Archives Software Engineering Daily public
 
Agreements and contracts are a fundamental innovation and govern everything from personal commitments to major financial decisions. They function as trusted artifacts to capture the nature of a commitment and provide clarity and accountability. Software has revolutionized many business functions, including the basic mechanics of digitally signing a…
 
My Very Personal Guidance and Strategies to Protect Network Edge Devices A quick summary to help you secure edge devices. This may be a bit opinionated, but these are the strategies that I find work and are actionable. https://isc.sans.edu/diary/My%20Very%20Personal%20Guidance%20and%20Strategies%20to%20Protect%20Network%20Edge%20Devices/31660 Postg…
 
Fake BSOD Delivered by Malicious Python Script Xavier found an odd malicious Python script that displays a blue screen of death to users. The purpose isn't quite clear. It could be a tech support scam tricking users into calling the 800 number displayed, or a simple anti-reversing trick https://isc.sans.edu/diary/Fake%20BSOD%20Delivered%20by%20Mal…
 
DShield SIEM Docker Updates Interested in learning more about the attacks hitting your honeypot? Guy assembled a neat SIEM to create dashboards summarizing the attacks. https://isc.sans.edu/diary/DShield%20SIEM%20Docker%20Updates/31680 PAN-OS Path Confusion Auth Bypass Palo Alto Networks fixed a path confusion vulnerability introduced by the overly …
 
An Ontology for Threats: Cybercrime and Digital Forensic Investigation on Smart City Infrastructure Smart cities are a big topic for many local governments. As these complex systems get built, attacks will follow. https://isc.sans.edu/diary/An%20ontology%20for%20threats%2C%20cybercrime%20and%20digital%20forensic%20investigation%20on%20Smart%20City%…
 
Subsea cables are high-capacity fiber-optic lines laid along the ocean floor to enable global communication by transmitting data between continents. Spanning thousands of miles, they carry an estimated 95% of international internet, phone, and data transmissions. Critically, these cables are vulnerable to sabotage by state actors, as they form crit…
 
Microsoft Patch Tuesday Microsoft released patches for 55 vulnerabilities. Three of them are categorized as critical, two are already exploited and another two have been publicly disclosed. The LDAP server vulnerability could become a huge deal, but it is not clear if an exploit will appear. https://isc.sans.edu/diary/Microsoft%20February%202025%20…
 
LangChain is a popular open-source framework to build applications that integrate LLMs with external data sources like APIs, databases, or custom knowledge bases. It’s commonly used for chatbots, question-answering systems, and workflow automation. Its flexibility and extensibility have made it something of a standard for creating sophisticated AI-…
 
Reminder: 7-Zip & MoW The Mark of the Web (MoW) must be added to any files extracted from ZIP or other compound file formats. 7-Zip does not propagate it by default; you have to change its configuration. https://isc.sans.edu/diary/Reminder%3A%207-Zip%20%26%20MoW/31668 Apple Fixes 0-Day Apple released updates to iOS and iPadOS fixing a bypass for USB Restricted Mode. The…
 
SSL 2.0 Turns 30 This Sunday SSL 2.0 was released in February 1995. SSL 3.0 followed only a year later, in 1996, and as of 2011 SSL 2.0 was formally deprecated (RFC 6176) and support was removed from many crypto libraries. Even so, over 400k hosts are still exposed via SSL 2.0. https://isc.sans.edu/diary/SSL%202.0%20turns%2030%20this%20Sunday...%20Perh…
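Checking whether one of your own hosts is among those still answering SSL 2.0 is not something modern TLS libraries can do for you, since they no longer speak the protocol at all. The block below is an added example, not code from the diary or from the ISC: it builds an SSL 2.0 CLIENT-HELLO by hand, parses the SERVER-HELLO a legacy server returns, and treats anything else (a TLS alert record, a closed connection) as "not SSLv2". The sample SERVER-HELLO used for the offline check is constructed; the `probe_sslv2` helper and its argument names are this example's own.

```python
import os
import socket
import struct
from typing import Optional

MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04

# The seven cipher specs defined by SSL 2.0 (3 bytes each); offering all of
# them gives a legacy server every chance to answer.
SSL2_CIPHER_SPECS = [
    b"\x01\x00\x80",  # SSL_CK_RC4_128_WITH_MD5
    b"\x02\x00\x80",  # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    b"\x03\x00\x80",  # SSL_CK_RC2_128_CBC_WITH_MD5
    b"\x04\x00\x80",  # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    b"\x05\x00\x80",  # SSL_CK_IDEA_128_CBC_WITH_MD5
    b"\x06\x00\x40",  # SSL_CK_DES_64_CBC_WITH_MD5
    b"\x07\x00\xc0",  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
]


def build_client_hello(challenge: Optional[bytes] = None) -> bytes:
    """Build an SSL 2.0 CLIENT-HELLO using the 2-byte record header (high bit set)."""
    challenge = os.urandom(16) if challenge is None else challenge
    ciphers = b"".join(SSL2_CIPHER_SPECS)
    body = (
        bytes([MSG_CLIENT_HELLO])
        + b"\x00\x02"                                           # CLIENT-VERSION = 2
        + struct.pack(">HHH", len(ciphers), 0, len(challenge))  # cipher / session-id / challenge lengths
        + ciphers                                               # CIPHER-SPECS-DATA
        + challenge                                             # CHALLENGE-DATA (no session id sent)
    )
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(data: bytes) -> Optional[dict]:
    """Return version and cipher specs if `data` is an SSL 2.0 SERVER-HELLO, else None.

    A TLS-only server answers this probe with an alert record (first byte 0x15),
    which fails the high-bit check below, so None also means "not SSLv2"."""
    if len(data) < 2:
        return None
    hdr = struct.unpack(">H", data[:2])[0]
    if not hdr & 0x8000:
        return None
    body = data[2:2 + (hdr & 0x7FFF)]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    version = struct.unpack(">H", body[3:5])[0]            # after SESSION-ID-HIT and CERTIFICATE-TYPE
    cert_len, cs_len, conn_len = struct.unpack(">HHH", body[5:11])
    if len(body) < 11 + cert_len + cs_len + conn_len:
        return None
    cs_start = 11 + cert_len                                # cipher specs follow the certificate
    specs = body[cs_start:cs_start + cs_len]
    return {
        "version": version,
        "cipher_specs": [specs[i:i + 3] for i in range(0, len(specs), 3)],
    }


def probe_sslv2(host: str, port: int = 443, timeout: float = 5.0) -> Optional[dict]:
    """Send the probe to a live host (network call; not exercised by the offline checks)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        reply = sock.recv(4096)
    return parse_server_hello(reply)


def sample_server_hello() -> bytes:
    """Constructed SERVER-HELLO (no certificate, two cipher specs) for offline testing."""
    specs = b"\x01\x00\x80" + b"\x07\x00\xc0"
    conn_id = b"\xaa" * 16
    body = (
        bytes([MSG_SERVER_HELLO, 0x00, 0x01])               # SESSION-ID-HIT=0, CERTIFICATE-TYPE=1 (X.509)
        + b"\x00\x02"
        + struct.pack(">HHH", 0, len(specs), len(conn_id))
        + specs
        + conn_id
    )
    return struct.pack(">H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_sslv2(sys.argv[1]))
    else:
        print(parse_server_hello(sample_server_hello()))
```

A host that returns a parsed SERVER-HELLO is one of the exposed ones; run it only against systems you are authorised to test.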
 
The Unbreakable Multi-Layer Anti-Debugging System Xavier found a nice Python script that included what it calls the "Unbreakable Multi-Layer Anti-Debugging System". Leave it up to Xavier to tear it apart for you. https://isc.sans.edu/diary/The%20Unbreakable%20Multi-Layer%20Anti-Debugging%20System/31658 Take my money: OCR crypto stealers in Google …
 
BlackBerry is a Canadian company known for its pivotal role in the smartphone market during the 2000s. Today, BlackBerry has adopted a major focus on cybersecurity. John Wall is the Chief Operating Officer and Head of Products, Engineering and Services at QNX, which is a division of BlackBerry. Ismael Valenzuela is the former Vice President of Thre…
 
Phishing via com- prefix domains Every day, attackers register a few hundred domain names starting with com-. These are used in phishing e-mails, for example "toll fee scams", to create more convincing phishing links. https://isc.sans.edu/diary/Phishing%20via%20%22com-%22%20prefix%20domains/31654 Microsoft Windows 10 Extended Security Up…
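The trick works because a link such as `brand.com-something.tld` reads like `brand.com` to a human, while the registrable domain is actually `com-something.tld`. The block below is an added example, not part of the diary: it pulls the hostname out of each link, derives the registrable domain, and flags hostnames whose registrable domain starts with a TLD-like prefix and a hyphen, reporting what the link visually impersonates. The sample links are constructed and the domains in them are not claimed to exist; the two-label rule for the registrable domain is a simplification, and production code should consult the Public Suffix List.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample links in the style of "toll fee" phishing mails; the
# domains are made up and only illustrate the pattern.
SAMPLE_LINKS = [
    "https://ezdrivema.com-tollfee-pay.xyz/invoice/4821",
    "http://sunpass.com-4u.top/",
    "https://www.example.com/com-pay/",          # "com-" in the path, not the host
    "https://secure.example.net/login",
    "hxxps://thetollroads.com-bill.shop/pay",   # defanged form as found in reports
]

# Prefixes that make "brand.<prefix>-anything.tld" read like "brand.<prefix>"
LOOKALIKE_PREFIX = re.compile(r"^(com|net|org|gov|edu)-", re.IGNORECASE)


def refang(url: str) -> str:
    return url.replace("hxxp", "http").replace("[.]", ".")


def registrable_domain(host: str) -> str:
    """Assumption: the registrable domain is the last two labels.
    Real code should use the Public Suffix List so 'example.co.uk' is right."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(url: str) -> Optional[Dict[str, str]]:
    """Return a finding for a com-prefix lookalike host, or None for a clean link."""
    host = urlsplit(refang(url)).hostname or ""
    if not host:
        return None
    reg = registrable_domain(host)
    if not LOOKALIKE_PREFIX.match(reg):
        return None
    labels = host.lower().split(".")
    brand_labels = labels[:len(labels) - 2]      # everything left of the registrable domain
    fake_tld = reg.split("-", 1)[0]              # the "com" the victim believes they see
    reads_as = ".".join(brand_labels + [fake_tld]) if brand_labels else fake_tld
    return {"url": url, "registered_domain": reg, "reads_as": reads_as}


def flag_links(links: List[str]) -> List[Dict[str, str]]:
    return [finding for finding in (check_link(u) for u in links) if finding]


if __name__ == "__main__":
    for finding in flag_links(SAMPLE_LINKS):
        print(f"{finding['url']}  ->  registered {finding['registered_domain']}, reads as {finding['reads_as']}")
```

The `reads_as` value is what a mail filter rule or analyst triage note should show next to the real registered domain; it is the mismatch between the two that makes the case.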
 
Caves of Qud is a roguelike game set in a richly detailed, post-apocalyptic world blending science fiction and fantasy. The game is known for its deep lore, emergent gameplay, and wildly creative character customization. It is a massive indie success, and recently hit a major milestone with the release of version 1.0 after 15 years of development. …
 
Some Updates to Our Data Feeds We made some updates to the documentation for our data feeds, and added the neat Rosti Feed to our list as well as to our ipinfo page. https://isc.sans.edu/diary/Some%20updates%20to%20our%20data%20feeds/31650 8 Million Requests Later, We Made the SolarWinds Supply Chain Attack Look Amateur While the title is a bit of …
 
Compute optimization in a cloud environment is a common challenge because of the need to balance performance, cost, and resource availability. The growing use of GPUs for workloads, including AI, is also increasing the complexity and importance of optimization given the relatively high cost of GPU cloud computation. Jerzy Grzywinski is a Senior Dir…
 
Crypto Wallet Scam YouTube spam messages leak private keys to crypto wallets. However, these keys cannot be used to withdraw funds. Victims are scammed into depositing "gas fees" which are then collected by the scammer. https://isc.sans.edu/diary/Crypto%20Wallet%20Scam/31646 MediaTek Patches MediaTek patched numerous vulnerabilities in its WLAN pr…
 
To Simulate or Replicate: Crafting Cyber Ranges Automating the creation of cyber ranges. This will be a multi-part series, and this part covers creating the DNS configuration in Windows https://isc.sans.edu/diary/To%20Simulate%20or%20Replicate%3A%20Crafting%20Cyber%20Ranges/31642 Scammers Exploiting DeepSeek Hype Scammers are using the hype around D…
 
PCAPs or It Didn't Happen: Exposing an Old Netgear Vulnerability Still Active in 2025 [Guest Diary] https://isc.sans.edu/diary/PCAPs%20or%20It%20Didn%27t%20Happen%3A%20Exposing%20an%20Old%20Netgear%20Vulnerability%20Still%20Active%20in%202025%20%5BGuest%20Diary%5D/31638 RCE Vulnerability in AI Development Platform Lightning AI Noma Security discover…
 
Docker container vulnerability analysis involves identifying and mitigating security risks within container images. This is done to ensure that containerized applications can be securely deployed. Vulnerability analysis can often be time intensive, which has motivated the use of AI and ML to accelerate the process. NVIDIA Blueprints are reference w…
 
From PowerShell to a Python Obfuscation Race! This information stealer not only emulates a PDF document convincingly, but also includes its own Python environment for Windows https://isc.sans.edu/diary/From%20PowerShell%20to%20a%20Python%20Obfuscation%20Race!/31634 Alleged Active Exploit Sale of CVE-2024-55591 on Fortinet Devices An exploit for thi…
 
Raylib is a lightweight, beginner-friendly, and open-source C library for game development, known for its simplicity and lack of external dependencies. It’s designed to streamline the creation of 2D and 3D games, and has an intuitive API for managing graphics, audio, and input. Ramon Santamaria is the Founder and Lead Developer of Raylib. He joins …
 
Learn about fileless crypto stealers written in Python, the ongoing exploitation of recent SimpleHelp vulnerabilities, new Apple Silicon side-channel attacks, a TeamViewer vulnerability, and an odd QR code. Fileless Python InfoStealer Targeting Exodus This Python script targets the Exodus crypto wallet and password managers to steal cryptocurrency. It do…
 
Anduril is a technology defense company with a focus on drones, computer vision, and other problems related to national security. It is a full-stack company that builds its own hardware and software, which leads to a great many interesting questions about cloud services, engineering workflows, and management. Gokul Subramanian is Senior Vice Presid…
 
This episode shows how attackers are bypassing phishing filters by abusing the "shy" soft hyphen HTML entity (&shy;). We got an update from Apple fixing a 0-day vulnerability in addition to a number of other issues. watchTowr shows how to exploit an interesting FortiOS vulnerability, and we have patches for GitHub Desktop and Apache Solr. An unusual shy z-wasp …
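A soft hyphen is invisible when rendered but still a character in the string, so a filter that looks for "PayPal" after decoding entities never sees it in "Pay&shy;Pal"; the same goes for zero-width joiners and the rest of the Unicode "format" class that the z-wasp style of obfuscation uses. The block below is an added example and not code from the episode or from the ISC: it shows the naive check missing the keywords, then a normalisation pass that strips markup, decodes entities and drops every format-class character before matching. The HTML fragment is constructed for the example.

```python
import html
import re
import unicodedata
from typing import List

TAG_RE = re.compile(r"<[^>]+>")

# Constructed phishing fragment: each keyword is split by an invisible character
# (&shy; = U+00AD soft hyphen, &#8204; = U+200C zero-width non-joiner).
SAMPLE_HTML = (
    '<p>Your Pay&shy;Pal ac&#8204;count is sus&shy;pended. '
    '<a href="https://example.invalid/">Ver&shy;ify now</a></p>'
)


def naive_contains(fragment: str, keyword: str) -> bool:
    """What a filter that only strips tags, decodes entities and lowercases sees."""
    return keyword.lower() in html.unescape(TAG_RE.sub("", fragment)).lower()


def normalize_for_filtering(fragment: str) -> str:
    text = TAG_RE.sub("", fragment)                # strip markup
    text = html.unescape(text)                     # &shy; -> U+00AD, &#8204; -> U+200C, ...
    text = unicodedata.normalize("NFKC", text)     # fold compatibility and full-width forms
    # Drop every "format" character (Unicode category Cf): soft hyphen, zero-width
    # space / joiner / non-joiner, word joiner, BOM and the rest of that class.
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def matched_keywords(fragment: str, keywords: List[str]) -> List[str]:
    """Keywords found once the invisible characters are removed."""
    text = normalize_for_filtering(fragment).lower()
    return [k for k in keywords if k.lower() in text]


def hidden_char_count(fragment: str) -> int:
    """Number of Cf characters after decoding; several in a short mail is a signal by itself."""
    text = html.unescape(TAG_RE.sub("", fragment))
    return sum(1 for ch in text if unicodedata.category(ch) == "Cf")


if __name__ == "__main__":
    words = ["paypal", "account", "verify", "suspended"]
    print("naive:", [w for w in words if naive_contains(SAMPLE_HTML, w)])
    print("normalised:", matched_keywords(SAMPLE_HTML, words))
    print("hidden characters:", hidden_char_count(SAMPLE_HTML))
```

Normalising before matching is the fix; counting the hidden characters is a cheap extra score for the same message, since legitimate mail rarely needs four soft hyphens in one sentence.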
 
Guest Diary: How Access Brokers Maintain Persistence Explore how cybercriminals utilize access brokers to persist within networks and the impact this has on organizational security. https://isc.sans.edu/forums/diary/Guest+Diary+How+Access+Brokers+Maintain+Persistence/31600/ Critical Vulnerability in Meta's Llama Stack (CVE-2024-50050) A deep dive i…
 
In today's episode, learn how an attacker attempted to exploit webmail XSS vulnerabilities against us. SonicWall released a critical patch fixing an already exploited vulnerability in its SMA 1000 appliance. Cisco fixed vulnerabilities in ClamAV and its Meeting Management REST API. Learn from SANS.edu student Anthony Russo how to take advantage of AI f…
 
QuantStack is an open-source technology software company specializing in tools for data science, scientific computing, and visualization. They are known for maintaining vital projects such as Jupyter, the conda-forge package channel, and the Mamba package manager. Sylvain Corlay is the CEO of QuantStack. He joins the podcast to talk about his compa…
 
In today's episode, we start by talking about the pfsync protocol used to synchronize firewall states to support failover. Oracle released its quarterly Critical Patch Update. ESET is reporting on a critical VPN supply chain attack, and CISA released guidance for victims of recent Ivanti-related attacks. Catching CARP: Fishing for Firewall State…
 
Ableton is a music software and hardware company based in Germany. The company develops Ableton Live which is a digital audio workstation for both improvisation and traditional arrangements. The software is remarkable for successfully blending good UI design with a powerful feature set. This has made it popular with new musicians as well as profess…
 
This episode covers how Starlink users can be geolocated and how Cloudflare may help deanonymize users. The increased use of AI helpers leads to leaking data via careless prompts. Geolocation and Starlink https://isc.sans.edu/diary/Geolocation%20and%20Starlink/31612 Discover the potential geolocation risks associated with Starlink and how they mig…
 
beeps is a startup focused on building an on-call platform for Next.js. The company is grounded in the key insight that Next.js has become a dominant framework for modern development. A key motivation in leveraging Next.js is to create a developer-first experience for on-call. Joey Parsons is the founder and CEO of beeps, and he previously founded …
 
In this episode, we talk about downloading and analyzing partial ZIP files, how legitimate remote access tools are used in recent compromises, and how a researcher found an SSRF vulnerability in Azure DevOps Partial ZIP File Downloads A closer look at how attackers are leveraging partial ZIP file downloads to bypass file verification systems and plant…
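A ZIP archive keeps its table of contents at the end, in the central directory, so a client that can ask an HTTP server for byte ranges can list the members and pull a single one without ever fetching the whole file; that is the mechanism behind partial ZIP downloads, and it is also why a scanner that only sees the bytes actually transferred does not get a complete archive to verify. The block below is an added example, not code from the diary: it builds a small archive in memory as a stand-in for the remote file, simulates the range requests with plain slicing, parses the end-of-central-directory record and central directory from the tail, and then fetches and CRC-checks one member using only its local header offset and compressed size. The archive contents and the `fetch_range` helper are constructed for the example; a real client would issue `Range:` requests in place of the slicing.

```python
import io
import random
import struct
import zipfile
import zlib
from typing import Dict, List, Tuple

EOCD_SIG = b"PK\x05\x06"   # end of central directory record: 22 bytes + comment
CDFH_SIG = b"PK\x01\x02"   # central directory file header: 46 bytes + name/extra/comment
LFH_SIG = b"PK\x03\x04"    # local file header: 30 bytes + name/extra


def build_sample_zip() -> bytes:
    """Constructed archive standing in for the remote file."""
    rnd = random.Random(1)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("invoice.pdf", b"%PDF-1.4 constructed sample\n" * 40)
        z.writestr("update.exe", b"MZ" + rnd.randbytes(2000))   # incompressible filler
        z.writestr("readme.txt", b"constructed sample")
    return buf.getvalue()


def fetch_range(blob: bytes, start: int, length: int) -> bytes:
    """Stand-in for an HTTP 'Range: bytes=start-end' request (assumes the server honours it)."""
    return blob[start:start + length]


def list_entries_from_tail(total_size: int, tail: bytes) -> List[Dict]:
    """Parse the central directory from the last len(tail) bytes of a ZIP."""
    tail_offset = total_size - len(tail)
    idx = tail.rfind(EOCD_SIG)
    if idx < 0:
        raise ValueError("EOCD not in tail; request more bytes")
    _disk, _cd_disk, _n_here, n_total, cd_size, cd_offset, _clen = struct.unpack(
        "<HHHHIIH", tail[idx + 4:idx + 22])
    if cd_offset < tail_offset:
        raise ValueError(f"central directory starts at {cd_offset}, tail starts at {tail_offset}")
    cd = tail[cd_offset - tail_offset:cd_offset - tail_offset + cd_size]
    entries, pos = [], 0
    for _ in range(n_total):
        if cd[pos:pos + 4] != CDFH_SIG:
            raise ValueError("bad central directory header")
        f = struct.unpack("<HHHHHHIIIHHHHHII", cd[pos + 4:pos + 46])
        method, crc, csize, usize = f[3], f[6], f[7], f[8]
        name_len, extra_len, comment_len, lfh_offset = f[9], f[10], f[11], f[15]
        name = cd[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append({"name": name, "method": method, "crc32": crc, "compressed_size": csize,
                        "size": usize, "local_header_offset": lfh_offset})
        pos += 46 + name_len + extra_len + comment_len
    return entries


def fetch_member(blob: bytes, entry: Dict) -> bytes:
    """Pull one member with two small range requests and verify its CRC."""
    off = entry["local_header_offset"]
    header = fetch_range(blob, off, 30)
    if header[:4] != LFH_SIG:
        raise ValueError("bad local file header")
    name_len, extra_len = struct.unpack("<HH", header[26:30])
    data = fetch_range(blob, off + 30 + name_len + extra_len, entry["compressed_size"])
    if entry["method"] == 8:
        data = zlib.decompress(data, -15)        # raw deflate, no zlib header
    elif entry["method"] != 0:
        raise ValueError(f"unsupported compression method {entry['method']}")
    if zlib.crc32(data) & 0xFFFFFFFF != entry["crc32"]:
        raise ValueError("CRC mismatch")
    return data


def partial_download_demo(tail_bytes: int = 512) -> Tuple[List[str], bytes]:
    """List the archive from its tail, then fetch only readme.txt."""
    blob = build_sample_zip()
    tail = fetch_range(blob, max(0, len(blob) - tail_bytes), tail_bytes)
    entries = list_entries_from_tail(len(blob), tail)
    readme = fetch_member(blob, next(e for e in entries if e["name"] == "readme.txt"))
    return [e["name"] for e in entries], readme


if __name__ == "__main__":
    names, readme = partial_download_demo()
    print(names, readme)
```

The same three-request pattern (tail, then header, then data) is what a downloader on the attacker's side uses to pull one stage out of a larger archive; on the defensive side it means that content inspection has to reassemble or block range requests into archives rather than trust a single fetched fragment.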
 
In this episode, we cover how to use honeypot data to keep your offensive infrastructure alive longer, three critical vulnerabilities in SimpleHelp that must be patched now, and an interesting vulnerability affecting many systems allowing UEFI Secure Boot bypass. Leveraging Honeypot Data for Offensive Security Operations [Guest Diary] A recent gues…
 
In this episode, we explore the efficient storage of honeypot logs in databases, issues with Citrix's Session Recording Agent and Windows Update. Ivanti is having another interesting security event and our SANS.edu graduate student Rich Green talks about his research on Passkeys. Extracting Practical Observations from Impractical Datasets: A SANS I…
 
Digital forensics is the process of identifying, preserving, analyzing, and presenting electronic data for investigative purposes. It’s often related to addressing cybercrime and is crucial in tracing the origin of breaches, recovering lost data, and security hardening. Emre Tinaztepe is the Founder and CEO of Binalyze which is a cybersecurity comp…
 
Today's episode covers an odd 12 year old Netgear vulnerability that only received a proper CVE number last year. Learn how to properly identify OpenID Connect users and avoid the problems caused by domain name reuse. Good old rsync turns out to be in need of patching, and Fortinet: Not sure if it needs patching. Probably it does. Go ahead and patch it. The Curious …
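The domain reuse problem is simple to state: an application that keys accounts on the e-mail address from an ID token hands the account to whoever can later get that address verified again, which is exactly what happens when a lapsed company domain is re-registered. OpenID Connect defines the pair of `iss` and `sub` as the stable user identifier, and that is what the account key must be. The block below is an added example, not code from the episode or the diary: it runs the same two logins through an e-mail-keyed store and a subject-keyed store and shows which one gives the new domain owner the old account. The issuer, subjects and addresses are constructed.

```python
from typing import Dict, Tuple


class AccountStore:
    """Two lookup strategies side by side; only the (iss, sub) one survives domain reuse."""

    def __init__(self) -> None:
        self._by_email: Dict[str, Dict] = {}
        self._by_subject: Dict[Tuple[str, str], Dict] = {}
        self._next_id = 1

    def _new_account(self, claims: Dict) -> Dict:
        acct = {"id": self._next_id, "iss": claims["iss"], "sub": claims["sub"],
                "email": claims.get("email")}
        self._next_id += 1
        return acct

    def login_by_email(self, claims: Dict) -> Dict:
        """Weak: keyed on a mutable, re-assignable attribute. email_verified does not
        help here, because the new domain owner really does control the mailbox."""
        if not claims.get("email_verified"):
            raise ValueError("unverified email")
        key = claims["email"].lower()
        acct = self._by_email.get(key)
        if acct is None:
            acct = self._by_email[key] = self._new_account(claims)
        return acct

    def login_by_subject(self, claims: Dict) -> Dict:
        """Correct: OpenID Connect makes (iss, sub) the stable, unique user identifier.
        The e-mail is stored as a contact attribute and may change; the identity does not."""
        key = (claims["iss"], claims["sub"])
        acct = self._by_subject.get(key)
        if acct is None:
            acct = self._by_subject[key] = self._new_account(claims)
        elif claims.get("email_verified") and claims.get("email") and acct["email"] != claims["email"]:
            acct["email"] = claims["email"]
        return acct


# Constructed ID token claims; the issuer and domains are hypothetical.
ISS = "https://idp.example-idp.invalid"
ORIGINAL_EMPLOYEE = {"iss": ISS, "sub": "1001", "email": "alice@oldstartup.example", "email_verified": True}
# Later the lapsed domain is re-registered and its new owner creates a fresh IdP user with
# the same address. The IdP marks it verified, truthfully: the mailbox is now theirs.
NEW_DOMAIN_OWNER = {"iss": ISS, "sub": "7331", "email": "alice@oldstartup.example", "email_verified": True}


def domain_reuse_scenario() -> Dict[str, bool]:
    """Does the new domain owner land in the original employee's account?"""
    store = AccountStore()
    a1 = store.login_by_email(ORIGINAL_EMPLOYEE)
    a2 = store.login_by_email(NEW_DOMAIN_OWNER)
    b1 = store.login_by_subject(ORIGINAL_EMPLOYEE)
    b2 = store.login_by_subject(NEW_DOMAIN_OWNER)
    return {
        "email_key_gives_attacker_old_account": a1["id"] == a2["id"],
        "subject_key_gives_attacker_old_account": b1["id"] == b2["id"],
    }


if __name__ == "__main__":
    print(domain_reuse_scenario())
```

One practical consequence: an existing user base keyed on e-mail needs a migration that records `iss` and `sub` at the next successful login and switches the lookup to them, rather than a rule that merely compares the domain part of the address.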
 
Fallout: London is a 2024 total conversion mod developed by Team FOLON. The mod is based on Fallout 4 by Bethesda Softworks and takes place in a post-apocalyptic rendition of London. The project is remarkable for its ambition and scope, with the small indie team delivering a fully-realized open world RPG. Daniel Morrison Neil led music composition,…
 
Today, Microsoft Patch Tuesday headlines our news with Microsoft patching 209 vulnerabilities, some of which have already been exploited. Fortinet suspects an as yet unpatched Node.js authentication bypass is behind some recent exploits of FortiOS and FortiProxy devices. Microsoft January 2025 Patch Tuesday This month's Microsoft patch update add…
 
Heroku is a cloud platform-as-a-service that enables developers to build, deploy, and manage applications. It was founded in 2007 and was acquired by Salesforce in 2010. The platform supports multiple programming languages, including Ruby, Python, Node.js, and Java, and has features such as automated scaling, database monitoring tools, and a stream…
 
Episode Summary: This episode covers brute-force attacks on the password reset functionality of Hikvision devices, a macOS SIP bypass vulnerability, Linux rootkit malware, and a novel ransomware campaign targeting AWS S3 buckets. Topics Covered: Hikvision Password Reset Brute Forcing URL: https://isc.sans.edu/diary/Hikvision%20Password%20Reset%20Br…
 
In today's episode, we cover the latest updates in cybersecurity: Windows Defender Enhances Chrome Extension Detection Microsoft's Defender now catalogs Chrome extensions to identify malicious ones. Learn how this improves enterprise security. https://isc.sans.edu/diary/Windows%20Defender%20Chrome%20Extension%20Detection/31574 Multi-OLE Analysis in…
 
In this episode, we explore the following stories: "Examining Redtail: Analyzing a Sophisticated Cryptomining Malware and its Advanced Tactics" Overview of Redtail's multi-architecture cryptomining malware exploiting vulnerabilities and deploying persistence techniques. URL: Examining Redtail: Analyzing a Sophisticated Cryptomining Malware and its …
 
Over the years, Google has released a variety of ML, data science, and AI developer tools and platforms. Prominent examples include Colab, Kaggle, AI Studio, and the Gemini API. Paige Bailey is the Uber Technical Lead of the Developer Relations team at Google ML Developer Tools, working on Gemini APIs, Gemma, AI Studio, Kaggle, Colab and Jax. She j…
 
In this episode, we discuss critical vulnerabilities in Ivanti Connect Secure and Policy Secure, command injection risks in Aviatrix Network Controllers, and the risks posed by hijacked abandoned backdoors. Episode Links and Topics: More Governments Backdoors in Your Backdoors https://labs.watchtowr.com/more-governments-backdoors-in-your-backdoors/…
 
Video game emulation is the process of using software to replicate the functionality of gaming hardware. It’s a fundamental approach to making older games accessible on modern devices. The Carbon Engine is a tool developed internally at video game publisher and distributor Limited Run Games. It allows a variety of emulators to interface with modern…
 
In this episode, we dive into active exploitation of a zero-day in SonicWall SSL-VPN, privilege escalation vulnerabilities in Moxa devices, and a BitLocker bypass in Windows 11. We also cover cryptocurrency mining malware hitting PHP servers and the White House's launch of the U.S. Cyber Trust Mark to secure connected devices. Episode Links and Top…
 
Serverless computing is a cloud-native model where developers build and run applications without managing server infrastructure. It has largely become the standard approach to achieve scalability, often with reduced operational overhead. However, in banking and financial services, adopting a serverless model can present unique challenges. Brian McN…
 
In this episode of the SANS Internet Storm Center's Stormcast, we cover critical vulnerabilities affecting OpenSSH, BeyondTrust, and Nuclei, including the newly discovered "regreSSHion" flaw and a bypass vulnerability in Nuclei. We also discuss how malware evasion techniques can impact analysis environments and highlight the dangers of fake exploit…
 
In this episode of the SANS Internet Storm Center's Stormcast, we cover the latest cybersecurity threats and defenses, including Python-delivered malware, goodware hash sets, SSL/TLS protocol updates, and critical vulnerabilities in ASUS routers and Paessler PRTG. Stay informed and secure your systems! Full details and links to all stories: SwaetRA…
 