
SANS Internet Storm Center Stormcast Discusses Critical Cybersecurity Issues
In this June 27, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich discusses several crucial topics in cybersecurity.

The first issue is a major supply chain security vulnerability affecting Visual Studio Code clones. Visual Studio Code, a Microsoft product, has its own extension store, which has faced issues in the past. Clones like Cursor, often used in artificial intelligence projects, cannot use Microsoft's official extension store. To address this, OpenVSX was created as an extension store for these clones. The vulnerability lies in how extensions are updated on OpenVSX. There are two methods to update an extension: one involves downloading the extension, and the other, more convenient method allows for automatic updates. This latter method uses a GitHub action that runs code provided by the extension developer. This code has access to a secret token used by the GitHub action, potentially allowing an attacker to modify any extension published on OpenVSX. This vulnerability endangers the entire extension ecosystem, as an attacker could add malicious code to trusted extensions. Fortunately, this vulnerability has been fixed thanks to the collaboration between Koi Security and OpenVSX.

Another important topic is the discovery of three Bluetooth vulnerabilities in chipsets manufactured by AOA, used in headphones from major brands like Bose and Sony. These vulnerabilities allow an attacker to compromise the headphones and use them as listening devices. The issue lies in a custom protocol that allows direct manipulation of the headphones' memory, with flawed or absent authentication. If the headphones are already paired with another device, the attack would be noticeable because the connection would be interrupted. However, if the headphones are inactive, the attack could go unnoticed. AOA has released patches for its software development kit, but these patches still need to be deployed in the firmware of affected devices.

Finally, Cisco has released updates for its Identity Services Engine, fixing two critical vulnerabilities that allow remote code execution without authentication. These vulnerabilities have a CVSS score of 10, meaning they are extremely severe and need to be fixed immediately.

Johannes Ullrich concludes by mentioning the upcoming SANSFIRE event in Washington DC, where workshops and special events will be available, including a workshop on honeypots. For more details, watch the full video at the following address: https://www.youtube.com/watch?v=h8K76nEbvlI
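
The OpenVSX auto-update issue summarized above comes down to developer-supplied build code running in the same GitHub Actions job that holds the publishing token. The following workflow pair is an added illustration, not OpenVSX's actual workflow or its fix; the repository name, the `PUBLISH_TOKEN` secret, and the `publish-cli` command are hypothetical placeholders.

```yaml
# Constructed illustration, not OpenVSX's actual workflow. The repository name,
# the PUBLISH_TOKEN secret and the publish-cli command are placeholders.

# WEAK: third-party build code and the marketplace token share one job.
name: auto-publish-weak
on: { schedule: [{ cron: "0 3 * * *" }] }
jobs:
  publish:
    runs-on: ubuntu-latest
    env:
      PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}   # visible to every step below
    steps:
      - uses: actions/checkout@v4
        with: { repository: example-dev/example-extension }   # developer-controlled code
      - run: npm install && npm run package   # install/build scripts inherit PUBLISH_TOKEN
      - run: publish-cli publish ./extension.vsix
---
# HARDENED: build without secrets, then publish only the resulting artifact.
name: auto-publish-hardened
on: { schedule: [{ cron: "0 3 * * *" }] }
permissions: {}              # no GITHUB_TOKEN scopes unless a job asks for them
jobs:
  build:
    runs-on: ubuntu-latest   # no secrets are referenced anywhere in this job
    steps:
      - uses: actions/checkout@v4
        with: { repository: example-dev/example-extension, persist-credentials: false }
      - run: npm ci --ignore-scripts && npm run package
      - uses: actions/upload-artifact@v4
        with: { name: vsix, path: extension.vsix }
  publish:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with: { name: vsix }
      - run: publish-cli publish ./extension.vsix   # the only step that sees the token
        env:
          PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
```

Job isolation keeps untrusted build steps away from the credential; scoping the token to a single extension or namespace limits the damage if it still leaks.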