
SANS Internet Storm Center's Stormcast Highlights Critical Cybersecurity Issues
This content is an AI-generated summary. If you encounter any misinformation or problematic content, please report it to cyb.hub@proton.me.
In the April 21, 2025 edition of the SANS Internet Storm Center's Stormcast, Johannes Ullrich, recording from Jacksonville, Florida, addresses several crucial cybersecurity topics. The first point concerns administrators using Microsoft Entra for authentication. Microsoft recently introduced a new feature called "MACE," aimed at flagging accounts whose credentials have been compromised in the past. Although the idea is sound, the rollout has affected many accounts, with some reports indicating that about a third of accounts have been flagged.
This has resulted in a wave of alerts, posing a challenge for administrators who need to manage these alerts while maintaining operational continuity. Ullrich advises asking users to update their passwords but acknowledges that disabling a third of the accounts is not viable. He suggests finding a quick workaround to keep accounts active while the issue is resolved. Another topic is a new social engineering technique used by attackers to gain access to users' systems via Zoom. Attackers join a Zoom call under a pretext, then change their display name to "Zoom." When they request access to the system, the prompt appears to come from the application itself, increasing the likelihood that the victim will approve it.
Ullrich recommends disabling this access-request feature globally within the organization or educating users about the risk. SonicWall has also updated an old advisory from September 2021 regarding an arbitrary code execution vulnerability that is now being exploited. The vulnerability requires valid credentials, which explains its relatively low CVSS score. However, attackers can obtain credentials by brute force and then exploit the vulnerability to execute arbitrary commands and escalate privileges.
Ullrich emphasizes the importance of monitoring for suspicious devices and taking appropriate action if a compromise is detected. Finally, Ullrich discusses Bubble.io, a no-code platform that allows applications to be generated quickly using AI. Bubble.io exposed Elasticsearch directly to users, leading to security issues. Developers used the application name as key material together with a non-random initialization vector for encryption, making it easy to derive the encryption key and decrypt the data. Despite being notified by researchers in 2024, Bubble.io has yet to fix this flaw, leaving applications vulnerable. In conclusion, this edition of the Stormcast highlights several current challenges in cybersecurity, emphasizing the importance of administrators' vigilance and responsiveness to new threats.