
Cybersecurity Insights from Stormcast: Scanning, DNS Vulnerabilities, and Encryption Flaws
In this May 21, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich addresses several current topics in cybersecurity.

The first concerns RFC 9511, which recommends that researchers conducting internet-wide scans identify their probes as research so that the targets of those scans can contact the organization behind them. The RFC proposes several methods: serving a probe description file at a well-known path on the scanning host itself (/.well-known/probing.txt), or embedding attribution such as a URL in the payload of the probe. For scans of web applications the common practice is to put a URL in the User-Agent string. Ullrich notes that the Storm Center publishes a list of IP addresses it considers to belong to research organizations conducting scans. Some of these organizations are commercial, but their stated goal is to scan the internet to identify infected or misconfigured systems; Shodan and Censys are among the largest. At the time of the episode the list held about 33,000 addresses across 39 tracked groups. It remains difficult to distinguish genuine researchers from attackers posing as such: researcher behavior is generally consistent with non-malicious activity, but that is exactly why clear self-identification matters, and an attribution string in a user agent is a claim to be checked against the published list and the scanner's own description file, not proof on its own.

The second topic is dangling CNAME records in DNS. A CNAME record is an alias that redirects requests for one hostname to another, and it is often used to point a name in the organization's domain at a cloud resource. If that resource is later decommissioned but the CNAME is left in place, the alias points at a name nobody owns. An attacker who registers that freed cloud resource name receives the traffic and can serve content under a hostname in the victim's domain, gaining a foothold that inherits the domain's trust. Infoblox, whose research Ullrich cites, emphasizes that the attack is not trivial, since finding such records at scale requires access to large amounts of DNS data.
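The scan-attribution practice described above can be checked from the receiving side. The following is an added example, not code from the Stormcast or the Storm Center: it parses constructed web server log lines, pulls the attribution URL out of each scanner's User-Agent the way RFC 9511 suggests, compares the source address against a stand-in for the published research scanner list (the single prefix here is hypothetical), and reports where to look for the scanner's own probe description file when no attribution is present. The sample log lines, IP addresses and URLs are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample web server log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [21/May/2025:10:00:01 +0000] "GET /.well-known/security.txt HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; ExampleResearchScan/1.0; +https://research.example.org/scan)"
203.0.113.9 - - [21/May/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.33 - - [21/May/2025:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "python-requests/2.31"
203.0.113.50 - - [21/May/2025:10:00:04 +0000] "GET /admin HTTP/1.1" 404 162 "-" "ScanBot/0.1 (+https://scan.example.net/about)"
198.51.100.200 - - [21/May/2025:10:00:05 +0000] "GET /phpmyadmin HTTP/1.1" 404 162 "-" "python-requests/2.31"
"""

# Hypothetical allowlist of research scanner prefixes. In practice load the
# published list of research scanner IPs (for example the ISC's) instead of this stub.
KNOWN_RESEARCH_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# RFC 9511 attribution in an HTTP probe is usually a URL embedded in the
# User-Agent; this pulls out the first http(s) URL in the string.
URL_RE = re.compile(r'https?://[^\s;)"]+')


@dataclass
class ScanSource:
    ip: str
    user_agent: str
    attribution_url: Optional[str]
    in_research_list: bool

    @property
    def verdict(self) -> str:
        if self.attribution_url and self.in_research_list:
            return "research (self-identified, listed)"
        if self.attribution_url:
            return "claims research (verify the URL before trusting)"
        if self.in_research_list:
            return "listed research source but no attribution in payload"
        return "unattributed"


def probe_description_url(ip: str) -> str:
    """URL of the RFC 9511 probe description file a cooperating scanner
    should serve on the scanning host itself."""
    return f"http://{ip}/.well-known/probing.txt"


def is_listed(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_RESEARCH_PREFIXES)


def classify(log_text: str) -> Dict[str, ScanSource]:
    """Group log lines by source IP and decide whether each source identifies itself."""
    sources: Dict[str, ScanSource] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the combined format
        ip, ua = m.group("ip"), m.group("ua")
        url = URL_RE.search(ua)
        src = sources.get(ip)
        if src is None:
            sources[ip] = ScanSource(ip, ua, url.group(0) if url else None, is_listed(ip))
        elif url and not src.attribution_url:
            # Keep the first attribution URL seen for a source that was anonymous earlier.
            src.attribution_url = url.group(0)
    return sources


if __name__ == "__main__":
    for src in classify(SAMPLE_LOG).values():
        print(f"{src.ip:16} {src.verdict:55} {src.attribution_url or '-'}")
        if src.attribution_url is None:
            print(f"{'':16} check {probe_description_url(src.ip)}")
```

The four verdicts separate the cases the episode discusses: a source that both self-identifies and appears on the list, a source that only claims to be research (the URL has to be visited and the organization confirmed), a listed source that is not announcing itself in its probes, and everything else. The probe description URL is only a pointer to fetch out of band; the script deliberately makes no network requests.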
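The dangling CNAME condition described in the second topic is something a zone owner can audit without the passive DNS data attackers need, because the owner already has the zone. The following is an added example, not code from the Stormcast or from Infoblox: it walks a constructed zone export, resolves each CNAME target, and flags aliases whose target no longer exists, distinguishing targets outside the zone (takeover candidates, since anyone who claims the freed cloud name answers for the owner hostname) from stale in-zone aliases. The zone records, provider hostnames and answers are constructed; the `fake_resolver` stands in for DNS so the example runs offline, and `live_resolver` shows the same check against the system resolver. It only detects targets that return no answer at all; a target that still resolves but points at an unclaimed resource (an unregistered bucket or app name behind a provider wildcard) needs a provider-specific check that this example does not do.

```python
import socket
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], Optional[List[str]]]

# Constructed zone export (hypothetical example.com records).
ZONE: List[Tuple[str, str, str]] = [
    ("www.example.com.", "CNAME", "example-site.azurewebsites.net."),
    ("assets.example.com.", "CNAME", "d1234abcd.cloudfront.net."),
    ("old-app.example.com.", "CNAME", "retired-app.trafficmanager.net."),
    ("intranet.example.com.", "CNAME", "portal.example.com."),
    ("legacy.example.com.", "CNAME", "decom.example.com."),
    ("portal.example.com.", "A", "192.0.2.10"),
    ("mail.example.com.", "A", "192.0.2.11"),
]

# Constructed view of what public DNS answers for each target. None models
# NXDOMAIN: the resource behind the alias has been released or deleted.
FAKE_ANSWERS: Dict[str, Optional[List[str]]] = {
    "example-site.azurewebsites.net.": ["20.0.2.1"],
    "d1234abcd.cloudfront.net.": ["198.51.100.20"],
    "retired-app.trafficmanager.net.": None,
    "portal.example.com.": ["192.0.2.10"],
    "decom.example.com.": None,
}


def fake_resolver(name: str) -> Optional[List[str]]:
    """Offline stand-in for DNS; returns None for names that no longer exist."""
    return FAKE_ANSWERS.get(name)


def live_resolver(name: str) -> Optional[List[str]]:
    """Real lookup through the system resolver. Returns None when the name does
    not resolve (NXDOMAIN or any other lookup failure; it does not tell them apart,
    so confirm a hit with dig before acting on it)."""
    try:
        infos = socket.getaddrinfo(name.rstrip("."), None)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def find_dangling_cnames(zone: List[Tuple[str, str, str]], resolve: Resolver,
                         apex: str) -> List[Tuple[str, str, str]]:
    """Return (owner, target, risk) for every CNAME whose target no longer resolves.

    risk is "takeover-candidate" when the target lies outside the zone (a third
    party can register the freed name and answer for the owner hostname) and
    "stale-internal" when the target is in the zone (clean-up, not takeover)."""
    findings: List[Tuple[str, str, str]] = []
    for owner, rtype, target in zone:
        if rtype != "CNAME":
            continue
        if resolve(target) is not None:
            continue  # target still answers; nothing dangling here
        external = target != apex and not target.endswith("." + apex)
        risk = "takeover-candidate" if external else "stale-internal"
        findings.append((owner, target, risk))
    return findings


if __name__ == "__main__":
    # Swap fake_resolver for live_resolver to run this against a real zone export.
    for owner, target, risk in find_dangling_cnames(ZONE, fake_resolver, "example.com."):
        print(f"{risk:20} {owner} -> {target}")
```

A takeover-candidate finding is resolved by deleting the CNAME or re-provisioning the resource under the same name; the stale-internal case is a hygiene issue but still worth removing so it never becomes the former when the zone is later split across providers.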
Finally, Ullrich discusses a vulnerability in OpenPGP.js, the JavaScript OpenPGP library used for end-to-end encryption in browser-based applications such as webmail clients. The library did not verify message signatures correctly: a crafted message could be passed to its verify or decrypt functions and come back reported as validly signed while the data returned was not what had actually been signed. That allows forgery of the apparent content of signed messages and defeats the integrity guarantee that end-to-end encryption is supposed to provide. Updating to a patched release (5.11.3 on the 5.x line, 6.1.1 on the 6.x line, or later) closes the issue; applications that pull the library in as a transitive dependency should check their lock files, not only their direct dependencies.

In conclusion, this episode covers research scanning practices, a DNS misconfiguration that enables hostname takeover, and a flaw in a widely used encryption library, all of which are directly actionable for practitioners responsible for protecting their systems.
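Because a browser application can pick up OpenPGP.js through another package as easily as directly, the practical check is on the lock file rather than on package.json. The following is an added example, not code from the Stormcast or from the OpenPGP.js project: it reads an npm package-lock.json (lockfile versions 1, 2 and 3), finds every copy of the openpgp package, and reports which copies predate the fixed releases. The fixed versions (5.11.3 and 6.1.1) are taken as the boundary of the affected range for this example; confirm them against the project's advisory before relying on the output. The lock file contents and package names are constructed.

```python
import json
from typing import Dict, Iterator, List, Tuple

# Releases of OpenPGP.js that carry the signature verification fix. Assumption for
# this example: anything on the 5.x line below 5.11.3 or on the 6.x line below
# 6.1.1 is affected; other major lines are outside the advisory's affected range.
FIXED_BY_MAJOR: Dict[int, Tuple[int, int, int]] = {5: (5, 11, 3), 6: (6, 1, 1)}

# Constructed package-lock.json (lockfileVersion 3) for a hypothetical webmail client
# that depends on openpgp directly and again through a hypothetical legacy-widget.
SAMPLE_LOCK = json.dumps({
    "name": "webmail-client",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "webmail-client", "dependencies": {"openpgp": "^6.1.0"}},
        "node_modules/openpgp": {"version": "6.1.0"},
        "node_modules/legacy-widget": {"version": "1.0.0",
                                       "dependencies": {"openpgp": "^5.11.3"}},
        "node_modules/legacy-widget/node_modules/openpgp": {"version": "5.11.3"},
    },
})


def is_vulnerable(version: str) -> bool:
    """True when a semver string falls below the fixed release of its major line."""
    core, _, prerelease = version.partition("-")
    core = core.split("+")[0]  # drop build metadata
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    major, minor, patch = parts[:3]
    fixed = FIXED_BY_MAJOR.get(major)
    if fixed is None:
        return False  # not in the affected range (older lines should be upgraded anyway)
    if (major, minor, patch) < fixed:
        return True
    # A prerelease of the fixed version (e.g. 6.1.1-rc.1) sorts before the release
    # in semver and may not contain the fix, so flag it as well.
    return bool(prerelease) and (major, minor, patch) == fixed


def iter_openpgp_versions(lock: dict) -> Iterator[Tuple[str, str]]:
    """Yield (install path, version) for every openpgp copy in the lock file."""
    if "packages" in lock:  # lockfileVersion 2 or 3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if path.endswith("node_modules/openpgp") and "version" in meta:
                yield path, meta["version"]
        return

    def walk(deps: dict, prefix: str) -> Iterator[Tuple[str, str]]:
        # lockfileVersion 1: nested "dependencies" trees
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == "openpgp" and "version" in meta:
                yield path, meta["version"]
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def audit(lock_text: str) -> List[Tuple[str, str, bool]]:
    """Return (path, version, vulnerable) for every openpgp copy in a package-lock.json."""
    lock = json.loads(lock_text)
    return [(path, ver, is_vulnerable(ver)) for path, ver in iter_openpgp_versions(lock)]


if __name__ == "__main__":
    for path, ver, bad in audit(SAMPLE_LOCK):
        print(f"{'VULNERABLE' if bad else 'ok        '} openpgp {ver:10} at {path}")
```

In the constructed lock file the direct dependency is the affected one while the nested copy is already patched, which is the situation a package.json-only check gets backwards: the top-level range "^6.1.0" looks current, but the resolved version in the lock is what actually ships.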