service attack. Ullrich also mentions similar incidents involving OpenAI, whose systems have been observed requesting attack URLs against honeypots.
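Detection logic for the behavior just described, as an added example that is not part of the Stormcast or of Cloudflare's write-up: it runs over constructed combined-format log lines (documentation IP ranges, approximate user-agent strings) and flags a client that declared itself as a crawler, was blocked, and then kept fetching the site from the same address with a browser user agent. One caveat: Cloudflare also reported the crawler rotating source addresses, so a heuristic keyed on the IP catches only the lazy case; correlating on the blocked path being re-fetched, on ASN, or on client fingerprinting rather than on the address alone is the next step.

```python
"""Added example, not from the Stormcast or Cloudflare: flag clients that
switch from a declared crawler user agent to a browser user agent after
being blocked. Input is constructed combined-log-format text."""
import re
from collections import defaultdict

# Combined log format; the named groups are all the heuristic needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
DECLARED_CRAWLER = re.compile(r"bot|crawler|spider", re.IGNORECASE)
BLOCKED = {401, 403, 429}  # responses a robots/WAF block typically produces

# Constructed sample: documentation IP ranges, approximate UA strings.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Aug/2025:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; PerplexityBot/1.0; +https://perplexity.ai/perplexitybot)"
203.0.113.7 - - [05/Aug/2025:10:00:02 +0000] "GET /members/report.html HTTP/1.1" 403 0 "-" "Mozilla/5.0 (compatible; PerplexityBot/1.0; +https://perplexity.ai/perplexitybot)"
203.0.113.7 - - [05/Aug/2025:10:00:05 +0000] "GET /members/report.html HTTP/1.1" 200 8831 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
203.0.113.7 - - [05/Aug/2025:10:00:06 +0000] "GET /members/archive/ HTTP/1.1" 200 4410 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
198.51.100.22 - - [05/Aug/2025:10:01:00 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; ExampleBot/2.1)"
198.51.100.22 - - [05/Aug/2025:10:01:01 +0000] "GET /members/report.html HTTP/1.1" 403 0 "-" "Mozilla/5.0 (compatible; ExampleBot/2.1)"
192.0.2.9 - - [05/Aug/2025:10:02:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
"""


def parse_log(text: str):
    """Yield one dict per parseable line, in file order; skip junk lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def find_identity_switches(text: str) -> list:
    """Return one finding per IP that was blocked while sending a crawler UA
    and afterwards sent requests with a non-crawler UA. Order matters: a
    browser UA seen *before* the block is not evidence of anything."""
    state = defaultdict(lambda: {"blocked_as": None, "stealth_ua": None,
                                 "stealth_paths": []})
    for rec in parse_log(text):
        s = state[rec["ip"]]
        is_crawler = bool(DECLARED_CRAWLER.search(rec["ua"]))
        if is_crawler and rec["status"] in BLOCKED:
            s["blocked_as"] = rec["ua"]
        elif not is_crawler and s["blocked_as"]:
            s["stealth_ua"] = rec["ua"]
            s["stealth_paths"].append(rec["path"])
    return [{"ip": ip, "declared_ua": s["blocked_as"], "stealth_ua": s["stealth_ua"],
             "stealth_paths": s["stealth_paths"]}
            for ip, s in state.items() if s["stealth_paths"]]


if __name__ == "__main__":
    for f in find_identity_switches(SAMPLE_LOG):
        print(f["ip"], "blocked as", f["declared_ua"].split(";")[1].strip(),
              "then fetched", f["stealth_paths"], "as", f["stealth_ua"][:40], "...")
```

The ExampleBot client in the sample is blocked but never comes back, so it is not reported; only the client that re-fetched the blocked page under a browser identity is. In production, feed the function a sliding window of recent lines per source rather than the whole file, and treat a hit as a reason to block at the network level rather than by user agent, since the user agent is the very thing the client has shown it will change.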
Finally, Ullrich discusses compromises of SonicWall firewalls, possibly through a still-unknown vulnerability. Arctic Wolf, Google Mandiant and Huntress have observed similar attacks, and SonicWall has issued a statement recommending mitigations such as disabling the SSL VPN service or restricting it to trusted source IP addresses. However, even multi-factor authentication has not prevented some of the compromises, which underlines how hard these devices are to secure.
In conclusion, this video provides a detailed overview of current vulnerabilities and security practices, with practical implications for cybersecurity professionals.