
New Video from @internetstormcenterstormca2350 Highlights Phishing-Resistant Authentication and Emerging Cyber Threats
In the September 17, 2025 edition of the SANS Internet Storm Center's Stormcast, Johannes Ullrich, recording from Jacksonville, Florida, addresses a crucial yet often overlooked topic in cybersecurity: phishing-resistant authentication. Lighter on technical detail than the usual diaries, the topic is nonetheless critically important.
Ullrich begins by emphasizing that current phishing advice often focuses on multi-factor authentication (MFA), which is good practice but does not always protect against phishing. The idea behind phishing-resistant authentication is to remove the user's responsibility for providing the correct credentials to the correct website. When the user decides which credentials to provide, they can be tricked into providing them to a malicious site. Tools like Evilginx then use the captured credentials to obtain a session identifier and authenticate the attacker.
To avoid this, Ullrich suggests using password managers, which are generally effective at providing the correct credentials to the correct websites. The ultimate solution, however, lies in certificates or passkeys, such as FIDO2 authentication, where the protocol itself, rather than the user, ensures that credentials are only ever presented to the site they were issued for. These methods are safer because the user never needs to know the credentials, significantly reducing phishing risk.
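To make the origin-binding argument concrete, here is an added simulation (not code from the Stormcast or from any FIDO2 library) of the three parties in a WebAuthn login: the authenticator, the browser, and the relying party. The authenticator only releases credentials scoped to the rp.id the browser hands it, and the browser only accepts an rp.id that matches the page's actual origin, so a look-alike page such as npmjs.help can neither request the real site's credential nor obtain one it could relay. The HMAC key is a toy stand-in for the authenticator's key pair, and the RP verification mirrors the checks the WebAuthn spec requires (challenge, origin, rpIdHash, signature); the origins and challenge values are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


@dataclass
class Credential:
    rp_id: str      # relying party this credential is scoped to (set at registration)
    key: bytes      # toy symmetric key; a real authenticator holds a private key
    cred_id: bytes


@dataclass
class Authenticator:
    creds: dict = field(default_factory=dict)

    def make_credential(self, rp_id: str) -> Credential:
        cred = Credential(rp_id, secrets.token_bytes(32), secrets.token_bytes(16))
        self.creds[cred.cred_id] = cred
        return cred

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        """Sign only with a credential scoped to rp_id; the user never picks a site."""
        for cred in self.creds.values():
            if cred.rp_id == rp_id:
                rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
                sig = hmac.new(cred.key, rp_id_hash + client_data_hash,
                               hashlib.sha256).digest()
                return cred.cred_id, rp_id_hash, sig
        return None  # no credential for this RP: nothing a phishing page can collect


def browser_get_assertion(authn: Authenticator, origin: str, rp_id: str, challenge: str):
    """The browser, not the user, fixes the origin and checks rp_id against it."""
    host = origin.split("://", 1)[1].split("/")[0]
    # rp.id must equal the origin's host or be a registrable suffix of it
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"rp.id {rp_id!r} is not valid for origin {origin!r}")
    # clientDataJSON carries the real origin; the authenticator signs its hash
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True).encode()
    result = authn.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    if result is None:
        return None
    cred_id, rp_id_hash, sig = result
    return {"cred_id": cred_id, "client_data": client_data,
            "rp_id_hash": rp_id_hash, "sig": sig}


def rp_verify(assertion: dict, registered: dict, expected_origin: str,
              expected_rp_id: str, challenge: str) -> bool:
    """Relying-party checks: known credential, fresh challenge, origin, rpIdHash, signature."""
    cred = registered.get(assertion["cred_id"])
    if cred is None:
        return False
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False  # replayed or foreign assertion
    if cd.get("origin") != expected_origin:
        return False  # signed from a page that is not ours
    if assertion["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False
    expected_sig = hmac.new(
        cred.key,
        assertion["rp_id_hash"] + hashlib.sha256(assertion["client_data"]).digest(),
        hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["sig"])


RP_ID = "npmjs.com"                   # legitimate site named in the Stormcast
RP_ORIGIN = "https://www.npmjs.com"   # constructed origin for the example
PHISH_ORIGIN = "https://npmjs.help"   # look-alike domain named in the Stormcast


def demo():
    authn = Authenticator()
    cred = authn.make_credential(RP_ID)
    registered = {cred.cred_id: cred}   # RP stores the credential at registration

    # 1. legitimate login from the real origin succeeds
    challenge = secrets.token_hex(16)
    a = browser_get_assertion(authn, RP_ORIGIN, RP_ID, challenge)
    legit_ok = rp_verify(a, registered, RP_ORIGIN, RP_ID, challenge)

    # 2. a proxying phishing page asks for the real rp.id: the browser refuses
    try:
        browser_get_assertion(authn, PHISH_ORIGIN, RP_ID, challenge)
        phish_real_rpid = "assertion produced"
    except ValueError:
        phish_real_rpid = "browser refused rp.id"

    # 3. the phishing page asks for its own rp.id: no credential exists for it
    phish_own_rpid = browser_get_assertion(authn, PHISH_ORIGIN, "npmjs.help", challenge)
    return legit_ok, phish_real_rpid, phish_own_rpid


if __name__ == "__main__":
    print(demo())  # (True, 'browser refused rp.id', None)
```

The point the simulation makes is that the user is never asked which site the credential belongs to: the binding lives in the browser's rp.id check and in the origin the authenticator signs over, which is exactly what a credential-relaying proxy cannot forge.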
Ullrich also mentions that NIST has recently updated its standards to emphasize the importance of phishing-resistant authentication. He illustrates how hard phishing is to recognize by examining recently registered domains imitating npmjs, such as npmjs.help and npmjs.com, which can easily deceive users.
The video then turns to recent attacks on npm, where the Singularity NX attackers are back with a new wave of compromises. Unlike previous attacks, which primarily targeted cryptocurrency secrets, this new wave uses worm-type payloads, compromising vulnerable repositories and exfiltrating secrets. The attackers create GitHub repositories to exfiltrate data and use GitHub Actions to reach further secrets. They also make the repositories public, which complicates tracing where the exfiltrated data has gone.
Ullrich notes that this new wave might have started with phishing, although this is not confirmed. The malware is different, which could indicate a new wave with a different initial entry vector. Some CrowdStrike repositories were also affected, although this did not impact the company's main product, the Falcon sensor.
Finally, Ullrich discusses a recently disclosed issue with OpenAI's new agentic capabilities, which can be abused. The protocols that connect the model to external tools make it possible to automate workflows, but they do not clearly separate user data from instructions. An attacker can therefore send calendar invitations or emails containing malicious prompts, and the model ends up acting on the attacker's behalf.
In conclusion, the video highlights the importance of phishing-resistant authentication alongside several emerging threats. The insights shared can be applied to strengthen security practices and better protect against phishing and the other attacks described.