
SANS Internet Storm Center Stormcast: July 14, 2025 Edition on Cybersecurity
In the July 14, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich covers several topics. The first is a new data feed of suspicious domains. An earlier version of the feed was abandoned after changes to, and licensing restrictions on, the public feeds it aggregated. The reintroduced feed takes a different approach: instead of aggregating other people's lists, it mines newly registered domains for suspicious patterns.
Ullrich explains that the new method looks for unusual patterns in the domain names themselves: imitation of well-known brands, the use of international (non-ASCII) characters, and high entropy, that is, very random-looking names. The approach is still experimental, but it already appears to catch phishing domains. Identifying malware domains remains harder, because some legitimate domains show the same characteristics, so the feed will produce false positives there. Ullrich invites users to test the feed and send feedback so the heuristics can be improved.
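The three heuristics described above (brand imitation, non-ASCII/IDN labels, high entropy), as an added Python example that is not the ISC feed's own code. The brand list, the confusables table and the entropy cut-off are assumptions chosen for the constructed sample domains; the entropy is measured per hyphen-separated token rather than over the whole label, because a label built from several dictionary words can otherwise score almost as high as a random string, which is exactly the false-positive problem the podcast mentions.

```python
import math
import re

# Constructed sample of "newly registered" domains for this example; the
# ISC feed's real data and scoring rules are not reproduced here.
SAMPLE_DOMAINS = [
    "paypa1-secure-login.com",                          # digit-for-letter brand lookalike
    "p\u0430ypal.com".encode("idna").decode("ascii"),   # Cyrillic 'а' -> xn--pypal-4ve.com
    "k3j8d9f2h1q7z5x4.net",                             # random-looking label
    "example-bakery.com",                               # benign
    "microsoft-support-verify.org",                     # brand plus lure words
]

# Assumed watch list; a real feed would use a much larger, curated one.
BRANDS = ["paypal", "microsoft", "apple", "google", "amazon"]

# Assumed confusables: digits that stand in for letters and a few Cyrillic
# letters that render like Latin ones. Unicode's confusables table is far longer.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
})

ENTROPY_THRESHOLD = 3.5  # bits per character of the most random token (assumed cut-off)


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'paypa1-secure-login' (ignores public-suffix rules)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def max_token_entropy(label: str) -> float:
    """Entropy of the most random-looking hyphen/underscore separated token."""
    tokens = [t for t in re.split(r"[-_]", label) if t]
    return max((shannon_entropy(t) for t in tokens), default=0.0)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character brand typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_lookalikes(label: str) -> list:
    """Brands that appear in, or are one edit away from, a token of the label."""
    hits = []
    for token in re.split(r"[-_]", label):
        for brand in BRANDS:
            near = brand in token or (len(token) >= 5 and levenshtein(token, brand) <= 1)
            if near and brand not in hits:
                hits.append(brand)
    return hits


def assess(domain: str) -> dict:
    """Return the heuristic flags raised for one domain."""
    flags = []
    ascii_label = registrable_label(domain)
    unicode_label = ascii_label
    if ascii_label.startswith("xn--"):
        flags.append("idn")
        try:
            unicode_label = ascii_label.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: keep the raw label, still flagged as idn
    brands = brand_lookalikes(unicode_label.translate(CONFUSABLES))
    if brands:
        flags.append("brand:" + ",".join(brands))
    entropy = max_token_entropy(ascii_label)
    if entropy >= ENTROPY_THRESHOLD:
        flags.append("high_entropy")
    return {"domain": domain, "label": unicode_label, "entropy": round(entropy, 2), "flags": flags}


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        r = assess(d)
        print(f"{r['domain']:32} {r['entropy']:5.2f} {r['flags']}")
```

Running it over the sample flags the two PayPal lookalikes, the Microsoft lure and the random label, and leaves the bakery alone. The brand and IDN checks carry most of the weight; entropy on its own is the weakest of the three, which matches the observation that randomly generated names are also used legitimately.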
Another item is a critical update for Wing FTP Server, an FTP server that also has a web interface. A vulnerability in it is being actively exploited in the wild and leads to remote code execution: the attacker appends Lua code to the username, separated from it by a null byte. The authentication check stops at the null byte and sees only the legitimate part of the username, so the login succeeds, while the full string, Lua code included, is written into a session file that the server later executes as Lua. Ullrich stresses that web developers should understand this bug, a mismatch in how two components of the same program interpret one string, so they do not make the same mistake in their own code.
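A minimal model of that bug class, as an added Python example that is not Wing FTP's code: one consumer of the username behaves like a C `strcmp` and stops at the first NUL, while another treats the string as length-delimited and pastes it into generated Lua. The credential store, the Lua session format and the injected statement (a harmless `print`) are all constructed for the example; the hardened version validates the username once, before any component sees it, and escapes on output.

```python
import re

# Constructed credential store for this example; not Wing FTP's configuration.
VALID_USERS = {"anonymous": "", "alice": "s3cret"}

# Lua that an attacker appends after the NUL byte. A harmless statement is used
# here; the bug class is the same whatever the statement does.
INJECTED_LUA = '"; print("injected") --'


def c_string(s: str) -> str:
    """Model of a C-style consumer: everything after the first NUL is invisible."""
    return s.split("\x00", 1)[0]


def handle_login_vulnerable(username: str, password: str):
    """Auth sees the NUL-terminated name; the session writer sees the whole string."""
    name = c_string(username)
    if name not in VALID_USERS or VALID_USERS[name] != password:
        return None
    # Session record generated by string formatting with no escaping (the mistake).
    return f'session = {{ user = "{username}" }}\n'


def lua_quote(s: str) -> str:
    """Emit a Lua double-quoted string, refusing NUL and other control characters."""
    if re.search(r"[\x00-\x1f\x7f]", s):
        raise ValueError("control character in string")
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def handle_login_hardened(username: str, password: str):
    """Validate the raw input once, then use the same string everywhere and escape on output."""
    if not re.fullmatch(r"[A-Za-z0-9._@-]{1,64}", username):
        return None
    if username not in VALID_USERS or VALID_USERS[username] != password:
        return None
    return f"session = {{ user = {lua_quote(username)} }}\n"


if __name__ == "__main__":
    payload = "anonymous\x00" + INJECTED_LUA
    print("vulnerable:", repr(handle_login_vulnerable(payload, "")))
    print("hardened:  ", repr(handle_login_hardened(payload, "")))
    print("hardened:  ", repr(handle_login_hardened("alice", "s3cret")))
```

With the payload, the vulnerable path authenticates as `anonymous` and emits a session record in which the string literal is closed early and `print("injected")` follows as a statement; the hardened path rejects the username before it reaches either the check or the writer. The general rule is to canonicalize and validate at the trust boundary, with an allow-list that excludes NUL and other control characters, rather than hoping every downstream consumer reads the bytes the same way.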
Ullrich also mentions a SQL injection vulnerability in Fortinet FortiWeb that leads to remote code execution, because the injected SQL can be used to write files to the system. It, too, is being actively exploited, which underlines how much web application security still hinges on basic input handling.
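The injection itself, as an added Python example that is not FortiWeb's code and reproduces none of its schema: a lookup that concatenates user input into the query text beside the parameterized form. The table and rows are constructed in an in-memory SQLite database. SQLite has no file-writing SQL, so the escalation from query control to a file on disk is not modeled; on a MySQL backend the same control over the query text is what lets an attacker append `INTO OUTFILE` to a `SELECT`, which is how injection becomes code execution when the written path is executable by the web server.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_users (name TEXT, token TEXT)")
    conn.executemany("INSERT INTO api_users VALUES (?, ?)",
                     [("admin", "tok-admin"), ("auditor", "tok-audit")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Query text built by concatenation: the input becomes part of the SQL grammar."""
    sql = "SELECT name, token FROM api_users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the input is only ever compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT name, token FROM api_users WHERE name = ?", (name,)
    ).fetchall()


# Constructed payloads. The first turns the WHERE clause into a tautology; the
# second replaces the result set with attacker-chosen columns, the shape an
# INTO OUTFILE write would build on in MySQL.
TAUTOLOGY = "x' OR '1'='1"
UNION = "x' UNION SELECT 'attacker', sqlite_version() --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", lookup_vulnerable(db, TAUTOLOGY))
    print("vulnerable, union:    ", lookup_vulnerable(db, UNION))
    print("hardened, tautology:  ", lookup_hardened(db, TAUTOLOGY))
    print("hardened, admin:      ", lookup_hardened(db, "admin"))
```

The vulnerable lookup returns every row for the tautology and an attacker-controlled row for the UNION; the hardened lookup returns nothing for either payload, because the whole string is compared against `name` as a value. Parameter binding, not escaping, is the fix to reach for.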
Finally, Nvidia has issued an advisory stating that some of its GPUs are vulnerable to Rowhammer, an attack on DRAM. By repeatedly accessing ("hammering") particular memory rows, an attacker induces bit flips in physically adjacent rows that they are not otherwise permitted to write to. Rowhammer was first described in 2014 and shown to be practically exploitable by Google's Project Zero in 2015; it is a property of dense DRAM rather than a bug in any one product, so it also affects the GDDR memory on modern graphics cards. Nvidia's advisory recommends enabling error-correcting code (ECC) memory protection on the GPUs that support it.
This edition is useful for security professionals and developers because it pairs actively exploited vulnerabilities with the mechanisms behind them and with ways to detect and prevent similar problems. Understanding those mechanisms, and applying the available updates, is what lets organizations defend against these attacks rather than just this week's instances of them.