
SANS Internet Storm Center's Stormcast: Key Cybersecurity Topics Discussed
In this June 30, 2025 edition of the SANS Internet Storm Center's Stormcast, Johannes Ullrich addresses several critical cybersecurity topics.

He begins by discussing Scattered Spider, a cybercriminal group known for its effective social engineering techniques. Although Scattered Spider is not new, it continues to make headlines because its attack methods keep succeeding. Ullrich emphasizes the importance of monitoring identity access points to detect takeover attempts and stresses that user training should include reporting attack attempts. He also recommends reviewing password reset and two-factor authentication processes, involving direct supervisors rather than relying on anonymous support services.

Another important point is a vulnerability in the Redfish protocol, used for remote server management. This vulnerability, discovered in March, allows authentication bypass by simply adding a specific header to a request, enabling the execution of arbitrary commands without authentication. CISA has added this vulnerability to its list of known exploited vulnerabilities, highlighting the urgency of fixing it. Ullrich recommends updating server firmware quickly, despite the challenges this may pose.

Ullrich also mentions the expiration of Microsoft's Secure Boot certificates in June 2026. Windows Update will provide new certificates, but this requires systems to send diagnostic data to Microsoft. For enterprise-managed systems, Microsoft has published a blog post detailing various scenarios and solutions. It is crucial to ensure that systems receive these updates, especially those still running Windows 10, as updates for it will only be available until October 2025.

Finally, Ullrich talks about Microsoft's resilience initiative, aimed at making Windows more secure. One controversial measure is making it more difficult for security software to operate at the kernel level, a decision influenced by recent incidents like the one involving Cloudflare. This initiative could have significant implications for security software that relies on kernel privileges to operate.

In conclusion, Ullrich announces that due to his travels and the July 4th holiday, he will publish only one more podcast this week, on Thursday, July 3.