
New Video from Internet Storm Center: Cybersecurity Updates and Trends
This content is an AI-generated summary. If you encounter any misinformation or problematic content, please report it to cyb.hub@proton.me.
In this April 7, 2025 edition of the Stormcast from the SANS Internet Storm Center, Johannes Ullrich speaks from Jacksonville, Florida. He begins by mentioning a new report he has added to the Storm Center's website. This report focuses on new usernames and passwords used in attacks, valuable information for understanding current cyber threat trends. Ullrich explains that this type of report is already available for web honeypots, URLs, and headers, but was missing for login credentials. He emphasizes that the diversity of passwords makes creating this report particularly complex.
Ullrich shares some interesting observations from his recent analysis. For example, he noticed combinations of first names and last names used as usernames, as well as bugs in certain tools where the first letter of the username is missing. He also mentions an attacker who sent about 14,000 requests using the name of the file containing the usernames as the username, suggesting a poor understanding of the tool used. Ullrich points out that attackers often use exploits they do not fully understand, which can lead to failures even if the target is vulnerable.
Another important point addressed by Ullrich concerns remote code execution attacks in Google Quick Share, presented by Or Y. and Cohen of SafeBreach at the Black Hat Asia conference. Quick Share is Google's equivalent of Apple's AirDrop, allowing quick file exchange between nearby users. However, vulnerabilities allow an attacker to impersonate a trusted user and replace previously received files with malicious ones. Ullrich recommends always restricting which users are authorized to send files, whether via AirDrop or Quick Share.
Ullrich also mentions an "HTTP request smuggling" vulnerability in Apache Traffic Server. These vulnerabilities are complex to exploit but also hard to protect against. They can be used to steal requests or bypass authentication, and it is crucial to patch them to avoid compromising application security. Finally, Ullrich reminds viewers that the next "Patch Tuesday" from Microsoft will take place this week. He invites listeners to share their feedback and report any important stories he may have missed. He concludes by mentioning recent stories about malicious packages in PyPI and npm but specifies that he will only cover them once a week. For more details, you can watch the full video at the following address: https://www.youtube.com/watch?v=Gh28EAnabAw