
SANS Internet Storm Center Discusses Critical Cybersecurity Topics
In the August 28, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich, recording from Baltimore, Maryland, addresses several crucial cybersecurity topics.
The first topic discussed is an interesting technique for launching shellcode. Typically, an attacker who has gained access to a system allocates memory or marks it as executable, then copies their code into this memory and executes it. This method is common and often detected by EDR (Endpoint Detection and Response) tools. However, a variant of this technique has been observed in which the attacker uses the Windows API call "CallWindowProc". This call is designed to invoke window procedures and other internal Windows functions, but it will accept any memory pointer and execute the code at that address. This method allows attackers to bypass certain EDR detections.
Another important topic is a supply chain compromise involving the NX build tool. This tool, used by millions of developers to optimize software testing and building, was compromised. Developers who downloaded the compromised version ran a malicious JavaScript file that used Gemini AI or Claude to search for secrets on the developer's system, including deployment keys and cryptocurrency-related information. These secrets were then exfiltrated to GitHub via new repositories created in the victims' accounts. Although NX and GitHub responded quickly to rectify the situation, this incident highlights the vulnerability of popular development tools.
Finally, Johannes Ullrich discusses the compromise of various telecommunications companies and other firms by Chinese state actors, known as "Vault Typhoon". A detailed report, resulting from the collaboration of several cybersecurity and law enforcement agencies, reveals that the attackers often gained initial access through expensive security devices from vendors such as Palo Alto, Cisco, and Ivanti. The report also highlights the importance of network monitoring, particularly watching for GRE and IPsec tunnels, whose unexpected appearance should trigger alerts in most networks.
These discussions underscore the importance of constant vigilance and the use of advanced detection and response techniques to protect systems against cyber threats. Developers and network administrators must be aware of new attack techniques and compromise vectors to better secure their environments.
For more details, watch the full video at the following address: https://www.youtube.com/watch?v=XjyIdjQangs