
SANS Internet Storm Center Stormcast June 5, 2025: Key Cybersecurity Topics
In this June 5, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich discusses several crucial cybersecurity topics.

The first point concerns an ingenious phishing trick discovered by Yan. The technique hides the malicious link from Outlook users. At first glance, the email looks like a classic phishing attempt impersonating a bank. However, when Yan hovered over the link in Outlook, he found that it was actually benign. The aim of this maneuver is to avoid exposing the phishing link to Outlook users, who are often corporate users protected by more robust security measures; home users, who typically use webmail, are more likely to fall into the trap. Attackers use Outlook-specific conditional HTML comments to serve different content to Outlook than to other clients, so non-Outlook users see the malicious link while Outlook users see a benign one.

Next, Johannes Ullrich covers an important change from Amazon to the default logging mode for CloudWatch Logs. Currently the default is blocking mode, in which the application waits until every log entry has been accepted; if delivery is interrupted, the application may stall. Amazon is changing the default to non-blocking mode, comparable to old-style UDP logging, where logs are sent with no guarantee of receipt. The application keeps running even when logs cannot be delivered, but entries are lost if the logging buffer fills up. The change takes effect on June 25, 2025.

Johannes Ullrich also mentions several Cisco updates, including the removal of a backdoor in Cisco Identity Services Engine on cloud platforms. This vulnerability, classified as a "static credential" vulnerability, should be fixed immediately. The exact impact depends on the deployment's configuration, so consult Cisco's advisory for details.
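As an added illustration of the Outlook phishing trick described above (this is example code, not from the Stormcast or its authors), the following Python script renders an HTML message twice, once the way Outlook evaluates its conditional comments ([if mso] and [if !mso]) and once the way every other client treats them as ordinary comments, and flags any link that only the non-Outlook view would show. The sample message and its domains are constructed placeholders.

```python
import re

# Constructed sample, not a real message: the [if mso] branch is what Outlook
# renders, the [if !mso] "downlevel-revealed" branch is what every other client
# renders. Both domains are placeholders.
SAMPLE_EMAIL = """<html><body>
<p>Your account requires verification.</p>
<!--[if mso]>
  <a href="https://bank.example.com/login">Sign in</a>
<![endif]-->
<!--[if !mso]><!-->
  <a href="https://bank-verify.example.net/login">Sign in</a>
<!--<![endif]-->
</body></html>"""

# <!--[if mso]> ... <![endif]-->  (also matches [if gte mso 9] and similar)
MSO_BLOCK = re.compile(
    r"<!--\[if\s+(?:gte?\s+|lte?\s+)?mso[^\]]*\]>(.*?)<!\[endif\]-->", re.S | re.I)
# <!--[if !mso]><!--> ... <!--<![endif]-->
NOT_MSO_BLOCK = re.compile(
    r"<!--\[if\s+!mso[^\]]*\]><!-->(.*?)<!--<!\[endif\]-->", re.S | re.I)
ANY_COMMENT = re.compile(r"<!--.*?-->", re.S)
HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.I)

def outlook_view(html: str) -> str:
    """HTML as Outlook renders it: [if mso] content kept, [if !mso] dropped."""
    html = NOT_MSO_BLOCK.sub("", html)
    html = MSO_BLOCK.sub(r"\1", html)
    return ANY_COMMENT.sub("", html)

def standard_view(html: str) -> str:
    """HTML as any other client renders it: each <!-- ... --> is a plain comment,
    so the [if mso] block vanishes while the [if !mso] block stays visible
    (its opening comment already closed at the first -->)."""
    return ANY_COMMENT.sub("", html)

def links_in(html: str) -> set:
    return set(HREF.findall(html))

def find_client_split_links(html: str) -> dict:
    """URLs that only one class of mail client would ever display."""
    outlook, others = links_in(outlook_view(html)), links_in(standard_view(html))
    return {"outlook_only": sorted(outlook - others),
            "non_outlook_only": sorted(others - outlook)}

def is_suspicious(html: str) -> bool:
    """True when a link is hidden from Outlook but shown to other clients."""
    return bool(find_client_split_links(html)["non_outlook_only"])
```

Legitimate newsletters also use conditional comments for Outlook layout fixes, so the check compares the link sets of the two views rather than flagging the mere presence of [if mso].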
Infoblox has also fixed several vulnerabilities in its NetMRI system, with detailed descriptions and proofs of concept available. The most concerning is an unauthenticated command injection via the "get sample" request. This classic vulnerability stems from poor input validation and incorrect output encoding in the Ruby code, where the Popen call could have been used more securely.

In conclusion, this edition of the Stormcast highlights sophisticated phishing techniques, critical updates to cloud services, and significant vulnerabilities in widely used systems. This information is crucial for cybersecurity professionals seeking to protect their environments against emerging threats.