
SANS Internet Storm Center Stormcast: July 18, 2025 Edition on Cybersecurity
In this July 18, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich, recording from Washington DC, addresses several crucial topics in cybersecurity.
The first topic is NTFS alternate data streams (ADS) and their Linux counterpart, extended attributes (xattrs). Xavier looked at how xattrs, much like ADS on Windows, can carry data that never shows up in an ordinary directory listing or file size. They have plenty of legitimate uses: desktop environments and some download tools record where a file came from in user.xdg.origin.url, and POSIX access control lists are stored in the system.posix_acl_access attribute. Xavier wrote scripts that Base64-encode a payload, split it into pieces, and attach each piece as an extended attribute on one of several files, plus a companion script that reads the pieces back and reassembles the payload. A third script walks a filesystem, finds files carrying extended attributes, and lists their contents, which is what a defender needs to decide whether the attributes are expected or are hiding malware.
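The following is an added illustration of the hide/recover/hunt workflow described above; it is not Xavier's script from the Stormcast. It assumes Linux (the os.setxattr, os.getxattr and os.listxattr calls exist only there in the standard library) and a filesystem mounted with user xattr support such as ext4, xfs or btrfs. The attribute prefix, the benign-attribute list and the demo payload are constructed for the example.

```python
"""Hide a payload in Linux extended attributes, recover it, and hunt for it.

Added example for this summary, not Xavier's code. Assumes Linux and a
filesystem that accepts user.* xattrs (ext4, xfs, btrfs). The PREFIX,
KNOWN_BENIGN and the demo payload are constructed for illustration.
"""
from __future__ import annotations

import base64
import os
import sys
import tempfile

# Attribute names with a known legitimate origin (constructed list): anything
# else, especially in the user.* namespace, deserves a look.
KNOWN_BENIGN = {
    "user.xdg.origin.url",       # origin URL of a downloaded file
    "user.xdg.referrer.url",
    "security.selinux",
    "system.posix_acl_access",   # POSIX ACLs are encoded here
    "system.posix_acl_default",
}

PREFIX = "user.cache"  # hypothetical innocuous-looking name for the hidden chunks
# ext4 keeps all xattrs of one inode inside a single block (4 KiB by default),
# so each chunk must stay well below that and a larger payload must be spread
# over several carrier files.
CHUNK = 3000


def split_payload(data: bytes, chunk: int = CHUNK) -> list[str]:
    """Base64-encode the payload and cut the text into chunk-sized pieces."""
    b64 = base64.b64encode(data).decode("ascii")
    return [b64[i:i + chunk] for i in range(0, len(b64), chunk)]


def join_payload(chunks: list[str]) -> bytes:
    """Inverse of split_payload: concatenate the pieces and decode."""
    return base64.b64decode("".join(chunks))


def hide_in_xattrs(paths: list[str], data: bytes, chunk: int = CHUNK) -> int:
    """Write one chunk per attribute, cycling through the carrier files.
    Returns the number of attributes written."""
    pieces = split_payload(data, chunk)
    for i, piece in enumerate(pieces):
        carrier = paths[i % len(paths)]
        os.setxattr(carrier, f"{PREFIX}.{i:04d}", piece.encode("ascii"))
    return len(pieces)


def recover_from_xattrs(paths: list[str]) -> bytes:
    """Gather PREFIX.NNNN attributes from all carriers, order them, decode."""
    found = {}
    for p in paths:
        for name in os.listxattr(p):
            head, _, idx = name.rpartition(".")
            if head == PREFIX and idx.isdigit():
                found[int(idx)] = os.getxattr(p, name).decode("ascii")
    return join_payload([found[i] for i in sorted(found)])


def scan_xattrs(root: str) -> dict[str, dict[str, bytes]]:
    """Hunting side: walk root and report files carrying attributes that are
    not on the benign list, with the raw values for inspection."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            try:
                names = os.listxattr(path, follow_symlinks=False)
                odd = {n: os.getxattr(path, n, follow_symlinks=False)
                       for n in names if n not in KNOWN_BENIGN}
            except OSError:  # no xattr support on this fs, or permission denied
                continue
            if odd:
                report[path] = odd
    return report


if __name__ == "__main__":
    # Constructed demo: three empty carrier files in a temporary directory.
    workdir = tempfile.mkdtemp()
    carriers = []
    for i in range(3):
        p = os.path.join(workdir, f"note{i}.txt")
        open(p, "w").close()
        carriers.append(p)
    secret = b"#!/bin/sh\necho constructed payload, not real malware\n" * 20
    try:
        n = hide_in_xattrs(carriers, secret, chunk=256)
    except OSError as e:
        sys.exit(f"this filesystem does not accept user xattrs: {e}")
    print(f"wrote {n} chunks across {len(carriers)} files")
    assert recover_from_xattrs(carriers) == secret
    for path, attrs in scan_xattrs(workdir).items():
        print(path, sorted(attrs))
```

Two things to keep in mind when hunting by hand: `getfattr -d` only dumps the user.* namespace by default, so use `getfattr -d -m - -R --absolute-names /path` to see every namespace recursively; and `cp -a` and `tar --xattrs` preserve extended attributes, so hidden chunks can survive a copy or a backup restore even though `ls -l` gives no hint that they exist.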
Next is a critical vulnerability in Cisco's Identity Services Engine (ISE). The flaw lets an unauthenticated, remote attacker execute arbitrary code as root on the appliance, which earns it a CVSS score of 10 out of 10. Cisco attributes it to insufficient validation of user-supplied input in an ISE API. Few details have been published, but an unauthenticated root RCE on the system that enforces network access policy is about as severe as it gets: apply Cisco's fixed release immediately, and until then make sure the ISE administrative and API interfaces are not reachable from untrusted networks.
Oracle has also released its quarterly Critical Patch Update, with 309 patches, nine of which are rated critical and 144 high, spread across 111 products in Oracle's portfolio. A number of these patches are for vulnerabilities in bundled open-source components such as Apache Commons BeanUtils and Apache Tomcat that the upstream projects fixed some time ago. In other words, Oracle is playing catch-up: the flaws have been public, and exploits for them may already be in development or available, so these are the entries to prioritize.
Finally, Broadcom has released updates for its VMware products, including ESXi, Workstation, Fusion, and VMware Tools. Several of the vulnerabilities allow a guest-to-host virtual machine escape, but they require administrative privileges inside the affected guest. That makes them particularly concerning for malware reverse engineers, who routinely run samples as administrator in a sandbox VM and could have a sample break out onto the analysis host. In an enterprise network the same flaws let an attacker who already has admin rights on one VM escape to the hypervisor and from there reach other workloads, a direct path to privilege escalation and lateral movement.
This information is crucial for cybersecurity professionals, as it highlights potential attack vectors and vulnerabilities that need to be addressed quickly to protect systems and networks. The scripts developed to manipulate extended attributes in Linux show how attackers can hide data, while the patches from Cisco, Oracle, and Broadcom underscore the importance of keeping systems up-to-date to protect against known threats.
To learn more, watch the full video at the following address: https://www.youtube.com/watch?v=G3X0FNHiRgU