
SANS Internet Storm Center's Stormcast: Key Cybersecurity Topics
In the May 28, 2025 edition of the SANS Internet Storm Center's Stormcast, Johannes Ullrich covers four topics: hardening SSH key files, a command-injection flaw in weather-station bridge software, two ManageEngine SQL injection advisories, and attacks on exposed Docker APIs.
The first topic is the security of SSH servers, specifically the authorized_keys file. Ullrich stresses that key-based authentication should replace passwords, but warns of a routine move by malicious bots: once they have compromised a Unix system, they append their own public key to the victim's authorized_keys file and so keep a backdoor that survives a password change. His recommendation is not to keep authorized_keys in the user's home directory at all. OpenSSH's AuthorizedKeysFile directive can instead point to a single root-owned directory holding one key file per user, named after the login name (%u) or the numeric user ID (%U). Key management is then centralized, the files need only be readable (not writable) by their users, an attacker who obtains a user's shell cannot add keys, and unauthorized changes are easier to monitor because there is one directory to watch.
Ullrich then turns to IoT vulnerabilities, citing a blog post by OneKey, a company specializing in vulnerability detection, about Meteobridge, software used to connect various weather stations. The flaw is a classic one: the query string of an HTTP GET request is handed to a bash eval command without any inspection, so an attacker can run arbitrary commands on the device. Ullrich's reminder is that eval should be avoided altogether or, if it is truly necessary, used with extreme caution and only after every piece of user input has been validated. He also advises against writing web applications in bash, because the shell offers few tools for input filtering and is easy to get wrong.
The podcast also mentions two security advisories published by ManageEngine regarding SQL injection vulnerabilities in their products. Although these are privilege-escalation issues that require an already-authenticated user, Ullrich covers them because of their similarity to past ManageEngine vulnerabilities that were exploited in various attacks.
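As an added example for the SSH discussion above (written for this summary, not code from the Stormcast or from the OpenSSH project), the script below shows the centralized layout Ullrich describes: an sshd_config drop-in that points AuthorizedKeysFile at a root-owned directory, plus an audit function that flags any key file the authorized user could modify. The drop-in file name, the user names svc_alice and svc_bob, and the use of /etc/ssh as the real location are assumptions; KEYS_ROOT defaults to a temporary directory so the script can be run without touching a live host.

```shell
#!/usr/bin/env bash
# Added example (not from the Stormcast or the OpenSSH project): keep every user's
# authorized_keys under a root-owned directory and audit it. KEYS_ROOT defaults to a
# temporary directory so this runs in a sandbox; on a real host it would be /etc/ssh
# (assumption) and the chown/chmod steps would run as root.
set -euo pipefail

KEYS_ROOT="${KEYS_ROOT:-$(mktemp -d)}"
KEYS_DIR="$KEYS_ROOT/authorized_keys"

# sshd_config drop-in. %u expands to the login name; %U would give the numeric UID.
# The drop-in file name is an assumption.
write_sshd_dropin() {
  mkdir -p "$KEYS_ROOT/sshd_config.d"
  cat > "$KEYS_ROOT/sshd_config.d/10-central-keys.conf" <<EOF
# One key file per user, outside the home directory; users may read, never write.
AuthorizedKeysFile $KEYS_DIR/%u
PasswordAuthentication no
StrictModes yes
EOF
}

# Directory: root:root 0755 so every user can read their own file but only root can
# create, delete or rename entries (chown omitted here because it needs root).
setup_keys_dir() {
  mkdir -p "$KEYS_DIR"
  chmod 0755 "$KEYS_DIR"
}

# audit_keys_dir DIR: exit 0 when every key file is safe, 1 otherwise. A file is
# unsafe when it is owned by the very user it authorises (that user could append a
# backdoor key) or when any group/other write bit is set.
audit_keys_dir() {
  local dir="$1" rc=0 f name owner mode
  for f in "$dir"/*; do
    [ -e "$f" ] || continue
    name=$(basename "$f")
    owner=$(stat -c '%U' "$f")
    mode=$(stat -c '%a' "$f")
    if [ "$owner" = "$name" ]; then
      echo "UNSAFE $name: owned by the user it authorises (should be root)"
      rc=1
    fi
    # 022 = group-write | other-write; the leading 0 makes the shell parse mode as octal
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
      echo "UNSAFE $name: mode $mode is group/world writable (should be 0644)"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed demo: one correct file, one deliberately world-writable file.
demo() {
  write_sshd_dropin
  setup_keys_dir
  printf 'ssh-ed25519 PLACEHOLDER_KEY_DATA svc_alice@laptop\n' > "$KEYS_DIR/svc_alice"
  chmod 0644 "$KEYS_DIR/svc_alice"
  : > "$KEYS_DIR/svc_bob"
  chmod 0666 "$KEYS_DIR/svc_bob"
  audit_keys_dir "$KEYS_DIR" || echo "audit of $KEYS_DIR found problems"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a real host, run `sshd -t` to validate the configuration before restarting the daemon and `sshd -T | grep -i authorizedkeysfile` to confirm the effective setting; with StrictModes enabled, sshd itself also refuses key files with unsafe permissions, so the audit above is a second line of defence rather than the only one.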
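To make the eval problem from the Meteobridge discussion concrete, here is an added example (written for this summary, not Meteobridge's actual CGI code) that places the vulnerable pattern next to a parser that never lets request data reach eval: the parameter name is checked against a whitelist of identifier characters, the value is percent-decoded as data, and the result is stored under a fixed q_ prefix so a request cannot overwrite variables such as PATH or IFS. The function names, the q_ prefix and the sample request are assumptions; the script requires bash.

```shell
#!/usr/bin/env bash
# Added example (not Meteobridge's CGI code): the eval-on-query-string anti-pattern
# next to a parser that treats request data strictly as data. Requires bash.

# VULNERABLE: split "a=1&b=2" into assignments and eval each one. A value such as
# $(id) is then executed with the web server's privileges. The input is assumed to
# be already percent-decoded, as a CGI script that decodes before eval would do.
unsafe_parse() {
  local -a pairs
  local pair
  IFS='&' read -r -a pairs <<< "$1"
  for pair in "${pairs[@]}"; do
    eval "$pair"          # injection point: request data is parsed as shell code
  done
}

# url_decode STRING: percent-decode into REPLY without eval. Literal backslashes are
# escaped first so printf %b interprets only the \xNN sequences generated here.
url_decode() {
  local s="${1//+/ }"
  s="${s//\\/\\\\}"
  printf -v REPLY '%b' "${s//%/\\x}"
}

# SAFE: the parameter name must be an identifier (whitelist, length-capped), the
# value is decoded as data, and it lands in a variable under a fixed prefix (q_) so
# a request can never assign PATH, IFS, HOME or anything else the script relies on.
safe_parse() {
  local -a pairs
  local pair key value
  IFS='&' read -r -a pairs <<< "$1"
  for pair in "${pairs[@]}"; do
    [[ "$pair" == *=* ]] || continue
    key="${pair%%=*}"
    value="${pair#*=}"
    if [[ ! "$key" =~ ^[A-Za-z_][A-Za-z0-9_]{0,31}$ ]]; then
      echo "rejected parameter name: $key" >&2
      continue
    fi
    url_decode "$value"
    printf -v "q_$key" '%s' "$REPLY"    # assignment without eval
  done
}

# Constructed request, not captured traffic: y is benign, x carries an injection
# payload, bad-name is an illegal identifier, PATH tries to clobber the environment.
demo() {
  safe_parse 'y=1&x=%24(echo%20injected)&bad-name=2&PATH=/evil'
  printf 'q_y=%s\nq_x=%s\nq_PATH=%s\nPATH unchanged: %s\n' "$q_y" "$q_x" "$q_PATH" "$PATH"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

The important design choice is that the only thing the safe parser ever treats as code is the parameter name, and only after it has matched a strict identifier pattern; the value goes through `printf -v`, which assigns a string and never re-parses it, so `$(…)`, backticks and semicolons in the value stay inert.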
For the ManageEngine advisories, he recommends checking affected installations and applying the fixes before they are exploited. Finally, Ullrich discusses the risks of exposing the Docker daemon's API on the network. Kaspersky recently uncovered an attack that used exposed Docker APIs to install cryptocurrency miners: the attackers not only launched new containers to mine cryptocurrency but also compromised existing containers to add their miners. Ullrich notes that this activity is easy to detect through the jump in CPU time, yet it remains a technique attackers use regularly. In conclusion, this edition of the Stormcast provides practical guidance on securing SSH servers, on a recurring class of IoT vulnerability, and on the risks of exposed Docker APIs, all of which cybersecurity professionals can apply directly to protect their systems against current attacks.
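As an added example for the Docker discussion (not Kaspersky's or Ullrich's code), the shell functions below implement two checks a defender can run on a Docker host: whether dockerd is listening on a TCP port (2375 is Docker's conventional plaintext API port, 2376 the TLS port) on a non-loopback address, and which containers exceed a CPU threshold in `docker stats` output, the symptom Ullrich mentions. Both functions read command output from stdin, so the sample lines embedded here are constructed and the same functions work on live `ss` and `docker stats` output. The threshold, the container names and the daemon.json fragment are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Kaspersky's or the ISC's code): detect an exposed Docker API
# and CPU-hungry containers. Functions read command output from stdin so they can
# be tested on constructed lines and used on live `ss` / `docker stats` output.

# docker_tcp_listeners: reads `ss -Hltn` output; column 4 is "addr:port".
# 2375 is the conventional plaintext Docker API port, 2376 the TLS port (assumption:
# the daemon uses the default ports). Plaintext on a non-loopback address is CRITICAL.
docker_tcp_listeners() {
  awk '
    $4 ~ /:(2375|2376)$/ {
      n = split($4, parts, ":")
      port = parts[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      local_only = (addr ~ /^(127\.|\[::1\]$)/)
      sev = (port == "2375" && !local_only) ? "CRITICAL" : "INFO"
      print sev, addr, port
    }'
}

# high_cpu_containers THRESHOLD: reads lines "<name> <cpu%>" as produced by
#   docker stats --no-stream --format '{{.Name}} {{.CPUPerc}}'
# and prints the names whose CPU percentage exceeds THRESHOLD.
high_cpu_containers() {
  awk -v thr="$1" '
    NF >= 2 {
      cpu = $2; sub(/%$/, "", cpu)
      if (cpu + 0 > thr + 0) print $1
    }'
}

# print_hardened_daemon_json: a daemon.json that keeps the API on the unix socket.
# Caveat: on systemd-based distributions dockerd is usually started with "-H fd://",
# which conflicts with a "hosts" key in daemon.json; move the -H flag into a systemd
# drop-in, or use "tlsverify" with client certificates on 2376 if remote access is
# genuinely required.
print_hardened_daemon_json() {
  cat <<'EOF'
{
  "hosts": ["unix:///var/run/docker.sock"]
}
EOF
}

# run_live_checks: the same functions against a real host (skipped if tools are absent).
run_live_checks() {
  command -v ss >/dev/null && ss -Hltn | docker_tcp_listeners
  command -v docker >/dev/null && \
    docker stats --no-stream --format '{{.Name}} {{.CPUPerc}}' | high_cpu_containers 150
  return 0
}

# Constructed sample output (not captured from a real host) to show the logic.
demo() {
  printf '%s\n' \
    'LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:*' \
    'LISTEN 0 128 127.0.0.1:2376 0.0.0.0:*' \
    'LISTEN 0 128 *:22 *:*' | docker_tcp_listeners
  printf '%s\n' 'web 1.23%' 'miner 398.70%' 'db 12.00%' | high_cpu_containers 150
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

A CPU threshold alone will also flag legitimate batch jobs, so treat a hit as a prompt to inspect the container (image, entrypoint, outbound connections) rather than as proof of a miner; the exposure check, by contrast, is unambiguous, because a plaintext Docker API reachable from the network gives anyone who finds it full control of the host's containers.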