
SANS Internet Storm Center Stormcast: June 3, 2025 Edition Discusses Critical Cybersecurity Topics
In the June 3, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich discusses several crucial cybersecurity topics. The first is a new form of malware that exploits SSH on Windows. SSH has long been a standard component on Linux, and Windows began integrating it by default a few years ago. The malware deploys an SSH configuration file that instructs the system to connect to a command and control server and then redirect connections to an internal listening port. The configuration file contains syntax errors, however, which could prevent it from working as intended. The malware also runs SSH over port 443, typically used for HTTPS traffic, to better blend into regular network traffic. SSH on that port should nonetheless trigger alerts in network monitoring systems, which makes it easier to detect.
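The monitoring point above can be checked on the first bytes a client sends: an SSH client opens with an identification string (`SSH-2.0-...`, RFC 4253), while an HTTPS client opens with a TLS handshake record. The sketch below is an added example, not code from the Stormcast or the ISC diary; the flow record layout, function names, addresses and banner value are assumptions constructed for illustration.

```python
import re

# SSH identification string per RFC 4253 section 4.2: "SSH-<protoversion>-<software>"
SSH_BANNER = re.compile(rb"^SSH-(2\.0|1\.99)-[\x21-\x7e]+")

def classify_first_bytes(payload: bytes) -> str:
    """Classify the first client-to-server bytes of a TCP session."""
    if SSH_BANNER.match(payload):
        return "ssh"
    # TLS record header: type 0x16 (handshake), major version 0x03,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01):
        return "tls"
    return "other"

def ssh_on_https_port(flows, port=443):
    """Return flows to `port` whose first client bytes are an SSH banner."""
    return [f for f in flows
            if f["dport"] == port
            and classify_first_bytes(f["first_bytes"]) == "ssh"]

# Constructed sample flows (hypothetical record layout, documentation
# address ranges, made-up banner; none of these are real indicators).
SAMPLE_FLOWS = [
    {"src": "10.0.0.21", "dst": "203.0.113.10", "dport": 443,
     "first_bytes": bytes.fromhex("160301020001000001fc0303")},  # TLS ClientHello
    {"src": "10.0.0.37", "dst": "198.51.100.7", "dport": 443,
     "first_bytes": b"SSH-2.0-OpenSSH_for_Windows_9.5\r\n"},     # SSH on 443
    {"src": "10.0.0.37", "dst": "10.0.0.5", "dport": 22,
     "first_bytes": b"SSH-2.0-OpenSSH_for_Windows_9.5\r\n"},     # SSH on its usual port
    {"src": "10.0.0.44", "dst": "203.0.113.10", "dport": 443,
     "first_bytes": b"GET / HTTP/1.1\r\n"},                      # neither SSH nor TLS
]

if __name__ == "__main__":
    for f in ssh_on_https_port(SAMPLE_FLOWS):
        print(f"ALERT ssh-on-443 {f['src']} -> {f['dst']}:{f['dport']}")
```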