
Crucial Cybersecurity Topics Discussed in the SANS Internet Storm Center Stormcast
In this May 9, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich, recording from San Diego, California, covers several notable cybersecurity topics.

The first item is an SSH tip shared by ISC handler Xavier Mertens. The problem: you can SSH into a host, but the host itself has no outgoing connectivity because a firewall blocks its egress traffic. The proposed solution uses the SSH session you already have as the transport. A port forward over that session makes an HTTP proxy, running on a machine that does have Internet access, reachable from the isolated host, so tools there can fetch updates and packages through it. Because SSH can forward arbitrary ports, the same session can carry additional traffic as well, which makes this an effective workaround whenever SSH is the only protocol allowed through. Johannes adds a related trick: SSH's point-to-point tunnel mode can build a full layer-3 VPN. It is not as robust as a dedicated VPN solution, but it can be very useful when needed, for example on restricted hotel or conference-center networks.

Johannes then turns to a vulnerability in Samsung MagicINFO 9 Server, the software used to manage content on Samsung digital signage (advertising) displays. Samsung patched the vulnerability last August, but Huntress found that fully updated installations remain exploitable, which means either the original fix was ineffective or a second, very similar vulnerability exists. Because the flaw is already being used by botnets such as Mirai, the practical advice is to make sure MagicINFO is not reachable from the Internet at all.

The next topic concerns Endpoint Detection and Response (EDR). Johannes describes a new technique, documented by Aon's incident response team, that attackers used to disable the SentinelOne EDR agent on a host. It abuses the agent's own upgrade process, which was not adequately protected against local tampering: during an upgrade the running agent is stopped before the new version is in place, and by terminating the installer in that window the attackers left the host with no endpoint protection. SentinelOne has published recommendations to protect against this attack, notably requiring authorization from the management console for local agent upgrades, downgrades and uninstalls, and it is essential to apply them.

Finally, Johannes reports an incomplete patch for a vulnerability in Commvault's software. Although the vulnerability was patched two weeks ago, Will Dormann discovered that the exploit still works against fully patched versions. Backup systems are high-value targets, so it is crucial to check them and make sure they are isolated from untrusted networks. Taken together, these items illustrate the ongoing challenges security professionals face, from incomplete patches to tampering with the tools meant to protect endpoints, and the concrete steps available to address them: stay informed, apply vendor guidance promptly, and keep management interfaces off the Internet.
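The two SSH techniques discussed above, as an added example that is not code from the ISC diary or from the Stormcast. It assumes three hypothetical Linux machines: `workstation`, where the script runs, which can reach the Internet and runs an HTTP proxy (tinyproxy, squid or similar) on 127.0.0.1:3128; `isolated`, reachable from the workstation over SSH but whose own outbound traffic is blocked; and `vps`, a server you control, used for the hotel-network case. The reverse port forward (`-R`) is my choice for exposing the proxy; the `-w` tunnel mode is the point-to-point VPN Johannes mentions and needs root on both ends plus `PermitTunnel yes` in the VPS `sshd_config`. The interface name `eth0` and the 10.99.0.0/30 addresses are assumptions.

```shell
#!/bin/sh
# Added example, not code from the ISC diary or the Stormcast.
# Assumed (hypothetical) hosts:
#   workstation - runs this script; has Internet access and an HTTP proxy
#                 listening on 127.0.0.1:3128
#   isolated    - reachable over SSH from the workstation, egress blocked
#   vps         - a server you control, for the restricted-network VPN case
set -eu

ISOLATED=${ISOLATED:-isolated}
PROXY_PORT=${PROXY_PORT:-3128}
VPS=${VPS:-vps}
VPS_EXT_IF=${VPS_EXT_IF:-eth0}    # assumed Internet-facing interface on the VPS

# -R spec: sshd on the isolated host listens on 127.0.0.1:port and relays each
# connection back through the SSH session to the proxy on the workstation.
reverse_forward_spec() {
    printf '127.0.0.1:%s:127.0.0.1:%s' "$1" "$1"
}

# Environment that tools on the isolated host need so that their HTTP(S)
# traffic goes to the forwarded port instead of the blocked egress path.
proxy_env() {
    printf 'export http_proxy=http://127.0.0.1:%s\n' "$1"
    printf 'export https_proxy=http://127.0.0.1:%s\n' "$1"
    printf 'export no_proxy=localhost,127.0.0.1\n'
}

# Method 1: give the isolated host an HTTP proxy over the inbound SSH session.
# The firewall only ever sees the SSH connection that is already allowed.
proxy_tunnel() {
    proxy_env "$PROXY_PORT" | ssh "$ISOLATED" 'cat > ~/.proxy_env'
    echo "On $ISOLATED run: . ~/.proxy_env && curl -I https://isc.sans.edu/"
    ssh -N -R "$(reverse_forward_spec "$PROXY_PORT")" "$ISOLATED"
}

# Method 2: a full layer-3 VPN with SSH tunnel mode (-w), run as root from a
# laptop on a restricted network towards the VPS. Needs root on both ends and
# "PermitTunnel yes" in the VPS sshd_config. TCP carried inside TCP makes it
# less robust than a purpose-built VPN, but it works when nothing else does.
vpn_tunnel() {
    vps_ip=$(getent hosts "$VPS" | awk '{print $1; exit}')
    gw=$(ip route show default | awk '/default/ {print $3; exit}')

    # -w 0:0: tun0 on the laptop <-> tun0 on the VPS, carried by the session
    ssh -f -N -w 0:0 "root@$VPS"
    sleep 1    # give sshd a moment to create its tun0

    # Addresses on both ends, then forwarding and NAT on the VPS
    ssh "root@$VPS" "ip addr add 10.99.0.2/30 dev tun0 && ip link set tun0 up \
        && sysctl -w net.ipv4.ip_forward=1 \
        && iptables -t nat -A POSTROUTING -s 10.99.0.0/30 -o $VPS_EXT_IF -j MASQUERADE"
    ip addr add 10.99.0.1/30 dev tun0 && ip link set tun0 up

    # Keep the SSH session itself on the restricted network's gateway, then
    # send everything else through the tunnel.
    ip route add "$vps_ip/32" via "$gw"
    ip route replace default via 10.99.0.2 dev tun0
}

case "${1:-}" in
    proxy) proxy_tunnel ;;
    vpn)   vpn_tunnel ;;
esac
```

Run `sh tunnel.sh proxy` for the first case and, as root, `sh tunnel.sh vpn` for the second. With the proxy method, only applications that honour `http_proxy`/`https_proxy` (or are configured for a proxy explicitly) gain connectivity, which is also what keeps the exposure narrow; the `-w` tunnel, by contrast, routes the whole host, so tear it down (`ip route del default dev tun0` and kill the backgrounded ssh) when you are done.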