
SANS Internet Storm Center Stormcast: September 11, 2025 Edition on Cybersecurity
In this September 11, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich, recording from Jacksonville, Florida, discusses several notable topics in cybersecurity. The episode begins with a botnet that uses DNS for remote control by encoding its commands in Base64. Ullrich highlights an interesting anomaly: although Base64 uses characters such as the slash and the equal sign, which should never appear in DNS hostnames, these characters can sometimes pass through under certain circumstances. For example, nslookup can return names containing them without complaint, demonstrating that protocols like DNS do not always return well-formed content.
This observation leads to an important lesson in web application security: do not blindly trust data that arrives over protocols like DNS. Ullrich reminds us that vulnerabilities such as SQL injection and cross-site scripting can be exploited via DNS responses if those responses are not properly validated and sanitized before use. He also mentions historical examples where WHOIS entries contained exploits, emphasizing the importance of verifying that the received content matches the expected structure.
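The following is an added example (not code from the Stormcast or from ISC) showing the kind of structural check Ullrich is recommending: before a DNS answer is stored, logged or rendered, each label is validated against the RFC 1035 letters-digits-hyphen rule and length limits, and labels that look like Base64 (characters `+`, `/`, `=` or long mixed-case alphanumeric strings) are flagged rather than trusted. The Base64 heuristic, the `triage_answers` helper and the sample records are assumptions constructed for this example.

```python
import base64
import re
from dataclasses import dataclass

# RFC 1035 "letters, digits, hyphen" label: 1-63 chars, no leading or trailing hyphen.
LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Full Base64 alphabet plus optional padding; '+', '/' and '=' never belong in a hostname.
BASE64_LABEL = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


@dataclass
class Verdict:
    ok: bool
    reason: str


def validate_hostname(name: str) -> Verdict:
    """Accept only names whose every label is LDH and whose lengths are in range."""
    stripped = name.rstrip(".")
    if not stripped:
        return Verdict(False, "empty name")
    if len(stripped) > 253:
        return Verdict(False, "name longer than 253 octets")
    for label in stripped.split("."):
        if not LDH_LABEL.match(label):
            return Verdict(False, f"label {label!r} is not LDH (letters, digits, hyphen)")
    return Verdict(True, "valid hostname")


def looks_like_base64(label: str, min_len: int = 16) -> bool:
    """Heuristic (an assumption of this example, not a rule from the episode):
    a label drawn from the Base64 alphabet that either carries non-LDH characters
    (+ / =) or is long with mixed case and digits is treated as a likely payload."""
    if not BASE64_LABEL.match(label):
        return False
    if any(c in "+/=" for c in label):
        return True
    return (len(label) >= min_len
            and any(c.isupper() for c in label)
            and any(c.islower() for c in label)
            and any(c.isdigit() for c in label))


def triage_answers(answers):
    """Split (qname, rdata) pairs into accepted hostnames and flagged records.

    Only accepted values should ever reach a SQL statement or an HTML template;
    flagged records are returned with the reason so they can be logged or alerted on."""
    accepted, flagged = [], []
    for qname, rdata in answers:
        verdict = validate_hostname(rdata)
        suspicious = [lab for lab in rdata.rstrip(".").split(".") if looks_like_base64(lab)]
        if verdict.ok and not suspicious:
            accepted.append(rdata)
        else:
            flagged.append((qname, rdata, verdict.reason, suspicious))
    return accepted, flagged


# Constructed sample answers: two ordinary records, one Base64 label, one malformed label.
SAMPLE_ANSWERS = [
    ("www.example.com.", "www.example.com."),
    ("mail.example.com.", "mx1.example.net."),
    ("beacon.example.org.",
     base64.b64encode(b"hello world example").decode() + ".example.org."),
    ("bad.example.org.", "-leading.example.org."),
]


if __name__ == "__main__":
    ok, bad = triage_answers(SAMPLE_ANSWERS)
    print("accepted:", ok)
    for qname, rdata, reason, labels in bad:
        print(f"flagged {qname} -> {rdata}: {reason}; base64-like labels: {labels}")
```

Running the block accepts the two ordinary names and flags the other two: the Base64 label fails the LDH check and trips the heuristic, and the label beginning with a hyphen fails LDH alone. The same validation belongs on WHOIS output or any other resolver-style response before it is interpolated anywhere.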
The episode then covers recent security updates. Google Chrome has released an update fixing two security vulnerabilities, including a critical use-after-free in the service worker component, which could allow remote code execution. Ullrich recommends making sure Google Chrome is updated and restarted regularly so the patched version is actually running. Ivanti has also released patches for several products, including its remote access suites, fixing vulnerabilities such as missing authorization checks and cross-site request forgery (CSRF). These vulnerabilities could allow an attacker to hijack HTML5 connections or trigger sensitive actions remotely.
Sophos has also released new firmware for its AP6 series access points, fixing a critical authentication bypass vulnerability. Although few details are available about this vulnerability, Ullrich stresses the importance of updating firmware to protect against it.
Finally, Apple has introduced a new security feature called Memory Integrity Enforcement in its new devices. This feature combines hardware and software to make buffer overflows and memory allocation bugs harder to exploit. Although the feature itself is only available on the new hardware, Apple has introduced new APIs to make writing memory-safe code easier on all Apple devices. This initiative aims to counter nation-state attacks, which often target mobile devices.
In conclusion, this episode of the Stormcast highlights the importance of data validation, regular updates, and new security technologies to protect systems against cyber threats.