
New Stormcast Podcast Discusses Cybersecurity Challenges and Solutions
In this May 12, 2025 edition of the Stormcast podcast from the SANS Internet Storm Center, Johannes Ullrich speaks from Jacksonville, Florida and covers several critical cybersecurity topics.

First, Johannes mentions the solution DD published for the previous week's steganography challenge. Unlike the usual approach, where the hidden data follows the pixels row by row, this challenge embedded the data vertically, so the pixel data had to be transposed before it could be decoded. DD wrote a tool to automate this step; the details are in his diary post.

Next, Johannes discusses an FBI press release on the use of compromised routers as proxies to build criminal infrastructure. This is not new, but the FBI stresses that end-of-life devices are particularly vulnerable. One botnet identified in this activity is TheMoon, known since February 2014. Such botnets evolve constantly, adding new vulnerabilities to their arsenal. The FBI notes that the compromised devices are turned into proxy servers and resold to other criminal groups to mask their tracks; in some cases these proxies have even been used by more advanced adversaries. Johannes recommends tracking the end-of-life dates of network devices, noting the date directly on the device to make replacement easier, and checking regularly for firmware updates, an essential practice for home devices as well as small businesses.

Johannes also addresses two vulnerabilities fixed by ASUS in its DriverHub software that allowed arbitrary code execution. They were caused by poor verification of the HTTP request origin, which let an attacker impersonate the legitimate site using malicious subdomains. Paul from MrBruh discovered and reported these vulnerabilities but received neither recognition nor a reward for his efforts.
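The origin-check weakness described above, as an added illustration that is not ASUS's or the podcast's code: a substring match on the Origin header (which a look-alike host satisfies) beside a strict check that compares the parsed scheme, host and port against one trusted origin. The trusted host `updates.example.com` and the sample origins are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed placeholder for the single site allowed to talk to a local service.
TRUSTED_HOST = "updates.example.com"


def weak_origin_check(origin):
    """Flawed check: accepts any Origin that merely contains the trusted name.

    A host such as updates.example.com.attacker.example, a path that repeats the
    name, or userinfo before an '@' all pass, which is the class of bug described
    in the podcast summary.
    """
    return origin is not None and TRUSTED_HOST in origin


def strict_origin_check(origin):
    """Hardened check: parse the Origin and require an exact scheme/host/port match."""
    if not origin:
        # Missing or empty Origin: treat as untrusted, never as "same site".
        return False
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # A serialized origin is scheme://host[:port] only; anything extra is malformed.
    if parts.path or parts.query or parts.fragment:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower()
    return host == TRUSTED_HOST and port in (None, 443)


def compare(origins):
    """Return {origin: (weak_result, strict_result)} for a list of Origin values."""
    return {o: (weak_origin_check(o), strict_origin_check(o)) for o in origins}


if __name__ == "__main__":
    samples = [
        "https://updates.example.com",
        "https://updates.example.com.attacker.example",  # look-alike subdomain
        "https://attacker.example/updates.example.com",  # name only in the path
        "https://updates.example.com@attacker.example",  # name as userinfo
        "http://updates.example.com",                    # wrong scheme
    ]
    for origin, (weak, strict) in compare(samples).items():
        print(f"{origin:50} weak={weak!s:5} strict={strict}")
```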
Finally, Johannes talks about SEO poisoning attacks used to trick administrators into installing backdoored versions of RVTools, a VMware management tool. Once installed, the malware establishes an SSH channel to the attacker, enabling remote code execution and data exfiltration. These attacks now target niche products, since search engines have become better at filtering out such results for more common software. In closing, Johannes reminds listeners that the following Tuesday is Microsoft Patch Tuesday and thanks them for their support and loyalty to the podcast.