Internet Storm Center Tech Corner

SANS Internet Storm Center StormCast Friday, May 23, 2025

Backup Connectivity; Windows 2025 dMSA Abuse; Samlify Vulnerability

https://isc.sans.edu/podcastdetail/9464

Resilient Secure Backup Connectivity for SMB/Home Users

Establishing resilient access to a home network via a second ISP may lead to unintended backdoors. Secure the access and make sure you have the visibility needed to detect abuse.

https://isc.sans.edu/diary/Resilient+Secure+Backup+Connectivity+for+SMBHome+Users/31972

BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory

An attacker with the ability to create service accounts may be able to manipulate these accounts to mark them as migrated accounts, inheriting all privileges the original account had access to.

https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory

Flaw in samlify That Opens Door to SAML Single Sign-On Bypass CVE-2025-47949

The samlify Node.js library does not verify SAML assertions correctly: it treats the entire assertion as valid, not just the original one. An attacker may use this to obtain additional privileges or authenticate as a different user.

https://www.endorlabs.com/learn/cve-2025-47949-reveals-flaw-in-samlify-that-opens-door-to-saml-single-sign-on-bypass

SANS Internet Storm Center StormCast Thursday, May 22, 2025

Crypto Confidence Scams; Extension Mayhem for VS Code and Chrome

https://isc.sans.edu/podcastdetail/9462

New Variant of Crypto Confidence Scam

Scammers are offering login credentials for what appears to be high value crypto coin accounts. However, the goal is to trick users into paying for expensive "VIP" memberships to withdraw the money.

https://isc.sans.edu/diary/New+Variant+of+Crypto+Confidence+Scam/31968

Malicious Chrome Extensions

Malicious Chrome extensions mimic popular services like VPNs to trick users into installing them. Once installed, the extensions will exfiltrate browser secrets.

https://dti.domaintools.com/dual-function-malware-chrome-extensions/

Malicious VS Code Extensions

Malicious Visual Studio Code extensions target crypto developers, tricking them into installing the extensions, which then exfiltrate developer secrets.

https://securitylabs.datadoghq.com/articles/mut-9332-malicious-solidity-vscode-extensions/#indicators-of-compromise

SANS Internet Storm Center StormCast Wednesday, May 21, 2025

Researchers Scanning the Internet; Forgotten DNS Records; openpgp.js Vulnerability

https://isc.sans.edu/podcastdetail/9460

Researchers Scanning the Internet

A ‘newish’ RFC, RFC 9511, suggests researchers identify themselves by adding strings to the traffic they send, or by operating web servers on the machines from which the scan originates. We do offer lists of researchers and just added three new groups today.

https://isc.sans.edu/diary/Researchers+Scanning+the+Internet/31964

Cloudy with a Chance of Hijacking: Forgotten DNS Records

Organizations do not always remove unused CNAME records. An attacker may take advantage of this if they are able to take possession of the now unused public cloud resource the name pointed to.

https://blogs.infoblox.com/threat-intelligence/cloudy-with-a-chance-of-hijacking-forgotten-dns-records-enable-scam-actor/
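A simple zone audit for the problem described above, added here as an example and not code from the ISC diary or the Infoblox post: it parses CNAME records out of a constructed zone snippet, checks whether each target still resolves, and flags targets on hosting suffixes where a released name could be claimed by someone else. The zone text, the stub resolver table and the suffix list are all constructed for illustration; in production you would replace `stub_resolve` with a real DNS lookup and tune the suffix list to the providers you actually use.

```python
"""Flag CNAME records whose targets no longer resolve (dangling records).

Constructed example: the zone, the resolver table and the suffix list are
illustrative. Swap `stub_resolve` for a real lookup (e.g. dnspython) in use.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone snippet, as an operator might export it from a DNS provider.
EXAMPLE_ZONE = """
www       IN CNAME  example-frontend.azurewebsites.net.
assets    IN CNAME  old-bucket.s3-website-us-east-1.amazonaws.com.
blog      IN CNAME  example.ghost.io.
mail      IN A      192.0.2.10
"""

# Hosting suffixes where a released target name can be re-registered by anyone.
# Illustrative list (assumption); extend it for the providers you rely on.
TAKEOVER_PRONE_SUFFIXES = (
    ".azurewebsites.net",
    ".amazonaws.com",
    ".ghost.io",
    ".github.io",
)

CNAME_RE = re.compile(r"^(\S+)\s+IN\s+CNAME\s+(\S+)\s*$", re.MULTILINE)

# A resolver takes a name and returns an address, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]


def parse_cnames(zone_text: str, origin: str) -> List[Tuple[str, str]]:
    """Return (owner, target) pairs as fully qualified names without trailing dots."""
    pairs = []
    for owner, target in CNAME_RE.findall(zone_text):
        owner_fqdn = owner if owner.endswith(".") else f"{owner}.{origin}."
        pairs.append((owner_fqdn.rstrip("."), target.rstrip(".")))
    return pairs


def find_dangling(zone_text: str, origin: str, resolve: Resolver) -> List[Dict[str, object]]:
    """List CNAMEs whose target no longer resolves, marking takeover-prone targets."""
    findings: List[Dict[str, object]] = []
    for owner, target in parse_cnames(zone_text, origin):
        if resolve(target) is not None:
            continue  # target still exists; nothing to report
        risky = any(target.endswith(suffix) for suffix in TAKEOVER_PRONE_SUFFIXES)
        findings.append({"owner": owner, "target": target, "takeover_prone": risky})
    return findings


# Offline stand-in for DNS: only names in this constructed table "exist".
STUB_TABLE = {
    "example-frontend.azurewebsites.net": "203.0.113.5",
    "example.ghost.io": "203.0.113.6",
}


def stub_resolve(name: str) -> Optional[str]:
    return STUB_TABLE.get(name)


if __name__ == "__main__":
    for finding in find_dangling(EXAMPLE_ZONE, "example.com", stub_resolve):
        print(finding)
```

Run periodically against an export of each zone you own and treat every `takeover_prone` finding as a record to delete, not just to monitor; a dangling name that points at a cloud resource you no longer control is the exact condition the post describes.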

Message signature verification can be spoofed CVE-2025-47934

A vulnerability in openpgp.js may be used to spoof message signatures. openpgp.js is a popular library in systems implementing end-to-end encrypted browser applications.

https://github.com/openpgpjs/openpgpjs/security/advisories/GHSA-8qff-qr5q-5pr8
