
SANS Internet Storm Center Stormcast Discusses Critical Cybersecurity Issues
In this September 18, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich, recording from Jacksonville, Florida, addresses several crucial cybersecurity topics.
The first topic discussed is a technique used by malware to bypass breakpoints. When reverse engineering malware, analysts often set software breakpoints in the code to better understand what happens in specific segments; such breakpoints work by patching the in-memory copy of the code. The malware can detect this in-memory modification. A simple way to bypass it is to reload the code from disk, which discards any modification made after the DLL was first loaded. This technique was observed in a ransomware sample written in Python, which appears to be an unfinished prototype.
Another important item is a vulnerability in Azure, discovered and disclosed to Microsoft by Dirk-jan Mollema. This flaw allowed any user with an Azure tenant to authenticate as a user of another tenant, breaking the isolation between tenants. The vulnerability involved "actor tokens," used for communication between services inside Microsoft. These tokens are supposed to carry the access rights of the original user, but a flaw in their validation allowed an attacker to impersonate another user. The case highlights the complexity, and the potential risk, of trust relationships in public cloud environments.
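The lesson of the actor-token flaw is that a service-to-service token must be bound to the tenant it is being used in, not merely carry a valid signature. The following added example (not code from the Stormcast, from Microsoft, or from the researcher, and not a model of Microsoft's actual actor-token format) illustrates that check with a minimal HMAC-signed, JWT-style token built from the Python standard library. The shared secret, issuer URL scheme, claim names and tenant names are all constructed for the demo. `weak_validate` accepts any well-signed token for the right audience, so a token minted in tenant A is accepted when serving tenant B; `strict_validate` additionally requires the `tid` and `iss` claims to match the tenant being served.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by issuer and validator (HS256). Not a real secret.
SECRET = b"demo-signing-key-not-for-production"
ISSUER_PREFIX = "https://issuer.example/"  # hypothetical issuer URL scheme


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(tenant_id: str, subject: str, audience: str, ttl: int = 3600) -> str:
    """Mint a JWT-style token for `subject` in `tenant_id`, signed with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER_PREFIX + tenant_id,  # issuer is tenant-specific
        "tid": tenant_id,                   # tenant the token was minted in
        "sub": subject,
        "aud": audience,
        "exp": int(time.time()) + ttl,
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_signature(token: str) -> dict:
    """Check the HMAC signature and expiry; return the claims on success."""
    head, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims["exp"] < time.time():
        raise ValueError("token expired")
    return claims


def weak_validate(token: str, expected_audience: str) -> dict:
    """Signature, expiry and audience only: nothing ties the token to a tenant.

    A service that uses this and then trusts `sub` as a user of whatever tenant
    it is currently serving will honour a token minted in a different tenant.
    """
    claims = verify_signature(token)
    if claims["aud"] != expected_audience:
        raise ValueError("audience mismatch")
    return claims


def strict_validate(token: str, expected_audience: str, serving_tenant: str) -> dict:
    """Same checks as weak_validate, plus the tenant binding that was missing."""
    claims = weak_validate(token, expected_audience)
    if claims["tid"] != serving_tenant:
        raise ValueError("tenant mismatch: token is from %s" % claims["tid"])
    if claims["iss"] != ISSUER_PREFIX + serving_tenant:
        raise ValueError("issuer does not belong to the serving tenant")
    return claims


def is_accepted(validator, *args) -> bool:
    """Convenience wrapper: True if the validator accepts, False if it raises."""
    try:
        validator(*args)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Token minted for alice in tenant-a, presented to a service serving tenant-b.
    token = issue_token("tenant-a", "alice", "resource-api")
    print("weak validator, serving tenant-b:", is_accepted(weak_validate, token, "resource-api"))
    print("strict validator, serving tenant-b:", is_accepted(strict_validate, token, "resource-api", "tenant-b"))
    print("strict validator, serving tenant-a:", is_accepted(strict_validate, token, "resource-api", "tenant-a"))
```

The tenant check is cheap, but it only works if the validator knows which tenant the current request is for, so the binding has to be threaded from the request context into the validation call rather than inferred from the token itself.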
Next, Johannes covers several critical vulnerabilities. The first affects WatchGuard Firebox security appliances: an out-of-bounds write in the iked daemon, which handles IPsec VPNs. If this daemon is running, an unauthenticated attacker could exploit the flaw to compromise the appliance. Patches have been released, and applying them quickly is recommended.
Another critical vulnerability concerns NVIDIA's Triton Inference Server, used to serve artificial-intelligence models. A critical update fixes several flaws, including a remote code execution vulnerability via OS command injection and an input validation flaw that could also lead to code execution. Updating the system is strongly advised, as is not exposing it directly to the Internet.
These discussions underscore the importance of vigilance and regular updates in the field of cybersecurity. The techniques for bypassing breakpoints and vulnerabilities in cloud environments and security appliances show how ingenious attackers can be and how crucial it is to stay informed and proactive.
For more details, watch the full video at the following address: https://www.youtube.com/watch?v=x8hgXLGhORE