
April 4, 2025 SANS Internet Storm Center Stormcast: Key Cybersecurity Topics
In the April 4, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich, recording from Jacksonville, Florida, addresses several important cybersecurity topics.

The first item on the agenda is an analysis conducted by intern Gregory Weber on URLs collected by honeypots. Honeypots, by definition, only receive malicious requests. Gregory compared this data with the traffic of a normal website and performed a frequency analysis to distinguish malicious requests from normal ones. Although his model still requires tuning and more data for validation, the approach is promising and fits into a broader trend of automating log analysis and intrusion detection with machine learning techniques.

Another topic discussed is a critical vulnerability in Ivanti Connect Secure, patched in February. Initially, Ivanti had deemed this vulnerability non-exploitable because of specific constraints. However, actors potentially linked to the Chinese state managed to exploit the flaw after reversing the patch, a common technique for pinpointing the exact vulnerability a fix addresses. Exploitation began in March, and Ivanti has since confirmed that the vulnerability has been exploited. The story underscores the importance of never underestimating the creativity and sophistication of attackers.

Johannes also mentions a vulnerability in WinRAR related to incorrect handling of the Mark of the Web when extracting archives that contain symbolic links. Although the flaw is not major, updating is recommended given the software's popularity.

With the US tax filing deadline approaching, Microsoft has issued a warning about tax scams. Johannes advises caution, in particular avoiding fraudulent tax form download sites and using trusted tax filing services. He also reminds listeners to verify the websites used for these services, citing a past example in which a popular site was compromised.
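The honeypot URL frequency analysis described at the start of this episode can be sketched as a small token-level log-likelihood model. The code below is an added illustration, not the intern's model or any ISC code; the honeypot paths, normal-site paths and access-log lines are constructed samples, and the smoothing and margin are assumptions.

```python
import math
import re
from collections import Counter

# Constructed samples: a honeypot sees only unsolicited traffic, while a
# production site sees mostly legitimate requests. Neither list is real data.
HONEYPOT_PATHS = [
    "/.env", "/wp-login.php", "/.env", "/cgi-bin/luci",
    "/boaform/admin/formLogin", "/wp-login.php", "/.git/config", "/xmlrpc.php",
]
NORMAL_PATHS = [
    "/index.html", "/about", "/products/list", "/static/app.js",
    "/index.html", "/contact", "/products/item/42", "/static/style.css",
]
SAMPLE_LOG = [  # constructed Common Log Format lines with RFC 5737 test addresses
    '203.0.113.5 - - [04/Apr/2025:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153',
    '198.51.100.7 - - [04/Apr/2025:10:00:02 +0000] "GET /products/list HTTP/1.1" 200 812',
    '203.0.113.9 - - [04/Apr/2025:10:00:03 +0000] "POST /wp-login.php?redirect_to=/about HTTP/1.1" 404 153',
]
LOG_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def tokenize(path):
    """Split a request path into lowercase segments, dropping any query string."""
    return [seg for seg in path.split("?", 1)[0].lower().split("/") if seg]


class UrlFrequencyModel:
    """Per-token log-likelihood ratio log P(token|honeypot) / P(token|normal)."""

    def __init__(self, honeypot_paths, normal_paths):
        self.hp = Counter(t for p in honeypot_paths for t in tokenize(p))
        self.nm = Counter(t for p in normal_paths for t in tokenize(p))
        self.vocab_size = len(set(self.hp) | set(self.nm))
        self.hp_total, self.nm_total = sum(self.hp.values()), sum(self.nm.values())

    def token_llr(self, token):
        # Add-one smoothing over the joint vocabulary: tokens seen in neither
        # corpus score near zero instead of producing infinities.
        p_h = (self.hp[token] + 1) / (self.hp_total + self.vocab_size)
        p_n = (self.nm[token] + 1) / (self.nm_total + self.vocab_size)
        return math.log(p_h / p_n)

    def score(self, path):
        """Sum of token ratios; positive means the path resembles honeypot traffic."""
        return sum(self.token_llr(t) for t in tokenize(path))

    def is_suspicious(self, path, margin=0.5):
        # A positive margin (assumed value) keeps never-seen paths from being flagged.
        return self.score(path) > margin


def triage(model, log_lines, margin=0.5):
    """Return (path, rounded score) for access-log lines scoring above the margin."""
    flagged = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if m and model.score(m.group(1)) > margin:
            flagged.append((m.group(1), round(model.score(m.group(1)), 3)))
    return flagged
```

Scores are sums over path segments, so a new path built from segments that only ever appeared in honeypot logs scores high even if the exact URL was never seen, which is the generalization the frequency approach relies on.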
Finally, Johannes discusses a data leak at Oracle in which login credentials of some customers were disclosed. Oracle claims the data comes from an old system and is not current, but the group responsible for the leak disputes this. The situation highlights the issue of trust in cloud service providers: users often have to rely on information provided by these companies without being able to verify it.

In conclusion, this edition of the Stormcast emphasizes the importance of vigilance and regular software updates to protect against cyber threats. It also illustrates the increasing complexity and sophistication of attacks, which require ever more advanced security measures.