
Critical Cybersecurity Issues Discussed in SANS Internet Storm Center Stormcast
In this July 11, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich covers four topics: Internet-exposed SSH servers with weak passwords being abused as tunnel endpoints, a critical unauthenticated SQL injection in Fortinet's FortiWeb, a set of unpatched vulnerabilities in Ruckus network management products, and an AMD advisory on TPM attestation failures with recent Windows versions.

The first topic is the exploitation of open SSH servers. An intern, Sihoy Neo, observed attackers logging in with weak passwords and then, rather than doing anything on the compromised host itself, using it as a jump point: they open SSH tunnels (port forwarding) through it to reach other systems. One notable target reached through such a tunnel was a mail server belonging to Yandex, the large Russian internet service provider. Routing traffic through a compromised SSH server masks the real origin of the attack, because the final victim only ever sees the proxy's address, and several such proxies are sometimes chained to make tracing harder still. State actors have used the same technique to obscure their tracks.

The second topic is a critical vulnerability in the Fortinet FortiWeb web application firewall. The SQL injection flaw requires no authentication and gives full access to the backend database; it carries a CVSS score of 9.6, and patching quickly is strongly recommended. Johannes has not yet seen a public exploit for it, but one may well already exist.

Johannes also mentions vulnerabilities in Ruckus network management products, the Ruckus Virtual SmartZone (vSZ) wireless controller and the Ruckus Network Director (RND). The flaws include hardcoded secrets, well-known (shared) SSH keys, and unauthenticated arbitrary file reads, among others. No patches are available, so the advice is to block access to the administrative interfaces of these devices and restrict them to a dedicated management network.

Finally, AMD has issued an advisory about TPM attestation failures with recent versions of Windows. The failure can prevent the system from booting correctly and breaks software that depends on TPM attestation for its integrity checks, notably some video games. A firmware update resolves the issue, but some motherboard manufacturers have not yet distributed it, which complicates the situation.

There is a recovery procedure, but it requires physical access to the system and can be involved, especially if BitLocker is enabled: keys sealed to the TPM will demand the BitLocker recovery key once the TPM state changes, so have that key at hand before touching the firmware. Taken together, these items underline the need for vigilance and regular updates. The obfuscation technique seen against SSH servers shows why password logins and forwarding on exposed SSH servers deserve monitoring and hardening, while the Ruckus and FortiWeb flaws underscore the need to keep administrative interfaces off the open Internet and to patch critical vulnerabilities quickly. For more details, watch the full video at the following address: https://www.youtube.com/watch?v=WdUjFH1m0qk
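The brute-force-then-tunnel pattern described above for SSH servers leaves a trace in sshd's own authentication log: a run of failed password attempts from one source followed by an accepted password from the same source. The following Python script is an added example, not code from the episode or from the ISC; the log lines are constructed in OpenSSH's auth.log format, the host name "bastion" and the user names are placeholders, and the addresses come from the documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample of sshd lines in OpenSSH's auth.log format (not taken from
# the episode). 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are
# documentation address ranges.
SAMPLE_LOG = """\
Jul 11 03:12:01 bastion sshd[4110]: Failed password for invalid user admin from 203.0.113.5 port 51230 ssh2
Jul 11 03:12:03 bastion sshd[4112]: Failed password for root from 203.0.113.5 port 51232 ssh2
Jul 11 03:12:05 bastion sshd[4114]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jul 11 03:12:07 bastion sshd[4116]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jul 11 03:12:09 bastion sshd[4118]: Accepted password for root from 203.0.113.5 port 51240 ssh2
Jul 11 03:15:44 bastion sshd[4201]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:constructed
Jul 11 03:20:12 bastion sshd[4250]: Failed password for invalid user test from 198.51.100.9 port 33001 ssh2
Jul 11 03:21:30 bastion sshd[4260]: Accepted password for alice from 192.0.2.10 port 50110 ssh2
"""

# Matches both "Accepted password for root from 203.0.113.5 port 51240" and
# "Failed password for invalid user admin from ..." (the optional group
# absorbs "invalid user " so the user name is captured cleanly).
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>password|publickey) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)


def parse_auth_events(lines):
    """Yield one dict per sshd authentication line, in log order."""
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["invalid_user"] = ev.pop("invalid") is not None
            yield ev


def find_password_logins(lines, fail_threshold=3):
    """Return every successful password login together with the number of
    failed attempts seen from the same source earlier in the log. A success
    preceded by fail_threshold or more failures is marked as brute-forced.
    Key-based logins are ignored. The counter is per source address, so a
    spray spread across many addresses stays below the threshold and has to
    be caught by a different rule (e.g. failures per target account)."""
    fails = defaultdict(int)
    findings = []
    for ev in parse_auth_events(lines):
        if ev["result"] == "Failed":
            fails[ev["ip"]] += 1
        elif ev["method"] == "password":
            n = fails[ev["ip"]]
            findings.append({"ip": ev["ip"], "user": ev["user"],
                             "fails_before": n, "brute_forced": n >= fail_threshold})
    return findings


if __name__ == "__main__":
    for f in find_password_logins(SAMPLE_LOG.splitlines()):
        flag = "BRUTE-FORCED" if f["brute_forced"] else "password login"
        print(f"{flag}: {f['user']}@{f['ip']} after {f['fails_before']} failures")
```

On a host where only key-based logins are expected, every finding is worth a look, not just the brute-forced ones. The host-side fix is `PasswordAuthentication no` in sshd_config and, where forwarding is not needed, `AllowTcpForwarding no`, so that an account compromised by some other route still cannot be used as a tunnel endpoint. A box already in use as a proxy also shows outbound connections owned by the sshd session processes of the logged-in user, which is worth checking alongside the log.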
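Well-known SSH keys of the kind reported for the Ruckus products can be spotted from the defender's side by fingerprinting the public keys collected from a fleet (host keys or authorized_keys entries) and looking for keys that recur across devices or match fingerprints published in an advisory. The script below is an added example and not vendor code or code from the episode: the device names, the key blobs and the blocklist entry are constructed placeholders, while the fingerprint routine is the real OpenSSH scheme (base64 of the SHA-256 of the raw key blob, padding stripped).

```python
import base64
import hashlib
from collections import defaultdict


def ssh_fingerprint(pubkey_line):
    """OpenSSH-style SHA256 fingerprint of a public key line
    ("<type> <base64 blob> [comment]"): base64 of the SHA-256 digest of the raw
    blob, with the '=' padding removed, as printed by ssh-keygen -lf."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    blob = base64.b64decode(parts[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fake_key(label):
    """Constructed placeholder key line for this example. The blob is just the
    label's bytes, not real key material (real blobs carry the SSH wire encoding),
    which is enough to exercise the fingerprinting and comparison logic."""
    return "ssh-ed25519 " + base64.b64encode(label.encode()).decode() + " " + label


# Constructed inventory: hypothetical device name -> public key lines collected
# from it. "vendor-baked-in-key" stands in for a key shipped with the firmware.
DEVICES = {
    "vsz-01": [fake_key("vendor-baked-in-key"), fake_key("site1-admin")],
    "vsz-02": [fake_key("vendor-baked-in-key")],
    "rnd-01": [fake_key("vendor-baked-in-key"), fake_key("site2-admin")],
    "core-sw-01": [fake_key("site2-admin")],
}

# Constructed blocklist; in practice this holds the fingerprints an advisory publishes.
KNOWN_BAD = frozenset({ssh_fingerprint(fake_key("vendor-baked-in-key"))})


def find_shared_keys(devices, blocklist=frozenset()):
    """Report every key that appears on more than one device or is on the
    blocklist. Blocklisted keys are listed first, then by how widely a key is
    shared. A key shared by several devices is not automatically bad (an admin
    key legitimately deployed fleet-wide looks the same), so the report carries
    the device list and the key comment for a human decision."""
    by_fp = defaultdict(set)
    comments = {}
    for dev, lines in devices.items():
        for line in lines:
            fp = ssh_fingerprint(line)
            by_fp[fp].add(dev)
            parts = line.split(maxsplit=2)
            comments.setdefault(fp, parts[2] if len(parts) > 2 else "")
    findings = []
    for fp, devs in by_fp.items():
        if fp in blocklist or len(devs) > 1:
            findings.append({"fingerprint": fp, "comment": comments[fp],
                             "devices": sorted(devs), "blocklisted": fp in blocklist})
    findings.sort(key=lambda f: (not f["blocklisted"], -len(f["devices"]), f["fingerprint"]))
    return findings


if __name__ == "__main__":
    for f in find_shared_keys(DEVICES, KNOWN_BAD):
        tag = "KNOWN-BAD" if f["blocklisted"] else "shared"
        print(f"{tag} {f['fingerprint']} ({f['comment']}) on {', '.join(f['devices'])}")
```

Host keys are collected with `ssh-keyscan`, authorized keys from the devices' own configuration; a key that the vendor bakes into every unit will show up on all of them at once, which is the signal this check is built around, while the advisory's fingerprints, if published, go into the blocklist so a single device with the key is caught as well.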