Internet Storm Center Tech Corner

Internet Storm Center StormCast Tuesday, April 29, 2025

SRUM-DUMP 3; Policy Puppetry; Choice Jacking; @sansinstitute at #RSAC

https://isc.sans.edu/podcastdetail/9428

SRUM-DUMP Version 3: Uncovering Malware Activity in Forensics

Mark Baggett released SRUM-DUMP Version 3. The tool simplifies data extraction from the Windows System Resource Usage Monitor (SRUM). This database logs how many resources each program used over the last 30 days, and it is invaluable for determining which software was executed, when it ran, and whether it sent or received network data.

https://isc.sans.edu/diary/SRUMDUMP+Version+3+Uncovering+Malware+Activity+in+Forensics/31896

Novel Universal Bypass For All Major LLMS

HiddenLayer discovered a new prompt injection technique that bypasses security constraints in large language models.

The technique uses an XML-formatted preamble to a prompt, which appears to the LLM as a policy file. This "Policy Puppetry" can be used to rewrite some of the security policies configured for LLMs. Unlike other techniques, this one works across multiple LLMs without changing the policy text.

https://hiddenlayer.com/innovation-hub/novel-universal-bypass-for-all-major-llms/

CHOICEJACKING: Compromising Mobile Devices through Malicious Chargers like a Decade ago

The old "Juice Jacking" is back, at least if you do not run the latest version of Android or iOS. The issue may allow a malicious USB device, in particular a USB charger, to take control of a device connected to it.

https://pure.tugraz.at/ws/portalfiles/portal/89650227/Final_Paper_Usenix.pdf

SANS @RSA: https://www.sans.org/mlp/rsac/

Internet Storm Center StormCast Monday, April 28, 2025

Image Steganography; SAP NetWeaver Exploited; Any.Run Reports False Positive Uploads

https://isc.sans.edu/podcastdetail/9426

Example of a Payload Delivered Through Steganography

Xavier and Didier published two diaries this weekend, building on each other. First, Xavier showed an example of an image being used to smuggle an executable past network defenses, and second, Didier showed how to use his tools to extract the binary.

https://isc.sans.edu/diary/Example+of+a+Payload+Delivered+Through+Steganography/31892

https://isc.sans.edu/diary/Steganography+Analysis+With+pngdumppy/31894/
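As an added illustration of the kind of check an analyst runs on an image suspected of carrying a payload (this is not code from either diary or from Didier's pngdump.py): the script below walks the PNG chunk structure, validates each chunk's CRC, and reports any bytes appended after the IEND chunk, which a legitimate encoder never writes. It assumes the common "append the binary after IEND" smuggling pattern; the sample PNG and the appended "MZ" bytes are constructed inline for the demonstration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def parse_png_chunks(data: bytes):
    """Walk the PNG chunk list and return (chunks, trailing_bytes).

    chunks is a list of (type, length, crc_ok) tuples in file order;
    trailing_bytes is whatever follows IEND (should be empty in a clean file).
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_stored = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_stored) < 4:
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        # CRC covers the chunk type and body, not the length field
        crc_calc = struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)
        chunks.append((ctype.decode("ascii", "replace"), length, crc_calc == crc_stored))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def find_appended_payload(data: bytes) -> dict:
    """Summarise chunk layout and flag data hidden after IEND."""
    chunks, trailing = parse_png_chunks(data)
    return {
        "chunks": [c[0] for c in chunks],
        "bad_crc": [c[0] for c in chunks if not c[2]],
        "trailing_len": len(trailing),
        # PE executables start with "MZ"; a constructed heuristic, not a full check
        "trailing_looks_like_pe": trailing[:2] == b"MZ",
    }


def build_png(extra: bytes = b"") -> bytes:
    """Construct a minimal 1x1 RGB PNG (sample input, not a real capture),
    optionally with bytes appended after IEND to simulate a smuggled file."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)
        return struct.pack(">I", len(body)) + ctype + body + crc

    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")           # filter byte + one red pixel
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + extra


if __name__ == "__main__":
    # Constructed sample: clean image versus image with a fake PE stub appended
    print(find_appended_payload(build_png()))
    print(find_appended_payload(build_png(b"MZ" + b"\x90" * 100)))
```

For a real sample, read the file with open(path, "rb") and pass the bytes to find_appended_payload; a non-zero trailing_len is the cue to carve the tail out for further analysis. Payloads can also be hidden inside IDAT pixel data rather than appended, so an empty tail does not clear the file.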

SAP NetWeaver Exploited CVE-2025-31324

An arbitrary file upload vulnerability in SAP's NetWeaver product is being actively exploited to upload webshells. ReliaQuest discovered the issue and reports having seen it abused to upload the Brute Ratel C2 framework. NetWeaver users should turn off the development server alias and disable Visual Composer, an application that has been deprecated for about 10 years. SAP has released an emergency update for the issue.

https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/

https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/

Any.Run Reports False Positive Uploads

Due to false positives caused by MS Defender XDR flagging Adobe Acrobat Cloud links as malicious, many users of Any.Run's free tier uploaded confidential documents to Any.Run. Any.Run has blocked these uploads for now but reminded users to be cautious about which documents they upload.

https://x.com/anyrun_app/status/1915429758516560190
