
Stormcast Episode on Cybersecurity Trends and Threats
In the September 3, 2025 edition of the Stormcast from the SANS Internet Storm Center, Johannes Ullrich, recording from Jacksonville, Florida, discusses several current cybersecurity topics.
The first topic covered is a new diary entry by Yan, who previously wrote about sextortion scams. Thanks to a reader, Yan gained access to a large corpus of extortion emails, totaling about 1,900 messages with 205 different Bitcoin addresses. An interesting observation is that the effectiveness of these emails seems to decrease over time, likely because victims are growing tired of paying for the same repetitive threats. These campaigns are also relatively short, and payments usually arrive within a day of the messages being sent. The amounts demanded range from a few hundred to a few thousand euros or dollars, with a few exceptions demanding much higher sums but receiving no payments. This suggests that the scammers are tuning their demands to maximize their gains.
Next, Johannes discusses a blog post from cloud security company Reese Security, which examines attacks aimed at stealing configuration files, including Azure AD client secrets. These secrets are often stored in JSON files like appsettings.json, containing sensitive information such as client IDs and secrets. Attackers also look for variations of these files, such as development versions, to access older credentials. Once these files are obtained, attackers can compromise the victims' Active Directory configurations.
Another topic addressed is new research by Chian XL on a Trojan that uses ICMP to establish an outgoing communication channel to a command and control server. This Trojan also uses a DNS command and control channel with a fixed domain prefix and the rest of the domain name encoded in Base64, representing a command for the bot. The bot listens on a raw socket, meaning there is no visible listening port, which makes detection more difficult. The DNS queries, while valid, have unusual domain names that can trigger alerts in security logs.
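As an added illustration (not code from the episode or from the researcher's work), the following Python shows how a defender could look for the DNS pattern just described in resolver query logs: a fixed first label followed by Base64 labels that decode to a printable command. The prefix label `c2`, the domain `example.net`, the log line format and the sample lines are all constructed assumptions, since the episode names none of them.

```python
import base64
import binascii
import string
from typing import List, Optional, Tuple

# Constructed assumptions: the real fixed prefix and C2 domain are not given on
# the page; these placeholders only serve the illustration.
ASSUMED_PREFIX = "c2"
ASSUMED_DOMAIN = ("example", "net")

_PRINTABLE = set(string.printable) - set("\x0b\x0c")


def decode_command(qname: str) -> Optional[str]:
    """Return the decoded command if qname matches the beacon pattern, else None."""
    labels = qname.rstrip(".").split(".")
    # Fixed parts are compared case-insensitively; Base64 labels keep their case.
    if len(labels) < 4 or labels[0].lower() != ASSUMED_PREFIX:
        return None
    if tuple(l.lower() for l in labels[-2:]) != ASSUMED_DOMAIN:
        return None
    # A long command may be split over several 63-byte labels; rejoin them.
    payload = "".join(labels[1:-2])
    # Unpadded Base64 is typical inside DNS names; restore padding first.
    payload += "=" * (-len(payload) % 4)
    try:
        raw = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("ascii", errors="replace")
    return text if text and all(c in _PRINTABLE for c in text) else None


def scan_dns_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, qname, command) for each line whose query decodes."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query:":
            continue
        cmd = decode_command(parts[3])
        if cmd is not None:
            hits.append((parts[1], parts[3], cmd))
    return hits


# Constructed sample lines in a "timestamp client query: name" resolver format.
SAMPLE_LOG = [
    "2025-09-03T10:00:01Z 10.0.0.5 query: www.example.net",
    "2025-09-03T10:00:02Z 10.0.0.5 query: c2.d2hvYW1p.example.net",
    "2025-09-03T10:00:03Z 10.0.0.7 query: c2.aXBjb25maWcgL2Fs.bA.example.net",
    "2025-09-03T10:00:04Z 10.0.0.9 query: c2.not-base64!.example.net",
]
```

Queries that fail Base64 validation or decode to non-printable bytes are ignored, so ordinary lookups under the same domain do not produce alerts.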
Finally, Johannes mentions a critical vulnerability in FreePBX, an open-source telephony system. A preliminary fix had been published, but Sangoma, the company behind FreePBX, encourages everyone to apply the official fix. The vulnerability was due to a fixed secret used for OAuth authentication, which has now been replaced by a dynamically generated secret.
This information is crucial for cybersecurity professionals, as it highlights current attack trends and the measures to take for protection. For example, understanding how attackers exploit configuration files can help better secure these files. Similarly, knowing the communication methods of Trojans can improve detection and prevention capabilities.