Internet Storm Center Tech Corner

Internet Storm Center StormCast Friday, May 2, 2025

More Steganography; Malicious Python Packages Gmail C2; BEC to Steal Rent Payments

https://isc.sans.edu/podcastdetail/9434

Steganography Analysis With pngdump.py: Bitstreams

More details from Didier on how to extract binary content hidden inside images.

https://isc.sans.edu/diary/Steganography+Analysis+With+pngdumppy+Bitstreams/31904

Using Trusted Protocols Against You: Gmail as a C2 Mechanism

Attackers are using typosquatting to trick developers into installing malicious Python packages. These packages use Gmail as a command and control channel, sending email to hard-coded Gmail accounts.

https://socket.dev/blog/using-trusted-protocols-against-you-gmail-as-a-c2-mechanism

Security Brief: French BEC Threat Actor Targets Property Payments

A French business email compromise threat actor is targeting property management firms and sending emails to their tenants, tricking them into sending rent payments to fake bank accounts.

https://www.proofpoint.com/us/blog/threat-insight/security-brief-french-bec-threat-actor-targets-property-payments

SANS.edu Research Journal

https://isc.sans.edu/j/research

Internet Storm Center StormCast Thursday, May 1, 2025

SonicWall Attacks; Spoofing Adversary in the Middle Attacks; Cached Windows RDP Credentials

https://isc.sans.edu/podcastdetail/9432

Web Scanning for SonicWall Vulnerabilities CVE-2021-20016

For the last week, scans for SonicWall API “login” and “domain” endpoints have skyrocketed. These attacks may be exploiting an older vulnerability or just attempting to brute force credentials.

https://isc.sans.edu/diary/Web+Scanning+Sonicwall+for+CVE202120016/31906

The Wizards APT Group SLAAC Spoofing Adversary in the Middle Attacks

ESET published an article with details regarding an IPv6-linked attack they have observed. Attackers use IPv6 router advertisements to push fake recursive DNS servers to victims; these DNS servers then return attacker-controlled IP addresses for the hostnames that software update mechanisms rely on. As a result, the victim downloads malware instead of legitimate updates.

https://www.welivesecurity.com/en/eset-research/thewizards-apt-group-slaac-spoofing-adversary-in-the-middle-attacks/

Windows RDP Access is Possible with Old Credentials

Credential caching may lead to Windows allowing RDP logins with old credentials.

https://arstechnica.com/security/2025/04/windows-rdp-lets-you-log-in-using-revoked-passwords-microsoft-is-ok-with-that/

Internet Storm Center StormCast Wednesday, April 30, 2025

SMS Attacks; Apple Airplay Vulnerabilities

https://isc.sans.edu/podcastdetail/9430

More Scans for SMS Gateways and APIs

Attackers are not just looking for SMS gateways, as in the scans we reported on last week; they are also actively scanning for other APIs and add-on tools that would let them send messages using other people's credentials.

https://isc.sans.edu/diary/More+Scans+for+SMS+Gateways+and+APIs/31902

AirBorne: AirPlay Vulnerabilities

Researchers at Oligo revealed over 20 weaknesses they found in Apple’s implementation of the AirPlay protocol. These vulnerabilities can be abused to execute code or launch denial-of-service attacks against affected devices. Apple patched the vulnerabilities in recent updates.

https://www.oligo.security/blog/airborne
