
August 8, 2025 SANS Internet Storm Center Stormcast: Key Cybersecurity Topics
In the August 8, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich, recording from Jacksonville, Florida, addresses several crucial cybersecurity topics. One of the main points concerns an observation made by Duncan Wooley, an intern at sans.edu, who noticed a sudden increase in scans originating from Panama. Further analysis showed that these scans were associated with ASN 43350, which belongs to a company called Enforce Entertainment, known for renting out its IP addresses, a practice that can lead to suspicious or malicious use. Ullrich discusses the implications of blocking this specific ASN: while doing so may reduce network noise, it does not necessarily protect against actual attacks, since scans arrive from many other IP addresses as well. He also warns against blindly blocking major scanners, as this can block legitimate traffic too.
Another topic addressed is the weakness of HTTP/1.1 that enables "request smuggling" attacks. A report from PortSwigger, the creators of the Burp proxy, highlights problems inherent in HTTP/1.1, in particular disagreement between middleboxes and origin servers about where one request ends and the next begins. They strongly recommend switching to HTTP/2 to avoid these problems. Ullrich explains that HTTP/2 uses a more robust binary encoding, which leaves parsers far less room to disagree. He also notes that modern architectures built as "proxy bucket brigades," where a request passes through several proxies before reaching the server, can exacerbate these issues. PortSwigger has also released new tools to detect these vulnerabilities, which is particularly relevant for cloud-based infrastructures.
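As an added example (not code from the Stormcast or from PortSwigger), the following Python check shows the framing disagreement Ullrich describes from the defender's side: it parses a raw HTTP/1.1 request head and rejects any request whose body length two hops could compute differently, as RFC 7230 section 3.3.3 directs. The sample request is constructed.

```python
import re

# RFC 7230 "token" characters allowed in a header field name.
TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
KNOWN_CODINGS = {b"chunked", b"gzip", b"deflate", b"compress"}

def classify_framing(raw: bytes) -> str:
    """Return "content-length", "chunked" or "none" for an unambiguous HTTP/1.1
    request head, or "reject:<reason>" when two parsers could disagree."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "reject:incomplete header block"
    cl_values, te_values = [], []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, colon, value = line.partition(b":")
        # Whitespace before the colon or a non-token name is exactly the kind
        # of header one hop may honour and the next may silently drop.
        if not colon or not TOKEN_RE.match(name.decode("latin-1")):
            return "reject:malformed header line"
        name = name.lower()
        if name == b"content-length":
            cl_values += [v.strip() for v in value.split(b",")]
        elif name == b"transfer-encoding":
            te_values += [v.strip().lower() for v in value.split(b",")]
    if te_values and cl_values:
        # A front end may use one header and the back end the other: reject.
        return "reject:both Transfer-Encoding and Content-Length"
    if te_values:
        if te_values[-1] != b"chunked":
            return "reject:Transfer-Encoding does not end in chunked"
        if not set(te_values) <= KNOWN_CODINGS:
            return "reject:unknown transfer coding"
        return "chunked"
    if cl_values:
        if len(set(cl_values)) > 1:
            return "reject:conflicting Content-Length values"
        if not cl_values[0].isdigit():
            return "reject:non-numeric Content-Length"
        return "content-length"
    return "none"

if __name__ == "__main__":
    # Constructed sample: both framing headers at once, the classic ambiguity.
    sample = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 13\r\n"
              b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
    print(classify_framing(sample))
```

A front-end proxy that applies this rule and closes the connection on any "reject" result removes the desynchronisation that smuggling relies on, while still accepting ordinary chunked and fixed-length bodies.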
Microsoft has also issued a bulletin regarding a vulnerability in Microsoft Exchange Server in hybrid deployment mode. The vulnerability allows an attacker who already has administrative access to the Exchange server to pivot into the cloud environment and fully compromise the domain. Although the fix was released in April, Microsoft has clarified that applying this update is crucial to prevent exploitation.
SonicWall has provided updates on brute-force attempts against its VPNs. It asserts that no new vulnerability is being exploited and that the attacks instead reuse potentially compromised credentials. However, Arctic Wolf has reported that secure credentials have been used in some cases, which leaves the question open. Ullrich recommends following SonicWall's advice and remaining vigilant.
Finally, Ullrich welcomes W from Rapazo, a recently graduated student in information security engineering, to discuss his research project on vulnerable open-source software and the concept of "shifting left." Rapazo emphasizes the importance of security from the early stages of software development to avoid high costs of fixing vulnerabilities later. He mentions tools like GitHub Advanced Security and Azure DevOps that can help detect vulnerabilities in open-source components. He stresses the importance of awareness and prioritizing security within development teams.
In conclusion, this edition of the Stormcast highlights several critical aspects of cybersecurity, from malicious scans to HTTP vulnerabilities, and the importance of security in software development. This information is crucial for security professionals and developers seeking to enhance the robustness of their systems.