Internet Storm Center Tech Corner

SANS ISC StormCast Friday, March 21, 2025

New Data Feeds; SEO Spam; Veeam Deserialization; IBM AIX RCE

https://isc.sans.edu/podcastdetail/9374

Some New Data Feeds and Little Incident

We started offering additional data feeds, and an SEO spammer attempted to make us change a link from an old podcast episode.

https://isc.sans.edu/diary/Some+new+Data+Feeds+and+a+little+incident/31786

Veeam Deserialization Vulnerability

Veeam released details regarding the latest vulnerability in Veeam, pointing out the insufficient patch applied to a prior deserialization vulnerability.

https://labs.watchtowr.com/by-executive-order-we-are-banning-blacklists-domain-level-rce-in-veeam-backup-replication-cve-2025-23120/

IBM AIX Vulnerability

The AIX NIM service is vulnerable to an unauthenticated remote code execution vulnerability.

https://www.ibm.com/support/pages/node/7186621

SANS ISC StormCast Thursday, March 20, 2025

Cisco Smart Licensing Attacks; Vulnerable Drivers again; Synology Advisories Updated

https://isc.sans.edu/podcastdetail/9372

Exploit Attempts for Cisco Smart Licensing Utility CVE-2024-20439 CVE-2024-20440

Attackers have added last September's Cisco Smart Licensing Utility vulnerability to their toolset. These attacks most likely originate from botnets, and the same attackers are scanning for a wide range of additional vulnerabilities. The vulnerability is a static credential issue and trivial to exploit after the credentials were published last fall.

https://isc.sans.edu/diary/Exploit+Attempts+for+Cisco+Smart+Licensing+Utility+CVE202420439+and+CVE202420440/31782

Legacy Driver Exploitation Through Bypassing Certificate Verification

Ahnlab documented a new type of "bring your own vulnerable driver" vulnerability. In this case, an old driver used by an anti-malware and anti-rootkit system can be used to shut down arbitrary processes, including security-related processes.

https://asec.ahnlab.com/en/86881/

Synology Vulnerability Updates

Synology updated some security advisories it released last year, adding additional details and vulnerable systems.

https://www.synology.com/en-global/security/advisory/Synology_SA_24_20 (Synology-SA-24:20 DSM)

https://www.synology.com/en-global/security/advisory/Synology_SA_24_24 (Synology-SA-24:24 Synology Camera)

SANS ISC StormCast Wednesday, March 19, 2025

Python DLL Side Loading; Tomcat RCE Correction; SAML Roulette; Windows Shortcut 0-Day

https://isc.sans.edu/podcastdetail/9370

Python Bot Delivered Through DLL Side-Loading

A legitimate PDF reader that is vulnerable to DLL side-loading may be used to launch additional exploit code.

https://isc.sans.edu/diary/Python+Bot+Delivered+Through+DLL+SideLoading/31778

Tomcat RCE Correction

To exploit the Tomcat RCE I mentioned yesterday, two non-default configuration options must be selected by the victim.

https://x.com/dkx02668274/status/1901893656316969308

SAML Roulette: The Hacker Always Wins

This Portswigger blog explains in detail how to exploit the ruby-saml vulnerability against GitLab.

https://portswigger.net/research/saml-roulette-the-hacker-always-wins

Windows Shortcut Zero Day Exploit

Attackers are currently taking advantage of an unpatched vulnerability in how Windows displays Shortcut (.lnk file) details. Trend Micro explains how the attack works and provides PoC code. Microsoft is not planning to fix this issue.

https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
