
SANS Internet Storm Center Stormcast: April 25, 2025 Edition on Cybersecurity
This content is an AI-generated summary. If you encounter any misinformation or problematic content, please report it to cyb.hub@proton.me.
In the April 25, 2025 edition of the SANS Internet Storm Center Stormcast, recorded in Jacksonville, Florida, Johannes Ullrich covers four topics. The first is a wave of scans against the ISC honeypots by attackers looking for SMS gateways to abuse. The devices being targeted appear to be from Teltonika, a vendor whose SMS-capable products range from small IoT routers to enterprise gateways. They let a client send text messages over an IP connection through a relatively simple HTTP API, which is what makes an exposed, poorly secured unit attractive to anyone who wants to send texts at someone else's expense.

As is so often the case, the weak point is default credentials. Ullrich notes that the attackers cycle through default usernames and passwords, among them a password "P8XR" whose origin is unknown. To confirm that a gateway actually delivers, they send a test message to phone numbers in Saudi Arabia and Belgium. His advice: change default passwords before a device is reachable from the internet, and avoid buying devices that ship with weak or shared default passwords in the first place. The second topic is a new remote code execution vulnerability in Commvault's backup software.
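The SMS gateway scanning described above lends itself to a simple check over a honeypot's or gateway's HTTP access log. The following Python is an added example, not code from the Stormcast, the ISC or Teltonika. It assumes the gateway's HTTP SMS API takes the username, password, destination number and message text as query-string parameters on a /cgi-bin/sms_send path (an assumption for this example, not taken from vendor documentation), flags requests whose credentials are on a watchlist (the vendor-style defaults in the code are assumed; "P8XR" is the one the summary mentions), and checks whether the destination number is in Saudi Arabia (+966) or Belgium (+32), the two countries named above. The log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed shape of the gateway's HTTP SMS API for this example: credentials, destination
# number and message text as query-string parameters on a CGI path.
SMS_ENDPOINT = re.compile(r"/cgi-bin/sms_send(?:\?|$)")

# Credential watchlist: the "P8XR" password mentioned in the summary plus assumed
# vendor-style defaults. Extend it with whatever your own gateways shipped with.
WEAK_CREDS = {
    ("admin", "admin01"),
    ("admin", "admin"),
    ("admin", "P8XR"),
    ("user1", "user_pass"),
}

# Country codes of the test-message destinations named in the summary.
TEST_DEST_PREFIXES = {"966": "Saudi Arabia", "32": "Belgium"}

# Apache/nginx "combined" style access log line (constructed sample lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_number(number):
    """Reduce '+966...', '00966...' or '966...' to country code plus subscriber digits."""
    digits = re.sub(r"\D", "", number)
    if number.startswith("+"):
        return digits
    if digits.startswith("00"):
        return digits[2:]
    return digits


def destination_country(number):
    """Return the watched country for the number's prefix, or None."""
    normalized = normalize_number(number)
    for prefix, country in TEST_DEST_PREFIXES.items():
        if normalized.startswith(prefix):
            return country
    return None


def analyze_line(line):
    """Return a finding dict for an SMS-API request, None for anything else."""
    match = LOG_RE.match(line)
    if not match:
        return None
    target = match.group("target")
    if not SMS_ENDPOINT.search(target):
        return None
    params = parse_qs(urlsplit(target).query)   # parse_qs URL-decodes the values
    username = params.get("username", [""])[0]
    password = params.get("password", [""])[0]
    number = params.get("number", [""])[0]
    weak = (username, password) in WEAK_CREDS
    country = destination_country(number)
    return {
        "ip": match.group("ip"),
        "timestamp": match.group("ts"),
        "username": username,
        "weak_credential": weak,
        "number": number,
        "test_destination": country,
        "status": int(match.group("status")),
        # Both traits together are the pattern described in the Stormcast.
        "matches_campaign": weak and country is not None,
    }


def scan(lines):
    """Run analyze_line over an iterable of log lines and keep the hits."""
    return [finding for finding in map(analyze_line, lines) if finding]


# Constructed sample log lines (RFC 5737 documentation addresses, made-up numbers).
SAMPLE_LOG = [
    '198.51.100.23 - - [24/Apr/2025:03:14:07 +0000] "GET /cgi-bin/sms_send?username=admin&password=admin01&number=00966512345678&text=test HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [24/Apr/2025:03:14:09 +0000] "GET /cgi-bin/sms_send?username=admin&password=P8XR&number=%2B32470123456&text=hi HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Apr/2025:03:20:00 +0000] "GET /cgi-bin/sms_send?username=ops&password=Kx9%24long&number=0037012345678&text=alert HTTP/1.1" 200 17 "-" "curl/8.0"',
    '203.0.113.9 - - [24/Apr/2025:03:21:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        flag = "CAMPAIGN" if finding["matches_campaign"] else "sms-api"
        print(f'{flag:8} {finding["ip"]} user={finding["username"]} '
              f'weak={finding["weak_credential"]} dest={finding["test_destination"]} '
              f'http={finding["status"]}')
```

Point it at the gateway's own access log or at a honeypot that answers on the SMS path. A request carrying watchlisted credentials to a Saudi or Belgian number is the campaign signature; an HTTP 200 on such a request deserves the most attention, because the device accepted it rather than rejecting the login.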
The Commvault flaw, in the product's Command Center component, requires no authentication: an attacker can upload a package containing a webshell and then run arbitrary code on the server. Ullrich urges patching right away, even though the ISC honeypots have not yet recorded any exploitation attempts.

The third topic is how quickly vulnerabilities get exploited. Looking at data for the first quarter of 2025, Ullrich notes that more than a quarter of the vulnerabilities known to be exploited were attacked within a day of being disclosed. Network edge devices and operating systems are hit hardest, followed by content management systems; the latter, WordPress plugins in particular, are easy to overlook simply because there are so many of them.

Finally, there is a lingering problem with the "inetpub" folder that recent Windows updates create. A proof of concept published by Kevin Beaumont shows that any user can create a junction named "inetpub" that points at a system binary, after which subsequent Windows updates fail to install. Ullrich advises monitoring systems for unexpected junctions and waiting for Microsoft's fix, expected in the May update.

The episode is a useful snapshot of current threats and of the steps to take against them. The full video is at https://www.youtube.com/watch?v=AVL0F8GGhHY
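The junction check Ullrich recommends for the inetpub problem can be scripted. The following Python is an added example, not code from the Stormcast, from Kevin Beaumont or from Microsoft. It uses os.lstat to see whether a path is a reparse point (a junction or a symlink) and os.readlink to learn where it points, with a POSIX symlink fallback so the same logic runs on Linux or macOS for testing. The inetpub path and the list of Windows system directories are assumptions for the example, as is the idea that a malicious junction points under those directories; the page only says it points at a system binary.

```python
import os
import stat
import sys

# Assumptions for this example: the folder the update creates, and the system directories
# a malicious junction would typically point into.
INETPUB = r"C:\inetpub"
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def inspect_path(path):
    """Describe whether `path` is a reparse point (junction or symlink) and its target.

    A legitimate inetpub is an ordinary directory, so any reparse point there is
    suspicious on its own; use points_into_system() to rank the finding.
    """
    try:
        st = os.lstat(path)          # lstat: do not follow the link we are looking for
    except FileNotFoundError:
        return {"exists": False, "reparse": False, "target": None, "suspicious": False}
    # Windows sets FILE_ATTRIBUTE_REPARSE_POINT on junctions and symlinks alike; the
    # POSIX symlink bit is the fallback that lets the same code run on Linux/macOS.
    attrs = getattr(st, "st_file_attributes", 0)
    reparse_bit = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0)
    reparse = bool(attrs & reparse_bit) or stat.S_ISLNK(st.st_mode)
    target = None
    if reparse:
        try:
            target = os.readlink(path)   # resolves junctions on Windows since Python 3.8
        except OSError:
            target = None                # unreadable reparse point: still report it
    return {"exists": True, "reparse": reparse, "target": target, "suspicious": reparse}


def points_into_system(target):
    """True when a junction/symlink target lies under a Windows system directory."""
    if not target:
        return False
    # readlink may return an extended-length path: strip the \\?\ prefix before comparing.
    cleaned = target.lower()
    if cleaned.startswith("\\\\?\\"):
        cleaned = cleaned[4:]
    return any(cleaned.startswith(d) for d in SYSTEM_DIRS)


def audit(path=INETPUB):
    """One verdict per path: 'missing', 'ok', 'junction' or 'junction-to-system'."""
    info = inspect_path(path)
    if not info["exists"]:
        return "missing"
    if not info["reparse"]:
        return "ok"
    return "junction-to-system" if points_into_system(info["target"]) else "junction"


if __name__ == "__main__":
    verdict = audit(INETPUB)
    print(f"{INETPUB}: {verdict}")
    # Non-zero exit so a scheduled task or monitoring agent can alert on the result.
    sys.exit(0 if verdict in ("missing", "ok") else 1)
```

Run it as a scheduled task or from an endpoint agent on every Windows host; a "junction" or "junction-to-system" verdict for C:\inetpub is the condition to alert on, and the target returned by inspect_path tells the responder what the junction was aimed at.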