
SANS Internet Storm Center Stormcast: August 15, 2025 Edition
In this August 15, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich, speaking from Jacksonville, Florida, covers several topics in cybersecurity.
First, Johannes points to a guest article by Joseph Noah, an undergraduate intern, on using artificial intelligence (AI) tools to better understand security events. Joseph walks through the analysis of logs and scripts captured by honeypots, using examples such as command injection attempts and the Linux "nohup" command. He stresses that results returned by AI systems must be verified, since the models produce plausible but incorrect explanations (hallucinations).
Next, Johannes describes a new distribution vector for proxyware: YouTube video download sites. Sites such as YTMP4 claim to let visitors download YouTube videos as MP4 files, but what they actually hand out are proxyware installation scripts. The proxyware turns the victim's computer into a proxy whose access the attackers rent out for various, often illegal, activities. The victim carries the cost of that traffic, and the installer may also bring additional malware onto the system.
Johannes also covers two vulnerabilities in Xerox's FreeFlow Core print management system, identified by Horizon3. The two flaws, an XML external entity (XXE) flaw and a path traversal flaw, allow remote code execution on a vulnerable system. He urges FreeFlow Core users to update immediately; the patch was released on August 8.
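The two bug classes named above are common enough that it is worth seeing each one as a weak handler beside its hardened form. The following is an added example written for this summary; it is not code from the Stormcast, from Horizon3, or from FreeFlow Core, and says nothing about how FreeFlow Core itself is implemented. The "job ticket" XML, the secret file written to a temp directory and the `/srv/freeflow/jobs` base directory are all constructed for the demo. The XXE half uses Python's SAX parser, whose `feature_external_ges` switch turns resolution of `SYSTEM` entities on or off (it is off by default in current Python); the path traversal half shows the check that an unsafe `os.path.join` lacks.

```python
"""Added example: XXE and path traversal, weak handling beside hardened handling.
Not code from the Stormcast, Horizon3 or FreeFlow Core; all inputs are constructed."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges


class _TextCollector(xml.sax.ContentHandler):
    """Concatenates character data so we can see what the parser actually expanded."""

    def __init__(self):
        super().__init__()
        self.text = ""

    def characters(self, content):
        self.text += content


def parse_job_ticket(xml_text, expand_external_entities):
    """Parse a constructed XML 'job ticket' and return its text content.

    expand_external_entities=True is the XXE-prone configuration: a DOCTYPE with a
    SYSTEM entity makes the parser read a local file and splice it into the document.
    With the feature off (Python's default), the external entity is silently skipped.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, expand_external_entities)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.StringIO(xml_text))
    return handler.text


def xxe_demo():
    """Write a constructed secret to a temp file, then submit a ticket that references it.

    Returns (text seen by the weak parser, text seen by the hardened parser)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db_password=hunter2")  # constructed secret, stands in for a config file
        secret_path = f.name
    try:
        ticket = (
            '<?xml version="1.0"?>'
            f'<!DOCTYPE job [<!ENTITY xxe SYSTEM "{secret_path}">]>'
            "<job><name>&xxe;</name></job>"
        )
        leaked = parse_job_ticket(ticket, expand_external_entities=True)
        safe = parse_job_ticket(ticket, expand_external_entities=False)
        return leaked, safe
    finally:
        os.unlink(secret_path)


def unsafe_resolve(base_dir, user_path):
    """Weak form: trusts the client-supplied name. '..' segments walk out of base_dir
    and an absolute user_path makes os.path.join discard base_dir entirely."""
    return os.path.join(base_dir, user_path)


def resolve_under(base_dir, user_path):
    """Hardened form: normalise both sides (realpath also follows symlinks) and refuse
    any result that is not inside base_dir. base_dir is a hypothetical job directory."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base_dir}: {user_path!r}")
    return candidate


def is_confined(base_dir, user_path):
    """True if resolve_under() accepts user_path, False if it rejects it."""
    try:
        resolve_under(base_dir, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    leaked, safe = xxe_demo()
    print("XXE-prone parser saw:", repr(leaked))
    print("hardened parser saw: ", repr(safe))
    jobs = "/srv/freeflow/jobs"  # hypothetical base directory
    for name in ("job1.xml", "../../etc/passwd", "/etc/passwd"):
        print(f"{name!r}: unsafe -> {unsafe_resolve(jobs, name)}  confined={is_confined(jobs, name)}")
```

The XXE half is the reason "disable DTD processing or external entity resolution" is the standard fix: the same parser, with one feature toggled, either leaks the file or does not, and no input validation on the ticket itself would have caught the payload. For the traversal half, note that the check runs on the normalised result, not on the string the client sent, so encoded or repeated `..` tricks are handled the same way as the plain case.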
The video continues with an interview with Darren Kstensen, a graduate of the SANS.edu MSISE program, about his research project on zero trust. Darren explains that zero trust rests on the principle of "never trust, always verify" and should be applied across five pillars: identity, devices, networks, applications, and data. He points to CISA's Zero Trust Maturity Model as a useful yardstick for measuring an organization's zero trust maturity.
Darren also discusses the importance of phishing-resistant multifactor authentication, noting that many organizations still rely on phishable methods such as SMS codes or push notifications that carry no context about the login. He explains that these phishing attacks can be countered with stronger methods such as biometrics or push notifications that present more context to the user.
When he tested several zero trust solution providers, Darren found that most could not detect the loss of sensitive data over Windows file shares, which highlights the challenges and current limitations of zero trust solutions. He concludes by stressing that security solutions must be tested and verified against the organization's own expectations and needs rather than taken at face value.
For more details, check out the video link: https://www.youtube.com/watch?v=wEhqcT1xTeo