
SANS Internet Storm Center Stormcast: August 27, 2025 Edition on Cybersecurity
In this August 27, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich, recording from Baltimore, Maryland, covers several current cybersecurity topics. He begins with Internationalized Domain Names (IDN) and Punycode, the encoding that represents non-ASCII characters in DNS labels as ASCII strings prefixed with "xn--". Ullrich notes that such domain names lend themselves to phishing, in particular when characters from different scripts are mixed within one label so that a lookalike domain renders almost identically to the real one. He shares a way to spot these domains with a Python script that identifies the character scripts used in each label of a domain name: a lone Cyrillic or Asian-script character in a label that is otherwise Latin is a strong indicator of a homograph phishing attempt.
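The following Python script is an added example of that kind of mixed-script check; it is not the script from the episode. It decodes Punycode with the standard-library `idna` codec and approximates each character's script from the first word of its Unicode character name (LATIN, CYRILLIC, CJK, ...), which is good enough for log triage without a third-party library. The sample domains are constructed for the example. One assumption is built in: Hiragana and Katakana are merged into the CJK family so ordinary Japanese labels are not flagged; the full confusable and script-mixing rules live in Unicode UTS #39 and are not reimplemented here.

```python
import unicodedata

# Constructed sample domains (not from the ISC episode). They are encoded to
# Punycode in main() so the example exercises both directions.
SAMPLE_DOMAINS = [
    "example.com",                          # plain ASCII, nothing to flag
    "\u0430pple.com",                       # Cyrillic 'а' (U+0430) + Latin "pple"
    "\u0430\u0440\u0440\u0456\u0435.com",   # all-Cyrillic lookalike of "apple"
    "\u4f8b\u3048.jp",                      # CJK + Hiragana: ordinary Japanese label
    "caf\u00e9.example",                    # accented Latin only: single script
]

# Assumption: treat Hiragana/Katakana as part of the CJK family, because they
# legitimately mix with Han characters in Japanese labels.
SCRIPT_FAMILY = {"HIRAGANA": "CJK", "KATAKANA": "CJK"}


def to_ascii(domain: str) -> str:
    """Encode a (possibly Unicode) domain into its Punycode / xn-- form."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """Return the Unicode form of a domain given in either Unicode or xn-- form."""
    return domain.encode("idna").decode("idna")


def char_script(ch: str) -> str:
    """Approximate the script of one character from its Unicode name.

    ASCII letters are Latin; digits and '-' are script-neutral ("COMMON").
    For everything else the first word of the Unicode name (LATIN, CYRILLIC,
    GREEK, CJK, HIRAGANA, ...) serves as the script label.
    """
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    first = unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]
    return SCRIPT_FAMILY.get(first, first)


def label_scripts(label: str) -> set[str]:
    """Set of non-neutral scripts used in a single DNS label."""
    return {s for s in map(char_script, label) if s != "COMMON"}


def analyze_domain(domain: str) -> dict:
    """Classify each label of a domain and flag labels that mix scripts."""
    unicode_form = to_unicode(domain)
    per_label = {label: label_scripts(label) for label in unicode_form.split(".")}
    mixed = [label for label, scripts in per_label.items() if len(scripts) > 1]
    non_latin = [label for label, scripts in per_label.items() if scripts - {"LATIN"}]
    return {
        "ascii": to_ascii(unicode_form),
        "unicode": unicode_form,
        "scripts": per_label,
        "mixed_script_labels": mixed,   # the homograph indicator
        "non_latin_labels": non_latin,  # worth a second look, not necessarily bad
        "suspicious": bool(mixed),
    }


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        # Feed the Punycode form, which is what shows up in DNS and proxy logs.
        r = analyze_domain(to_ascii(d))
        flag = "MIXED" if r["suspicious"] else "ok"
        print(f"{flag:5} {r['ascii']:28} {r['unicode']:14} {r['scripts']}")
```

A single-script non-Latin label (the all-Cyrillic "apple" lookalike) is deliberately not flagged as mixed, because the label is perfectly valid Cyrillic; it is reported separately so an analyst can compare it against a list of brand names that should only ever appear in Latin script.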
Next, Ullrich turns to the patches Citrix has published for NetScaler ADC and NetScaler Gateway, which address three distinct vulnerabilities. The most severe, with a CVSS score of 9.2, is a memory overflow that is already being exploited in the wild to deploy webshells and other malware; it is reachable when NetScaler is configured as a Gateway or as an AAA virtual server. The other two are a second memory overflow and an improper access control flaw in the NetScaler management interface. Ullrich emphasizes patching immediately. Because the first bug was exploited before the patches were available, patched appliances should also be checked for webshells and other signs of prior compromise, since updating does not remove anything an attacker has already planted.
Ullrich also mentions a vulnerability recently added by CISA to its Known Exploited Vulnerabilities catalog, this one in Git. It stems from how Git parses its configuration files: a trailing carriage return in a configuration value is stripped when the value is read but was not quoted when written, so a crafted submodule path in .gitmodules can end up pointing somewhere other than intended, and a submodule checked out into the wrong location can lead to the execution of attacker-controlled files. Although the fix shipped in July, Ullrich recommends making sure Linux distributions and any other systems that bundle Git are up to date, since distribution packages often lag upstream releases.
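Upgrading Git is the actual fix. As a supplementary check for a CI pipeline that clones untrusted repositories with submodules, the following Python script (an added example, not something from the episode or from the Git project) parses a `.gitmodules` file without stripping carriage returns and flags submodule paths that contain control characters or that escape the working tree. The sample `.gitmodules` content is constructed for the example; the regular expressions are a deliberately minimal reading of git's config syntax, not a complete parser.

```python
import re

# Constructed sample .gitmodules (not from any real repository). The second
# entry carries a literal carriage return inside the quoted path value, the
# third points outside the working tree.
SAMPLE_GITMODULES = (
    '[submodule "lib/good"]\n'
    '\tpath = lib/good\n'
    '\turl = https://example.invalid/good.git\n'
    '[submodule "lib/bad"]\n'
    '\tpath = "lib/bad\r"\n'
    '\turl = https://example.invalid/bad.git\n'
    '[submodule "escape"]\n'
    '\tpath = ../outside\n'
    '\turl = https://example.invalid/outside.git\n'
)

SECTION_RE = re.compile(r'^\s*\[submodule\s+"(?P<name>[^"]*)"\]\s*$')
KV_RE = re.compile(r'^\s*(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*)$')


def parse_gitmodules(text: str) -> dict[str, dict[str, str]]:
    """Minimal .gitmodules parser: {submodule name: {key: value}}.

    Lines are split on LF only, so a CR stays inside the value instead of
    being silently dropped the way a config reader that strips CRLF would.
    """
    modules: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.split("\n"):
        m = SECTION_RE.match(raw)
        if m:
            current = modules.setdefault(m.group("name"), {})
            continue
        m = KV_RE.match(raw)
        if m and current is not None:
            value = m.group("value").rstrip(" \t")      # keep \r, drop only blanks
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]                      # unquote, preserving content
            current[m.group("key").lower()] = value
    return modules


def submodule_path_issues(path: str) -> list[str]:
    """Return a list of reasons a submodule path looks unsafe (empty if fine)."""
    issues = []
    if any(ord(c) < 0x20 or c == "\x7f" for c in path):
        issues.append("control character in path (e.g. trailing CR)")
    parts = path.replace("\\", "/").split("/")
    if path.startswith("/") or re.match(r"^[A-Za-z]:", path):
        issues.append("absolute path")
    if ".." in parts:
        issues.append("path traversal component")
    if ".git" in parts:
        issues.append("path inside .git directory")
    return issues


def scan_gitmodules(text: str) -> dict[str, list[str]]:
    """Map each submodule name to its list of path issues; clean entries omitted."""
    findings = {}
    for name, entry in parse_gitmodules(text).items():
        issues = submodule_path_issues(entry.get("path", ""))
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in scan_gitmodules(SAMPLE_GITMODULES).items():
        print(f"{name}: {', '.join(issues)}")
```

Run it against a freshly cloned (non-recursive) checkout before `git submodule update --init`; any finding is a reason to stop and inspect the repository rather than let an older Git resolve the path.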
Finally, Ullrich discusses a container breakout vulnerability in Docker Desktop for Windows. A Server-Side Request Forgery (SSRF) weakness lets a container reach an internal Docker Engine API that requires no authentication, without the Docker socket being mounted into the container; with control of that API an attacker can start additional containers with host directories mounted, which leads to code execution on the host. Ullrich points out that SSRF vulnerabilities are often underestimated, but reaching an unauthenticated internal API turns a "just a request" bug into a full compromise. The remedy is to update Docker Desktop.
The practical implications of this information are clear: system administrators and security professionals must remain vigilant and apply patches as soon as they are available. The scripts and tools shared by Ullrich can be used to improve the detection of suspicious domains and strengthen system security.
For more details, watch the full video at the following address: https://www.youtube.com/watch?v=n62x2luc3wM