
Internet Storm Center Tech Corner

SANS ISC StormCast Tuesday, March 18, 2025

Analyzing GUID Encoded Shellcode; Node.js SAML Vuln; Tomcat RCE in the Wild; CSS e-mail obfuscation

https://isc.sans.edu/podcastdetail/9368

Static Analysis of GUID Encoded Shellcode

Didier explains how to decode shellcode that malware embeds as a list of GUID strings, and how to feed the result to his tool 1768.py, which extracts Cobalt Strike configuration information from the decoded shellcode.

https://isc.sans.edu/diary/Static+Analysis+of+GUID+Encoded+Shellcode/31774
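The decoding step described above, as an added example (not Didier's code or 1768.py): a loader that stores shellcode as GUID strings relies on UuidFromStringA() writing each GUID into memory as a 16-byte UUID struct, so decoding is just the string-to-struct conversion applied in order. The regex, the helper names and the sample C-like array below are this example's own; the sample bytes are a constructed 16-byte chunk (the familiar x64 stager prologue), not shellcode taken from the diary.

```python
import re
import uuid

# Matches the textual form UuidFromStringA() accepts: 8-4-4-4-12 hex digits.
GUID_RE = re.compile(
    r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"
)


def guid_to_bytes(guid: str) -> bytes:
    """Return the 16 bytes UuidFromStringA() writes to memory for this GUID.

    The UUID struct is Data1 (u32), Data2 (u16), Data3 (u16), Data4 (8 bytes).
    On x86/x64 the first three fields are stored little-endian and Data4 as-is,
    which is exactly what uuid.UUID(...).bytes_le produces.
    """
    return uuid.UUID(guid).bytes_le


def bytes_to_guids(blob: bytes) -> list:
    """Inverse transform (what the malware author did): zero-pad the blob to a
    multiple of 16 bytes and emit one GUID string per 16-byte chunk."""
    padded = blob + b"\x00" * (-len(blob) % 16)
    return [str(uuid.UUID(bytes_le=padded[i:i + 16]))
            for i in range(0, len(padded), 16)]


def decode_guid_shellcode(source_text: str) -> bytes:
    """Pull every GUID out of strings/decompiler output, in order of appearance,
    and concatenate the decoded chunks into one shellcode blob."""
    return b"".join(guid_to_bytes(g) for g in GUID_RE.findall(source_text))


# Constructed sample (assumption, not from the diary): the first 16 bytes of the
# common x64 stager prologue fc 48 83 e4 f0 e8 c0 00 00 00 41 51 41 50 52 51,
# written as the single GUID a loader would carry in a string array.
SAMPLE_SOURCE = '''
const char *guids[] = {
    "e48348fc-e8f0-00c0-0000-415141505251",
};
'''
SAMPLE_BYTES = bytes.fromhex("fc4883e4f0e8c0000000415141505251")


if __name__ == "__main__":
    decoded = decode_guid_shellcode(SAMPLE_SOURCE)
    print(decoded.hex())
    # Save the blob and hand it to 1768.py to recover the Cobalt Strike config.
    with open("shellcode.bin", "wb") as fh:
        fh.write(decoded)
```

The trailing zero padding that bytes_to_guids adds is harmless to a disassembler or to 1768.py, but note that the sample source order matters: if the loader shuffles or reverses the array before calling UuidFromStringA(), the GUIDs have to be reordered the same way before decoding.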

SAMLStorm: Critical Authentication Bypass in xml-crypto and Node.js libraries

xml-crypto, the XML digital signature library used by many Node.js SAML implementations, was found to handle XML comments incorrectly during signature verification, leading to several SAML authentication bypass vulnerabilities.

https://workos.com/blog/samlstorm

One PUT Request to Own Tomcat: CVE-2025-24813 RCE is in the Wild

A Tomcat deserialization vulnerability that was only just made public is already being exploited. Contributing to the rapid exploit release is its similarity to earlier Java deserialization vulnerabilities.

https://lab.wallarm.com/one-put-request-to-own-tomcat-cve-2025-24813-rce-is-in-the-wild/

CSS Abuse for Evasion and Tracking

Attackers are abusing Cascading Style Sheets (CSS) in e-mail to evade content filters and to track recipients more stealthily.

https://blog.talosintelligence.com/css-abuse-for-evasion-and-tracking/
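One evasion trick in this family is hidden-text salting: filler characters are spliced into keywords inside elements that CSS hides from the reader, so a naive text scan sees "accxyzount" while the recipient sees "account". The following is an added example, not code from the Talos post: a small html.parser pass that buckets text into visible and hidden parts based on inline styles. The list of hiding properties is a heuristic (an assumption, not a standard), only inline style attributes are evaluated, and the sample message is constructed for this example.

```python
from html.parser import HTMLParser

# Elements that never get a closing tag; they must not push onto the stack.
VOID = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "wbr", "source"}


def _declarations(style: str) -> dict:
    """Parse 'prop: value; prop: value' into a dict (lower-cased, trimmed)."""
    rules = {}
    for decl in style.lower().split(";"):
        if ":" in decl:
            prop, val = decl.split(":", 1)
            rules[prop.strip()] = val.strip()
    return rules


def is_hidden_style(style: str) -> bool:
    """Heuristic (assumption): inline declarations that keep text in the markup
    but remove it from what the recipient sees."""
    r = _declarations(style)
    return (
        r.get("display") == "none"
        or r.get("visibility") == "hidden"
        or r.get("opacity") == "0"
        or r.get("font-size", "") in {"0", "0px", "0pt", "0em", "0%"}
        or r.get("text-indent", "").startswith("-")
        or r.get("max-height", "") in {"0", "0px"}
    )


class SaltSplitter(HTMLParser):
    """Collect text into visible/hidden buckets, inheriting the hidden flag
    from ancestors. Rules in <style> blocks or external sheets are out of scope."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden, self.raw = [], [], []
        self._stack = []  # one hidden-flag per open element

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        parent_hidden = self._stack[-1] if self._stack else False
        self._stack.append(parent_hidden or tag in {"style", "script"} or is_hidden_style(style))

    def handle_endtag(self, tag):
        if tag not in VOID and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        self.raw.append(data)
        bucket = self.hidden if (self._stack and self._stack[-1]) else self.visible
        bucket.append(data)


def _norm(parts) -> str:
    return " ".join("".join(parts).split())


def split_visible(html: str):
    """Return (visible_text, hidden_text) as the recipient vs. the filter would see it."""
    p = SaltSplitter()
    p.feed(html)
    p.close()
    return _norm(p.visible), _norm(p.hidden)


def raw_text(html: str) -> str:
    """What a scanner that strips tags without honouring CSS would see."""
    p = SaltSplitter()
    p.feed(html)
    p.close()
    return _norm(p.raw)


# Constructed phishing-style sample (assumption, not a real message).
SAMPLE_EMAIL = (
    '<html><body><p>Your <span style="font-size:0">qwe</span>acc'
    '<span style="display:none">xyz</span>ount has been <b>susp'
    '<span style="text-indent:-9999px;position:absolute">zz</span>ended</b>.</p>'
    '<div style="visibility:hidden"><p>Unrelated filler to dilute scoring.</p></div>'
    '</body></html>'
)

if __name__ == "__main__":
    vis, hid = split_visible(SAMPLE_EMAIL)
    print("scanner sees :", raw_text(SAMPLE_EMAIL))
    print("recipient sees:", vis)
    print("salt         :", hid)
```

Running keyword or ML classification over the visible bucket (and treating a large hidden bucket as a signal in itself) closes this particular gap; a production filter would also need to resolve class-based rules from `<style>` blocks, which is where much of the real-world salting lives.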

SANS ISC StormCast Monday, March 17, 2025

Mirai Makes Mistakes; Compromised Github Action; ruby-saml vulnerability; Fake GitHub Security Alert Phishing

https://isc.sans.edu/podcastdetail/9366

Mirai Bot Now Incorporating Malformed DrayTek Vigor Router Exploits

One of the many versions of the Mirai botnet added some new exploit strings attempting to take advantage of an old DrayTek Vigor Router vulnerability, but they got the URL wrong.

https://isc.sans.edu/diary/Mirai+Bot+now+incroporating+malformed+DrayTek+Vigor+Router+Exploits/31770

Compromised GitHub Action

The popular GitHub Action tj-actions/changed-files was compromised; the malicious version leaked CI secrets from the runner into the action logs.

https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
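A compromised action reaches downstream workflows through mutable references (tags and branches) that the attacker can retarget at a malicious commit. The practical control is to pin every third-party `uses:` to a full commit SHA. Below is an added example (not StepSecurity's tooling): a small scanner that lists the actions in a workflow that are still pinned to a mutable ref. The sample workflow, including its placeholder SHA, is constructed for this example.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# 'uses:' either as a list item ("- uses:") or a plain key; stop at whitespace or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

# Constructed sample workflow (assumption). The 40-hex SHA is a placeholder.
WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - run: echo hi
"""


def parse_uses(workflow_text: str) -> list:
    """Return every 'uses:' reference in the order it appears."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            refs.append(m.group(1).strip("\"'"))
    return refs


def classify(ref: str) -> str:
    """local / docker / sha / mutable / unpinned."""
    if ref.startswith("./"):
        return "local"          # lives in this repo; reviewed with the code
    if ref.startswith("docker://"):
        return "docker"         # separate problem: pin by image digest
    _, _, version = ref.partition("@")
    if not version:
        return "unpinned"       # no ref at all: resolves to the default branch
    if SHA_RE.match(version):
        return "sha"            # immutable: a retargeted tag cannot affect it
    return "mutable"            # tag or branch that a compromised maintainer can move


def unpinned_actions(workflow_text: str) -> list:
    """Third-party actions that would silently pick up a retargeted tag."""
    return [r for r in parse_uses(workflow_text) if classify(r) in ("unpinned", "mutable")]


if __name__ == "__main__":
    for ref in unpinned_actions(WORKFLOW):
        print(f"pin to a commit SHA: {ref}")
```

Pinning alone is not enough if the pinned SHA was itself pushed by the attacker; the complementary controls are reviewing the diff of the pinned commit, restricting the job's `permissions:` to the minimum, and limiting runner egress so a leaked token has nowhere to go.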

ruby-saml authentication bypass

A parser differential between the two XML parsers ruby-saml uses (REXML and Nokogiri) means the library can verify the signature over one part of a SAML response while reading the identity from another, which leads to an authentication bypass in ruby-saml.

https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials/
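Both the xml-crypto item above and this ruby-saml item belong to the same class: the code that verifies the signature and the code that extracts the identity interpret the same XML differently, and an attacker who can obtain a signed assertion for an account they control exploits that gap. The oldest instance is an XML comment inside NameID: exclusive canonicalization without comments strips it before hashing, so the signature still verifies, but a DOM reader that takes the first text node sees a truncated identity. The following is an added example, not code from either library, using two Python standard-library parsers to make the differential visible; the assertion fragment is constructed and unsigned, so only the identity-extraction step is shown.

```python
from xml.dom import minidom, Node
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def _assertion(name_id_inner: str) -> str:
    # Constructed, unsigned assertion skeleton; only the NameID content matters here.
    return (
        f'<saml:Assertion xmlns:saml="{SAML}">'
        f'<saml:Subject><saml:NameID>{name_id_inner}</saml:NameID></saml:Subject>'
        f'</saml:Assertion>'
    )


# The IdP issued an assertion for the attacker's own account
# "user@example.com.evil.com"; the attacker then inserted an empty comment.
CLEAN = _assertion("user@example.com")
SALTED = _assertion("user@example.com<!---->.evil.com")


def nameid_first_text_node(xml_text: str) -> str:
    """Vulnerable idiom: read the first child text node of NameID.
    A DOM keeps the comment as its own node, so the text is split in two."""
    node = minidom.parseString(xml_text).getElementsByTagNameNS(SAML, "NameID")[0]
    return node.firstChild.data


def nameid_etree(xml_text: str) -> str:
    """ElementTree drops comments and joins the surrounding character data,
    so the same document yields a different identity."""
    root = ET.fromstring(xml_text)
    return root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID").text


def nameid_strict(xml_text: str) -> str:
    """Hardened reader: accept NameID only if it is exactly one text node, so
    comments, CDATA sections or nested elements cannot split or shadow it."""
    node = minidom.parseString(xml_text).getElementsByTagNameNS(SAML, "NameID")[0]
    kids = node.childNodes
    if len(kids) != 1 or kids[0].nodeType != Node.TEXT_NODE:
        raise ValueError("NameID is not a single text node; rejecting assertion")
    return kids[0].data


def strict_accepts(xml_text: str) -> bool:
    try:
        nameid_strict(xml_text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("first text node :", nameid_first_text_node(SALTED))  # truncated identity
    print("ElementTree     :", nameid_etree(SALTED))            # full identity
    print("strict accepts  :", strict_accepts(SALTED))          # False
```

The general rule the example points at: extract every security-relevant value from the same parsed tree that the signature was verified against, and reject documents with more than one candidate element, comments or CDATA inside identity fields, rather than trying to normalise them.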

GitHub Fake Security Alerts

Fake GitHub security alerts are being used to trick repository maintainers into authorizing a malicious OAuth app, which then gives the attacker control of the account.

https://www.bleepingcomputer.com/news/security/fake-security-alert-issues-on-github-use-oauth-app-to-hijack-accounts/
