
SANS Internet Storm Center Stormcast Discusses Critical Cybersecurity Topics
In the June 12, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich covers several notable cybersecurity topics.

The first is a new threat that starts with a batch file (.bat) which downloads a malicious installer. The batch file also opens an ordinary Word document, so the user sees nothing unusual. The second stage then downloads an encoded image containing malicious code, which it injects into a running process. A notable aspect of this attack is that the second stage depends on environment variables set by the first stage: if an analyst examines only the second stage, without the environment the first stage creates, the malicious code will not run, which complicates analysis. Ullrich also notes that the antivirus engines on VirusTotal largely fail to flag this threat as malicious, probably because it is more targeted and less widespread.

Next, Ullrich turns to the Patch Tuesday updates. For Windows 11 users, the 24H2 update is being rolled out gradually now that some initial problems with certain hardware configurations have been resolved. One important update this month addresses an already exploited vulnerability in the SMB client, which Microsoft describes as a privilege escalation vulnerability. However, Synacktiv published a detailed article explaining that the vulnerability actually allows arbitrary commands to be executed on the system with SYSTEM privileges.

ConnectWise also issued an advisory about rotating the signing certificate for its ScreenConnect software. This follows a recent incident in which attackers sent victims legitimately signed copies of ScreenConnect bundled with attacker-controlled configurations, tricking them into connecting to malicious servers. ConnectWise plans to release a software update that hardens ScreenConnect's configuration handling and makes malicious configuration attempts more evident.
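As an added illustration (not the sample from the episode and not code from SANS ISC), the following Python model shows why a second stage that reads first-stage environment variables cannot be analysed in isolation, and how an analyst can replay the first stage's `set` statements to recreate that environment. The batch file, the variable names, the placeholder URL and the single-byte XOR keyed from one of the variables are all constructed assumptions for illustration; the episode does not say which variables or which encoding the real sample uses.

```python
"""Replay a first-stage batch file's environment so a gated second stage can be analysed."""
import re
from typing import Dict, List, Optional

# Constructed stand-in for the first-stage dropper (not the real sample). It sets
# variables the second stage later expands, then opens a benign-looking document.
STAGE1_BAT = r"""@echo off
set "WORKDIR=%TEMP%\cache"
set IMGURL=https://example.invalid/picture.png
set XK=5a
start "" "%~dp0invoice.docx"
"""

# Variables the constructed second stage refuses to run without (an assumption).
REQUIRED = ("WORKDIR", "IMGURL", "XK")

# Plain `set NAME=value` and `set "NAME=value"`; `set /a` and `set /p` are deliberately ignored.
_SET_RE = re.compile(r'^\s*set\s+"?([A-Za-z_][A-Za-z0-9_]*)=([^"\r\n]*)"?\s*$', re.IGNORECASE)
_PCT_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def expand_percent(value: str, env: Dict[str, str]) -> str:
    """Expand %NAME% references at parse time; inside a batch file an undefined name
    expands to the empty string, which is what cmd.exe does."""
    return _PCT_RE.sub(lambda m: env.get(m.group(1).upper(), ""), value)


def extract_batch_env(bat_text: str, base: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Replay the `set` statements of a batch file and return the resulting variables.

    Names are upper-cased because cmd.exe variable names are case-insensitive.
    `base` supplies the variables (TEMP, USERPROFILE, ...) the victim machine would already have.
    Trailing whitespace on unquoted values is trimmed here, which cmd.exe would keep.
    """
    env = {k.upper(): v for k, v in (base or {}).items()}
    for line in bat_text.splitlines():
        m = _SET_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1).upper(), m.group(2)
        env[name] = expand_percent(raw, env)  # later lines may reference earlier ones
    return env


def missing_variables(env: Dict[str, str]) -> List[str]:
    """Which of the gating variables are absent from the environment under analysis."""
    return [name for name in REQUIRED if name not in env]


def decode_stage2(blob: bytes, env: Dict[str, str]) -> Optional[bytes]:
    """Model of the second stage: it only yields its payload when the first stage's
    variables are present. Decoding is a single-byte XOR keyed from XK (an assumption)."""
    if missing_variables(env):
        return None  # run on its own, the stage produces nothing to analyse
    key = int(env["XK"], 16)
    return bytes(b ^ key for b in blob)


# Constructed "encoded image" bytes: a harmless marker string XORed with 0x5a.
ENCODED_BLOB = bytes(b ^ 0x5A for b in b"MARKER:stage2")


if __name__ == "__main__":
    # Stand-in for the victim's pre-existing environment (constructed value).
    victim_base = {"TEMP": r"C:\Users\victim\AppData\Local\Temp"}
    print("second stage alone :", decode_stage2(ENCODED_BLOB, {}))
    replayed = extract_batch_env(STAGE1_BAT, base=victim_base)
    print("after replaying stage 1:", decode_stage2(ENCODED_BLOB, replayed))
```

When triaging such a chain, run `extract_batch_env` over the first stage and seed the sandbox or debugger with the returned variables before detonating the second stage; without them the decode step returns nothing, which matches the behaviour Ullrich describes.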
Finally, Ullrich discusses an interesting vulnerability in Konsole, KDE's terminal emulator. When a telnet:// URL is opened on a system where telnet is not installed, the fallback code passes the URL straight to bash, which allows command execution. Exploitation is not entirely straightforward, because the URL is visible in the terminal, but the bug is a useful reminder that URLs are not limited to the HTTP and HTTPS schemes.

The practical implications are broad. Security professionals must stay alert to sophisticated threats that use layered concealment techniques such as staged, environment-dependent payloads. System administrators must keep systems current with the latest patches so that known, exploited vulnerabilities are closed. And anyone writing or configuring URL handlers should remember that a URL can carry any scheme, not just HTTP and HTTPS, and must be validated accordingly. For more information, watch the full video at the following address: https://www.youtube.com/watch?v=bAMGxXq_uBw
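The Konsole bug above is an instance of a general pattern: a URL handler that falls back to a shell when its helper binary is missing. The following is an added example, not Konsole's code, written in Python to show the unsafe fallback beside a hardened handler. The scheme allowlist, the helper names and the injectable `which` hook are assumptions for illustration.

```python
"""Unsafe versus hardened handling of non-HTTP URL schemes (added example, not Konsole's code)."""
import re
import shutil
from typing import Callable, List, Optional
from urllib.parse import urlsplit

# Constructed allowlist: scheme -> argv prefix of the helper that handles it.
# A real desktop handler would take this from its configuration.
ALLOWED_SCHEMES = {
    "http": ["xdg-open"],
    "https": ["xdg-open"],
    "telnet": ["telnet"],
}
# Conservative hostname grammar; anything else (;, $, (, spaces, ...) is rejected.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def vulnerable_fallback(url: str) -> List[str]:
    """The unsafe pattern modelled on the bug: the URL remainder is spliced into a shell
    command string for `bash -c`. Returned rather than executed so the example stays inert."""
    target = url.split("://", 1)[1] if "://" in url else url
    return ["bash", "-c", f"telnet {target}"]  # `telnet host;id` runs `id` after telnet


def plan_url_handler(url: str, which: Callable[[str], Optional[str]] = shutil.which) -> List[str]:
    """Return the argv (no shell) that should handle `url`, or raise.

    Order of checks: scheme allowlist, host grammar, then presence of the helper binary.
    `which` is injectable so the missing-helper case can be exercised without touching PATH.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {scheme!r}")

    argv = list(ALLOWED_SCHEMES[scheme])
    if scheme in ("http", "https"):
        argv.append(url)  # the browser parses the full URL; still no shell involved
    else:
        host = parts.hostname or ""
        if not _HOST_RE.match(host):
            raise ValueError(f"bad host: {host!r}")
        argv.append(host)
        if parts.port is not None:  # raises ValueError itself on a non-numeric port
            argv.append(str(parts.port))

    # Fail closed: never substitute a shell when the helper is absent.
    if which(argv[0]) is None:
        raise FileNotFoundError(f"helper {argv[0]!r} is not installed; refusing to handle {url!r}")
    return argv


def rejects(url: str, which: Callable[[str], Optional[str]] = shutil.which) -> bool:
    """True if the hardened handler refuses the URL for any reason."""
    try:
        plan_url_handler(url, which=which)
    except (ValueError, FileNotFoundError):
        return True
    return False


if __name__ == "__main__":
    crafted = "telnet://host.example;id"
    print("unsafe handler would run:", vulnerable_fallback(crafted))
    print("hardened handler rejects :", rejects(crafted))
    print("hardened argv for a clean URL:", plan_url_handler("telnet://host.example:2323",
                                                            which=lambda n: "/usr/bin/" + n))
```

The two defences that matter are independent: build an argv list and never a shell string, and treat a missing helper as a hard error rather than an excuse to invoke `bash -c`. Either one alone would have blocked the injection; the hardened version applies both and additionally refuses schemes it was never meant to handle.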