
SANS Internet Storm Center Stormcast: May 30, 2025 Edition on Cybersecurity
In this May 30, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich discusses several current topics in cybersecurity.

The video begins with an introduction to alternate data streams, which are often used to annotate files but can also be abused for malicious purposes. Ullrich explains that these streams are not inherently malicious and have legitimate uses, for example marking a file as downloaded from the Internet. Because they can also be used offensively, it is important to understand how to defend against them.

Another topic is the security breach at ConnectWise, in which their ScreenConnect tool was compromised. Although ConnectWise states that only a small number of customers were affected, the incident fits a broader trend: remote access tools are frequently targeted as a way into victims' systems. Ullrich emphasizes the importance of monitoring these tools and taking measures to secure MSP (Managed Service Provider) environments.

Google's Threat Intelligence Group has also published a report on the APT41 group, known for its links to China. The group is now using Google Calendar as a command-and-control channel, creating zero-minute events to exfiltrate data. This method is difficult to detect because it blends in with normal traffic to Google. Ullrich recommends monitoring for unusual calendar events or for anomalous data volumes to detect this activity.

The video then introduces Orin Niskin, an expert in industrial control systems (ICS) cybersecurity. Niskin shares his experience and research on using deception to catch attackers before they reach OT (Operational Technology) networks. He explains that attacks often start in the IT (Information Technology) network, from which attackers look for OT resources. By placing fake files, users, and systems in the IT network, defenders can detect attackers before they reach the OT network, making the response faster and less disruptive.
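To make the opening segment on alternate data streams concrete, here is an added example (not code from the Stormcast or the Internet Storm Center) that parses the Zone.Identifier stream browsers write to mark a download, and triages a listing of named streams so that anything other than that download mark stands out. The Zone.Identifier content and the stream listing format are constructed samples; the "known benign" set and the size threshold are assumptions to tune per environment.

```python
"""Zone.Identifier parsing and alternate data stream (ADS) triage."""
import re
from dataclasses import dataclass

# Constructed sample: what a browser writes into <file>:Zone.Identifier
# when it saves a download. Not captured from a real system.
ZONE_IDENTIFIER = (
    b"[ZoneTransfer]\r\n"
    b"ZoneId=3\r\n"
    b"ReferrerUrl=https://downloads.example.test/\r\n"
    b"HostUrl=https://cdn.example.test/tool.exe\r\n"
)

# URL security zone ids as used by Windows (0..4).
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(data: bytes) -> dict:
    """Return the key/value pairs of the [ZoneTransfer] section.

    ZoneId is converted to int and a human-readable ZoneName is added.
    Other sections are ignored; a stream without ZoneId yields no zone.
    """
    text = data.decode("utf-8", errors="replace")
    fields: dict = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if fields.get("ZoneId", "").isdigit():
        fields["ZoneId"] = int(fields["ZoneId"])
        fields["ZoneName"] = ZONE_NAMES.get(fields["ZoneId"], "Unknown")
    return fields


@dataclass
class Stream:
    path: str
    name: str  # stream name; "" denotes the unnamed (main) $DATA stream
    size: int


# Constructed listing format: "<size> <path>:<stream>:$DATA" per line,
# modelled on the shape of `dir /r` output. An assumption, not real output.
SAMPLE_LISTING = """\
  3072 C:\\Users\\alice\\Downloads\\tool.exe::$DATA
    96 C:\\Users\\alice\\Downloads\\tool.exe:Zone.Identifier:$DATA
  1204 C:\\Users\\alice\\Documents\\notes.txt::$DATA
 48128 C:\\Users\\alice\\Documents\\notes.txt:update.ps1:$DATA
    12 C:\\Users\\alice\\Documents\\notes.txt:tag:$DATA
"""

STREAM_LINE = re.compile(r"^\s*(\d+)\s+(.+?):([^:\\]*):\$DATA\s*$")


def parse_stream_listing(listing: str) -> list[Stream]:
    streams = []
    for line in listing.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            streams.append(Stream(path=m.group(2), name=m.group(3), size=int(m.group(1))))
    return streams


# Named streams expected on a workstation. Assumption: only the download
# mark is treated as benign here; extend the set per environment.
KNOWN_BENIGN_STREAMS = {"Zone.Identifier"}
PAYLOAD_SIZE_THRESHOLD = 4096  # assumption: a stream this large can hold a script or binary


def triage_streams(streams: list[Stream]) -> list[tuple]:
    """Return (severity, 'path:stream', size) for every unexpected named stream."""
    findings = []
    for s in streams:
        if s.name == "" or s.name in KNOWN_BENIGN_STREAMS:
            continue
        severity = "high" if s.size >= PAYLOAD_SIZE_THRESHOLD else "low"
        findings.append((severity, f"{s.path}:{s.name}", s.size))
    return findings


if __name__ == "__main__":
    zone = parse_zone_identifier(ZONE_IDENTIFIER)
    print(f"Downloaded from zone {zone['ZoneId']} ({zone['ZoneName']}), host {zone.get('HostUrl')}")
    for severity, stream, size in triage_streams(parse_stream_listing(SAMPLE_LISTING)):
        print(f"[{severity}] unexpected stream {stream} ({size} bytes)")
```

The point of the triage step is that the legitimate use (the download mark) is tiny and has a fixed name, so a stream that is large or carries an unfamiliar name on a plain document is what deserves a look; on a real host the listing would come from a streams enumeration tool rather than the constructed text here.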
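For the Google Calendar command-and-control segment, the detection advice (watch for unusual calendar events and for data volume) can be turned into a simple scoring pass over calendar exports. The following is an added example, not code from the Stormcast or from the Google report: the event records are constructed in a simplified form (not a real calendar API schema), and the length, entropy and per-day thresholds are assumptions to tune per tenant.

```python
"""Flag calendar usage that resembles a command-and-control channel."""
import base64
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed stand-in for an encoded tasking payload: 1024 base64 characters.
_ENCODED_BLOB = base64.b64encode(bytes(range(256)) * 3).decode()

# Constructed sample events in a simplified export form (not a real API schema).
SAMPLE_EVENTS = [
    {"id": "e1", "creator": "alice@example.test",
     "start": "2025-05-29T10:00:00", "end": "2025-05-29T10:30:00",
     "description": "Weekly sync. Agenda: roadmap review, hiring update."},
    {"id": "e2", "creator": "alice@example.test",
     "start": "2025-05-29T14:00:00", "end": "2025-05-29T14:00:00",
     "description": "Reminder: submit expenses"},
] + [
    {"id": f"c{i}", "creator": "svc-build@example.test",
     "start": f"2025-05-29T03:{i:02d}:00", "end": f"2025-05-29T03:{i:02d}:00",
     "description": _ENCODED_BLOB}
    for i in range(8)
]

BASE64_RE = re.compile(r"^[A-Za-z0-9+/=\s]+$")
MIN_PAYLOAD_CHARS = 256      # assumption: agendas are rarely this long and opaque
MIN_PAYLOAD_ENTROPY = 4.5    # assumption: bits per char; English prose sits near 4.0-4.3
MAX_ZERO_MINUTE_PER_DAY = 5  # assumption: a few reminders a day are normal, dozens are not


def shannon_entropy(text: str) -> float:
    """Bits per character of the text; encoded data scores high, prose low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_payload(description: str) -> bool:
    """Long, base64-shaped, high-entropy text is more likely data than an agenda."""
    body = description.strip()
    return (len(body) >= MIN_PAYLOAD_CHARS
            and BASE64_RE.match(body) is not None
            and shannon_entropy(body) >= MIN_PAYLOAD_ENTROPY)


def is_zero_minute(event: dict) -> bool:
    return datetime.fromisoformat(event["start"]) == datetime.fromisoformat(event["end"])


def event_reasons(event: dict) -> list[str]:
    """Per-event indicators; either one alone is weak, both together are strong."""
    reasons = []
    if is_zero_minute(event):
        reasons.append("zero-minute event")
    if looks_like_payload(event["description"]):
        reasons.append("encoded payload in description")
    return reasons


def flag_creators(events: list[dict]) -> dict[str, list[str]]:
    """Aggregate per creator: bursts of zero-minute events and total encoded volume."""
    zero_per_day = defaultdict(int)
    payload_chars = defaultdict(int)
    for ev in events:
        day = ev["start"][:10]
        if is_zero_minute(ev):
            zero_per_day[(ev["creator"], day)] += 1
        if looks_like_payload(ev["description"]):
            payload_chars[ev["creator"]] += len(ev["description"])
    flagged = defaultdict(list)
    for (creator, day), count in zero_per_day.items():
        if count > MAX_ZERO_MINUTE_PER_DAY:
            flagged[creator].append(f"{count} zero-minute events on {day}")
    for creator, total in payload_chars.items():
        flagged[creator].append(f"{total} chars of encoded data across descriptions")
    return dict(flagged)


if __name__ == "__main__":
    for creator, reasons in flag_creators(SAMPLE_EVENTS).items():
        print(creator, "->", "; ".join(reasons))
```

Because the traffic itself is ordinary HTTPS to Google, this has to run on the calendar data (audit logs or an admin export) rather than on the network; the aggregation step matters because a single zero-minute reminder is normal, whereas one account producing many of them with opaque descriptions is the pattern worth escalating.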
Niskin also discusses the challenges of implementing these deception techniques, including managing false positives and integrating IT and OT security teams. He stresses the importance of sharing information with the community to strengthen collective defense.

In conclusion, the video provides a comprehensive overview of current threats and defensive techniques, with a particular focus on industrial control systems. It highlights the importance of early detection and of collaboration between IT and OT teams for an effective incident response. For more details, watch the full video at: https://www.youtube.com/watch?v=471l7ze-8cE
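The deception approach Niskin describes (decoy users, files and systems in the IT network) only pays off if every touch of a decoy raises an alert, since nothing legitimate should ever use one. The example below is added here and is not code from the Stormcast or from Niskin's research: it watches constructed Windows Security event lines (in a key=value form, not a real export format) for logon attempts against decoy accounts and share access to decoy files, then groups hits by source address. The decoy names, file paths and addresses are all constructed.

```python
"""Alert on any touch of decoy (honeytoken) accounts and files in IT logs."""
import re
from collections import defaultdict

# Decoys planted in the IT network. Constructed names; they should look like
# the OT assets an intruder would hunt for and never be used legitimately.
HONEY_USERS = {"svc_scada_backup", "plc_admin"}
HONEY_FILES = {r"OT\PLC_passwords.xlsx", r"OT\hmi_vpn.ovpn"}  # RelativeTargetName values

# Constructed Security log lines in key=value form (not real exports):
# 4624/4625 logon success/failure, 4768 Kerberos TGT request,
# 5145 network share object access (carries the client IP and target name).
SAMPLE_LOG = r"""
EventID=4624 TargetUserName=alice IpAddress=10.10.20.15 LogonType=3
EventID=4625 TargetUserName=svc_scada_backup IpAddress=10.10.20.77 LogonType=3 Status=0xC000006D
EventID=4625 TargetUserName=svc_scada_backup IpAddress=10.10.20.77 LogonType=3 Status=0xC000006D
EventID=4768 TargetUserName=plc_admin IpAddress=10.10.20.77 Status=0x0
EventID=5145 SubjectUserName=bob IpAddress=10.10.20.77 ShareName=\\*\engineering RelativeTargetName=OT\PLC_passwords.xlsx AccessMask=0x120089
EventID=5145 SubjectUserName=carol IpAddress=10.10.20.31 ShareName=\\*\engineering RelativeTargetName=projects\status.docx AccessMask=0x120089
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
ACCOUNT_EVENTS = {"4624", "4625", "4768"}


def parse_line(line: str) -> dict:
    """Split a key=value line into a dict; blank lines give an empty dict."""
    return dict(FIELD_RE.findall(line))


def honeytoken_alerts(log_text: str) -> list[dict]:
    """One alert per event that references a decoy account or decoy file."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        event_id = ev.get("EventID")
        user = ev.get("TargetUserName")
        target = ev.get("RelativeTargetName")
        if event_id in ACCOUNT_EVENTS and user in HONEY_USERS:
            alerts.append({"source": ev.get("IpAddress"), "decoy": user,
                           "kind": "account", "event": event_id})
        elif event_id == "5145" and target in HONEY_FILES:
            alerts.append({"source": ev.get("IpAddress"), "decoy": target,
                           "kind": "file", "event": event_id,
                           "actor": ev.get("SubjectUserName")})
    return alerts


def summarize_by_source(alerts: list[dict]) -> dict[str, set]:
    """Decoys touched per source address; one host probing several decoys is the strongest signal."""
    by_source = defaultdict(set)
    for a in alerts:
        by_source[a["source"]].add(a["decoy"])
    return dict(by_source)


if __name__ == "__main__":
    hits = honeytoken_alerts(SAMPLE_LOG)
    for src, decoys in summarize_by_source(hits).items():
        print(f"{src} touched {len(decoys)} decoy(s): {', '.join(sorted(decoys))}")
```

Keeping the decoy list small and never reusing those names elsewhere is what keeps the false-positive problem Niskin mentions manageable: a failed logon to a real service account is noise, a failed logon to an account that exists only as bait is not.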