SANS Stormcast Thursday, September 18th, 2025: DLL Hooking; Entra ID Actor Tokens; Watchguard and NVidia Patches
CTRL-Z DLL Hooking
Attackers may use a simple reload trick to overwrite breakpoints left by analysts to reverse malicious binaries.
https://isc.sans.edu/diary/CTRL-Z%20DLL%20Hooking/32294
Global Admin in every Entra ID tenant via Actor tokens
As part of September s patch Tuesday, Microsoft patched CVE-2025-55241. The discoverer of the vulnerability,
Dirk-jan Mollema has published a blog post showing how this vulnerability could have been exploited.
https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens/
WatchGuard Firebox iked Out of Bounds Write Vulnerability CVE-2025-9242
WatchGuard patched an out-of-bounds write vulnerability, which could allow an unauthenticated attacker to compromise the devices.
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015
NVidia Triton Inference Server
NVIDIA patched critical vulnerabilities in its Triton Inference Server.
https://nvidia.custhelp.com/app/answers/detail/a_id/5691
--------
6:31
--------
6:31
SANS Stormcast Wednesday, September 17th, 2025: Phishing Resistants; More npm Attacks; ChatGPT MCP abuse
Why You Need Phishing-Resistant Authentication NOW.
The recent compromise of a number of high-profile npmjs.com accounts has yet again shown how dangerous a simple phishing email can be.
https://isc.sans.edu/diary/Why%20You%20Need%20Phishing%20Resistant%20Authentication%20NOW./32290
S1ngularity/nx Attackers Strike Again
A second wave of attacks has hit over a hundred npm-related GitHub repositories. The updated payload implements a worm that propagates itself to other repositories.
https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again
ChatGPT s Calendar Integration Can Be Exploited to Steal Emails
ChatGPT s new MCP integration can be used, via prompt injection, to affect software connected to ChatGPT via MCP.
https://www.linkedin.com/posts/eito-miyamura-157305121_we-got-chatgpt-to-leak-your-private-email-activity-7372306174253256704-xoX1/
--------
8:47
--------
8:47
SANS Stormcast Tuesday, September 16th, 2025: Apple Updates; Rust Phishing; Samsung 0-day
Apple Updates
Apple released major updates for all of its operating systems. In addition to new features, these updates patch 33 different vulnerabilities.
https://isc.sans.edu/diary/Apple%20Updates%20Everything%20-%20iOS%20macOS%2026%20Edition/32286
Microsoft End of Life
October 14th, support for Windows 10, Exchange 2016, and Exchange 2019 will end.
https://support.microsoft.com/en-us/windows/windows-10-support-ends-on-october-14-2025-2ca8b313-1946-43d3-b55c-2b95b107f281#:~:text=As%20a%20reminder%2C%20Windows%2010,one%20that%20supports%20Windows%2011.
https://techcommunity.microsoft.com/blog/exchange/t-9-months-exchange-server-2016-and-exchange-server-2019-end-of-support/4366605
Phishing Targeting Rust Developers
Rust developers are reporting similar phishing emails as the emails causing the major NPM compromise last week.
https://github.com/rust-lang/crates.io/discussions/11889#discussion-8886064
Samsung Patches 0-Day
Samsung released its monthly updates for its flagship phones fixing, among other vulnerability, an already exploited 0-day.
https://security.samsungmobile.com/securityUpdate.smsb
--------
6:42
--------
6:42
SANS Stormcast Monday, September 15th, 2025: More Archives; Salesforce Attacks; White Cobra; BSides Augusta
Web Searches For Archives
Didier observed additional file types being searched for as attackers continue to focus on archive files as they spider web pages
https://isc.sans.edu/diary/Web%20Searches%20For%20Archives/32282
FBI Flash Alert: Salesforce Attacks
The FBI is alerting users of Salesforce of two different threat actors targeting Salesforce. There are no new vulnerabilities disclosed, but the initial access usually takes advantage of social engineering or leaked data from the Salesdrift compromise.
https://www.ic3.gov/CSA/2025/250912.pdf
VSCode Cursor Extensions Malware
Koe Security unmasked details about a recent malicious cursor extension campaign they call White Cobra.
https://www.koi.security/blog/whitecobra-vscode-cursor-extensions-malware
BSides Augusta
https://bsidesaugusta.org/
--------
6:06
--------
6:06
SANS Stormcast Friday, September 12th, 2025: DShield SIEM Update; Another Sonicwall Warning; Website Keystroke Logging
DShield SIEM Docker Updates
Guy updated the DShield SIEM which graphically summarizes what is happening inside your honeypot.
https://isc.sans.edu/diary/DShield%20SIEM%20Docker%20Updates/32276
Again: Sonicwall SSL VPN Compromises
The Australian Government s Signals Directorate noted an increase in compromised Sonicwall devices.
https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/ongoing-active-exploitation-of-sonicwall-ssl-vpns-in-australia
Website Keystroke Logging
Many websites log every keystroke, not just data submitted in forms.
https://arxiv.org/pdf/2508.19825
Über SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
A brief daily summary of what is important in information security. The podcast is published every weekday and designed to get you ready for the day with a brief, usually 5 minute long, summary of current network security related events. The content is late breaking, educational and based on listener input as well as on input received by the SANS Internet Stormcenter. You may submit questions and comments via our contact form at https://isc.sans.edu/contact.html .
Österreich