
SANS Internet Storm Center's Stormcast Highlights Crucial Cybersecurity Topics
In the May 23, 2025 edition of the SANS Internet Storm Center's Stormcast, Johannes Ullrich discusses several critical cybersecurity topics.

The first point addressed is securing access to home or small business networks via 5G or satellite connections. These types of connections typically do not provide a public IP address, so reaching the network from outside requires a tunnel to an external jump host. Ullrich emphasizes the importance of securing these tunnels, because a compromise of the jump host could grant direct and potentially unauthenticated access to the internal network. He suggests scripts that generate alerts whenever a connection is made to the jump host, and stresses that the tunnel must not become a way of bypassing security controls without adequate security measures placed around it.

The second topic is a vulnerability in Windows Server 2025 identified by Akamai's Yuval Gonen. It involves delegated Managed Service Accounts (dMSA), a new feature introduced to simplify service account management. The issue lies in the ability to migrate existing service accounts to a dMSA: an attacker who can create a new dMSA can have it inherit the permissions of an existing account. This flaw enables privilege escalation, giving the attacker the permissions of existing service accounts. Microsoft rates the vulnerability as moderate, but Akamai points out that the permission to create service accounts is not always well controlled. To mitigate the risk, Akamai proposes PowerShell scripts to identify the users who hold that permission and to monitor account migrations.

Finally, Ullrich discusses a vulnerability in the Node.js library samlify, which is used to implement SAML. The vulnerability is a signature wrapping attack: an attacker adds extra data to a SAML assertion outside the signed portion, and the recipient accepts the entire message as valid. This class of flaw is common in signed XML implementations and underscores the importance of verifying and updating the libraries in use.
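As an added example (not code from the Stormcast, from samlify, or from any vendor mentioned above), the Python below shows the structural check that stops the wrapping just described: the consumer acts only on the assertion named by the signature's Reference URI and rejects any response carrying more than one assertion. It assumes the cryptographic XML-DSig verification has already been performed by a proper library, and the two SAML responses are constructed placeholders with dummy signature values.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def naive_subject(xml_text):  # flawed consumer: trusts the first Assertion, signed or not
    return ET.fromstring(xml_text).findtext(".//saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)

def signed_assertion(xml_text):
    """Return the one Assertion the enveloped Signature covers, or raise ValueError.
    Assumes the XML-DSig cryptographic check has already passed (not done here)."""
    root = ET.fromstring(xml_text)
    assertions = root.findall(".//saml:Assertion", NS)
    # Wrapping works by smuggling in an extra, unsigned assertion: refuse outright.
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion, found %d" % len(assertions))
    assertion = assertions[0]
    sig = assertion.find("ds:Signature", NS)  # must be a direct child (enveloped signature)
    if sig is None:
        raise ValueError("Assertion carries no Signature")
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    # Exactly one Reference, and its URI must name this very assertion, not another element.
    if len(refs) != 1 or refs[0].get("URI") != "#" + assertion.get("ID", ""):
        raise ValueError("Signature Reference does not cover the consumed Assertion")
    return assertion

def consumed_subject(xml_text):
    """NameID the application may act on, or None when the response must be rejected."""
    try:
        return signed_assertion(xml_text).findtext("saml:Subject/saml:NameID", namespaces=NS)
    except ValueError:
        return None

# Constructed samples below; signature values are placeholders, not real XML-DSig output.
def _assertion(aid, name, signed):
    sig = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>'
           '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>' % aid
           if signed else "")
    return ('<saml:Assertion ID="%s">%s<saml:Subject><saml:NameID>%s</saml:NameID>'
            '</saml:Subject></saml:Assertion>' % (aid, sig, name))

def _response(body):
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s">%s</samlp:Response>'
            % (NS["samlp"], NS["saml"], NS["ds"], body))

LEGIT = _response(_assertion("_a1", "alice", True))
# The signed assertion for alice is left intact; an unsigned one naming admin is placed in front.
WRAPPED = _response(_assertion("_x9", "admin", False) + _assertion("_a1", "alice", True))
```

Running `naive_subject(WRAPPED)` yields "admin", which is exactly the behaviour the wrapping attack relies on, while `consumed_subject(WRAPPED)` returns None and `consumed_subject(LEGIT)` returns "alice".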
The practical implications of these discussions are significant. For small businesses and home networks, it is crucial to secure connection tunnels to prevent unauthorized access. Windows Server 2025 administrators must be vigilant in managing service accounts and monitoring migrations to prevent privilege escalation. Lastly, developers using libraries like samlify must ensure they are regularly updated to avoid vulnerabilities. For more information, watch the full video at the following address: https://www.youtube.com/watch?v=pN6vmMAgdHU