
SANS Internet Storm Center Stormcast: May 13, 2025 Edition
In this May 13, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich discusses the latest security updates and currently exploited vulnerabilities.

He begins with the patches Apple has just published, which fix 65 different vulnerabilities. One particularly notable vulnerability involves an audio stream and is already being actively exploited. Apple had released a patch for it in April, but that fix applied only to the most recent versions of iOS and macOS; this update extends the fix to older versions, going back to macOS Ventura. Ullrich also mentions several other significant vulnerabilities, including ones in WebKit that could allow code execution if a user visits a malicious website. Another interesting vulnerability concerns FaceTime, where the mute button did not always work as intended.

The podcast also covers a new default username and password combination detected by the SANS honeypots and used by devices from Uni Technology: the username is "uni" and the password is "uni.technology". Although the company recommends changing this default password, it is still in use, which poses a security risk. The detected malware also exploits an old Netgear vulnerability from 2013 that only received a CVE number in 2024. This vulnerability has been used to compromise outdated and unpatched routers, as revealed by a recent FBI operation.

Ullrich then discusses a new vulnerability in Output Messenger, a local messaging application often used by administrators. This directory traversal vulnerability allows an attacker to access files on the user's system, which may contain sensitive information. Microsoft has attributed the attacks to a group called Marbled Dust, which targets victims in the Middle East and Europe. It is crucial to update the application as soon as possible, since the vulnerability is being actively exploited.

Finally, Ullrich revisits a previously discussed vulnerability in Commvault. Although Commvault released a patch, a security researcher initially stated that the patch was not complete. Commvault has since clarified that the patch is effective, but users must register their version to receive security updates. Ullrich concludes by mentioning an upcoming workshop on honeypots at the SANSFIRE event, where participants can learn to install and manage honeypots in their network. For more details, watch the full video at the following address: https://www.youtube.com/watch?v=bZUkRYwDS_w
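As an added example (not code from the Stormcast or from the ISC honeypots), the following detection pass runs over a few constructed honeypot records in JSON-lines form, counts login attempts that use the "uni" / "uni.technology" default pair mentioned above, and flags request paths with directory traversal sequences. The record format, field names, source addresses and request path are assumptions for the example.

```python
import json
import re
from collections import Counter

# Constructed sample honeypot records (JSON lines); addresses are documentation ranges.
SAMPLE_LOG = """
{"ts":"2025-05-12T03:14:07Z","src":"203.0.113.7","event":"login","user":"uni","pass":"uni.technology","proto":"telnet"}
{"ts":"2025-05-12T03:14:09Z","src":"203.0.113.7","event":"login","user":"root","pass":"root","proto":"telnet"}
{"ts":"2025-05-12T03:15:41Z","src":"198.51.100.23","event":"login","user":"uni","pass":"uni.technology","proto":"telnet"}
{"ts":"2025-05-12T03:16:02Z","src":"198.51.100.23","event":"http","path":"/api/files?name=../../../../etc/passwd"}
{"ts":"2025-05-12T03:17:55Z","src":"192.0.2.99","event":"login","user":"alice","pass":"correct-horse","proto":"ssh"}
"""

# Default credential pairs worth alerting on. The uni/uni.technology pair is the one
# the episode reports from the ISC honeypots; the others are common vendor placeholders.
DEFAULT_CREDS = {("uni", "uni.technology"), ("root", "root"), ("admin", "admin")}

# Matches "../" style sequences, including URL-encoded dots and slashes (%2e, %2f, %5c).
TRAVERSAL_RE = re.compile(r"(\.\.|%2e%2e)(/|\\|%2f|%5c)", re.IGNORECASE)


def analyze(log_text):
    """Group findings per source address: default-credential attempts and traversal paths."""
    findings = {}
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        entry = findings.setdefault(rec["src"], {"default_creds": Counter(), "traversal": []})
        if rec["event"] == "login" and (rec["user"], rec["pass"]) in DEFAULT_CREDS:
            entry["default_creds"][(rec["user"], rec["pass"])] += 1
        elif rec["event"] == "http" and TRAVERSAL_RE.search(rec.get("path", "")):
            entry["traversal"].append(rec["path"])
    return findings


def sources_trying_pair(findings, user, password):
    """Sorted list of source addresses that tried a specific credential pair."""
    return sorted(src for src, f in findings.items() if f["default_creds"][(user, password)])


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    print("uni/uni.technology seen from:", sources_trying_pair(results, "uni", "uni.technology"))
    for src, f in results.items():
        if f["traversal"]:
            print(f"traversal attempts from {src}: {f['traversal']}")
```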