
SANS Internet Storm Center Podcast Discusses Cybersecurity Threats and Vulnerabilities
In the September 22, 2025 edition of the SANS Internet Storm Center's Stormcast podcast, Johannes Ullrich, recording from Las Vegas, Nevada, covers several current cybersecurity topics.

He begins with an observation about unusual requests detected by their honeypots. These requests carry a particular HTTP header, the "X forwarded app header," of the kind proxies use to indicate the original IP address of the client. Johannes suspects that the requests are reconnaissance scans or attempts to bypass access controls. The values supplied with the header appear random and include license identifiers, which suggests that mobile devices and QR codes may be involved. Johannes invites listeners to share their thoughts on what these requests are.

Next, Johannes discusses a recently patched critical vulnerability in Fortra's GoAnywhere MFT product. The vulnerability, rated with a CVSS score of 10.0, allows unauthenticated remote code execution via deserialization. He stresses that the product's administration interface should never be exposed to the public internet, which reduces the attack surface, and reminds listeners that similar vulnerabilities have been exploited for ransomware attacks in the past, so updating the software is urgent.

The podcast also covers a new offensive technique published on the Zero Salarium blog. The technique, called "EDR Freeze," does not try to terminate EDR (Endpoint Detection and Response) solutions but renders them inoperative by "freezing" them. Unlike other methods that require elevated privileges, it operates in user space by abusing the "MiniDumpWriteDump" function of Windows Error Reporting. That function is normally used to create memory snapshots for debugging, but by manipulating it, an EDR process can be suspended indefinitely. The blog details how protections such as "Protected Process Light" are bypassed using tools like "WerFaultSecure."

Johannes suggests that, from a defensive standpoint, it is wise to monitor the use of these tools and the arguments passed to them in order to detect suspicious behavior.

In closing, Johannes invites listeners to meet him at the Network Security conference in Las Vegas, where he is teaching the SEC 522 course and plans to give a presentation. He thanks listeners for their support and encourages them to subscribe to the podcast to stay informed about the latest in cybersecurity.
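The honeypot segment describes a forwarding header that proxies use to convey the original client address and that scanners may be sending to bypass address-based access controls. The following is an added defensive example, not code from the podcast or the ISC: it assumes the header in question is the standard X-Forwarded-For, and it shows the check a practitioner would want on the receiving side, namely that the header is honoured only when the connecting peer is one of your own proxies, and that non-IP values (like the license-looking strings the podcast mentions) are ignored rather than trusted. The trusted-proxy list and admin network are constructed values.

```python
import ipaddress
from typing import Optional

# Constructed: the proxies whose forwarding headers we trust. In a real
# deployment this list comes from configuration, never from the request.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]

# Constructed: the only network allowed to reach an administrative endpoint.
ADMIN_NETWORK = ipaddress.ip_network("10.0.0.0/8")


def parse_ip(value: str):
    """Return an ip_address object, or None for anything that is not an IP
    literal (random tokens or license-looking strings land here)."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def is_trusted_proxy(addr: str) -> bool:
    ip = parse_ip(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer_addr: str, xff: Optional[str]) -> str:
    """Address to use for access-control decisions.

    peer_addr is the TCP peer that actually connected. X-Forwarded-For is
    honoured only when that peer is a trusted proxy, so a direct client cannot
    spoof an internal address. When it is honoured, hops are walked from the
    right (the end our own proxies append to) and the first hop that is not
    one of our proxies is the client.
    """
    if not xff or not is_trusted_proxy(peer_addr):
        return peer_addr
    for hop in reversed(xff.split(",")):
        hop = hop.strip()
        if not hop or is_trusted_proxy(hop):
            continue
        # First hop that is not ours: if it is not even an IP literal, the
        # header is garbage and the safe attribution is the peer itself.
        return hop if parse_ip(hop) is not None else peer_addr
    # Every hop was one of our proxies; the nearest real client is the peer.
    return peer_addr


def admin_allowed(peer_addr: str, xff: Optional[str]) -> bool:
    """Access decision for an admin endpoint based on the effective client."""
    ip = parse_ip(effective_client_ip(peer_addr, xff))
    return ip is not None and ip in ADMIN_NETWORK


if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For value)
    samples = [
        ("203.0.113.5", "10.1.1.1"),                  # direct client spoofing an internal IP
        ("10.0.0.2", "10.1.1.1, 203.0.113.5"),       # same spoof, but via our proxy
        ("10.0.0.2", "ABC-1234-LICENSE"),            # garbage value via our proxy
        ("10.0.0.2", "10.5.5.5"),                    # genuine internal client via our proxy
    ]
    for peer, xff in samples:
        print(f"peer={peer:<12} xff={xff!r:<28} client={effective_client_ip(peer, xff):<12} admin={admin_allowed(peer, xff)}")
```

The key design choice is that trust flows from the transport peer, not from the header: a value inside X-Forwarded-For is only as reliable as the hop that appended it, so the walk starts at the right-hand end and stops at the first address you did not add yourself.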
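Johannes's defensive advice for EDR Freeze is to monitor launches of WerFaultSecure and similar tools together with their arguments. The following is an added example of what that monitoring can look like over process-creation telemetry; it is not code from the podcast, the ISC or the Zero Salarium blog. Everything in it is constructed: the event records (shaped loosely like a Sysmon process-create event), the running-process snapshot, the hypothetical EDR image name `edr_sensor.exe`, the command-line strings (they illustrate argument inspection and are not a claim about the tools' real syntax), and the 30-second lifetime threshold. The logic flags a watched tool whose arguments reference the PID of a security agent, or that stays alive far longer than writing a crash dump should take, and reports every other launch for review.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    """One process-creation record (constructed fields, roughly Sysmon event 1)."""
    ts: str
    pid: int
    image: str
    command_line: str
    parent_image: str
    lifetime_s: Optional[float] = None  # seconds until the process exited, if known


# Constructed snapshot of running processes (pid -> image), as would be rebuilt
# from process create/terminate telemetry. The EDR image name is hypothetical.
RUNNING = {
    812: r"C:\Program Files\ExampleEDR\edr_sensor.exe",
    1300: r"C:\Windows\System32\svchost.exe",
    2200: r"C:\Users\alice\AppData\Local\Temp\some_app.exe",
}

# Hypothetical image names of security agents that should never be dump targets.
SECURITY_IMAGES = {"edr_sensor.exe", "msmpeng.exe", "sense.exe"}

# The tools the podcast recommends watching.
WATCHED_TOOLS = {"werfaultsecure.exe", "werfault.exe"}

# Assumed threshold: a dump of a healthy process finishes in seconds; a dump
# still "in progress" after this long means the target is being held suspended.
MAX_EXPECTED_LIFETIME_S = 30.0


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def referenced_pids(command_line: str) -> set:
    """Every standalone decimal token in the command line. Deliberately
    syntax-agnostic so a renamed or reordered flag does not hide the PID."""
    return {int(t) for t in re.findall(r"(?<![\w.])\d{1,7}(?![\w.])", command_line)}


def evaluate(ev: ProcessEvent, running=RUNNING) -> Optional[Tuple[str, str]]:
    """Return (severity, message) for a watched tool, or None for anything else."""
    name = basename(ev.image)
    if name not in WATCHED_TOOLS:
        return None
    pids = referenced_pids(ev.command_line)
    hits = sorted(basename(img) for pid, img in running.items()
                  if pid in pids and basename(img) in SECURITY_IMAGES)
    if hits:
        return ("high", f"{ev.ts} {name} references security process {hits}: {ev.command_line}")
    if ev.lifetime_s is not None and ev.lifetime_s > MAX_EXPECTED_LIFETIME_S:
        return ("high", f"{ev.ts} {name} alive {ev.lifetime_s:.0f}s, far longer than a dump: {ev.command_line}")
    return ("review", f"{ev.ts} {name} started by {basename(ev.parent_image)}: {ev.command_line}")


def scan(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    return [r for r in (evaluate(e) for e in events) if r is not None]


# Constructed sample events.
EVENTS = [
    ProcessEvent("2025-09-22T10:01:00Z", 4100, r"C:\Windows\System32\WerFaultSecure.exe",
                 "WerFaultSecure.exe /h /pid 812 /tid 3024 /file 1234",
                 r"C:\Users\alice\AppData\Local\Temp\some_app.exe"),
    ProcessEvent("2025-09-22T10:02:10Z", 4188, r"C:\Windows\System32\WerFault.exe",
                 "WerFault.exe -u -p 2200 -s 1032",
                 r"C:\Windows\System32\svchost.exe", lifetime_s=3.0),
    ProcessEvent("2025-09-22T10:05:30Z", 4302, r"C:\Windows\System32\WerFaultSecure.exe",
                 "WerFaultSecure.exe /h /pid 2200 /tid 4410 /file 1240",
                 r"C:\Users\alice\AppData\Local\Temp\some_app.exe", lifetime_s=600.0),
    ProcessEvent("2025-09-22T10:06:00Z", 4350, r"C:\Windows\System32\notepad.exe",
                 "notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for severity, message in scan(EVENTS):
        print(severity.upper(), message)
```

Two points to carry into a real rule: the PID-to-image resolution has to come from the same telemetry stream (the argument is only a number), and the lifetime check is what separates a legitimate crash dump from a suspension, since the technique's effect is precisely that the dumping process never finishes.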