SANS Stormcast Monday, December 1st, 2025: More ClickFix; Teams Guest Access; Geoserver XXE Vulnerablity
Fake adult websites pop realistic Windows Update screen to deliver stealers via ClickFix
The latest variant of ClickFix tricks users into copy/pasting commands by displaying a fake blue screen of death.
https://www.acronis.com/en/tru/posts/fake-adult-websites-pop-realistic-windows-update-screen-to-deliver-stealers-via-clickfix/
B2B Guest Access Creates an Unprotected Attack Vector
Users may be tricked into joining an external Teams workspace as a guest, bypassing protections typically enabled for Teams workspaces.
https://www.ontinue.com/resource/blog-microsoft-chat-with-anyone-understanding-phishing-risk/
Geoserver XXE Vulnerability CVE-2025-58360
Geoserver patched an external XML entity (XXE) vulnerability.
https://helixguard.ai/blog/CVE-2025-58360
--------
5:42
--------
5:42
SANS Stormcast Wednesday, November 26th, 2025: Attacks Against Messaging; Passwords in Random Websites; Fluentbit Vuln; #thanksgiving
Spyware Allows Cyber Threat Actors to Target Users of Messaging Applications
Spyware attacks messaging applications in part by triggering vulnerabilities in messaging applications but also by deploying tools like keystroke loggers and screenshot applications.
https://www.cisa.gov/news-events/alerts/2025/11/24/spyware-allows-cyber-threat-actors-target-users-messaging-applications
Stop Putting Your Passwords Into Random Websites Yes. Just Stop!
https://labs.watchtowr.com/stop-putting-your-passwords-into-random-websites-yes-seriously-you-are-the-problem/
Fluentbit Vulnerability
https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover
Happy Thanksgiving. Next podcast on Monday after Thanksgiving.
--------
6:07
--------
6:07
SANS Stormcast Tuesday, November 25th, 2025: URL Mapping and Authentication; SHA1-Hulud; Hacklore
Conflicts between URL mapping and URL based access control.
Mapping different URLs to the same script, and relying on URL based authentication at the same time, may lead to dangerous authentication and access control gaps.
https://isc.sans.edu/diary/Conflicts%20between%20URL%20mapping%20and%20URL%20based%20access%20control./32518
Sha1-Hulud, The Second Coming
A new, destructive variant of the Shai-Hulud worm is currently spreading through NPM/Github repos.
https://www.koi.ai/incident/live-updates-sha1-hulud-the-second-coming-hundred-npm-packages-compromised
Hacklore: Cleaning up Outdated Security Advice
A new website, hacklore.org, has published an open letter from former CISOs and other security leaders aimed at addressing some outdated security advice that is often repeated.
https://www.hacklore.org
--------
6:11
--------
6:11
SANS Stormcast Monday, November 24th, 2025: CSS Padding in Phishing; Oracle Identity Manager Scans Update;
Use of CSS stuffing as an obfuscation technique?
Phishing sites stuff their HTML with benign CSS code. This is likely supposed to throw of simple detection engines
https://isc.sans.edu/diary/Use%20of%20CSS%20stuffing%20as%20an%20obfuscation%20technique%3F/32510
Critical Oracle Identity Manager Flaw Possibly Exploited as Zero-Day
Early exploit attempts for the vulnerability were part of Searchlight Cyber s research effort
https://www.securityweek.com/critical-oracle-identity-manager-flaw-possibly-exploited-as-zero-day/
ClamAV Cleaning Signature Database
ClamAV will significantly clean up its signature database
https://blog.clamav.net/2025/11/clamav-signature-retirement-announcement.html
--------
4:59
--------
4:59
SANS Stormcast Friday, November 21st, 2025: Oracle Idendity Manager Scans; SonicWall DoS Vuln; Adam Wilson (@sans_edu) reducing prompt injection.
Oracle Identity Manager Exploit Observation from September (CVE-2025-61757)
We observed some exploit attempts in September against an Oracle Identity Manager vulnerability that was patched in October, indicating that exploitation may have occurred prior to the patch being released.
https://isc.sans.edu/diary/Oracle%20Identity%20Manager%20Exploit%20Observation%20from%20September%20%28CVE-2025-61757%29/32506
https://slcyber.io/research-center/breaking-oracles-identity-manager-pre-auth-rce/
DigitStealer: a JXA-based infostealer that leaves little footprint
https://www.jamf.com/blog/jtl-digitstealer-macos-infostealer-analysis/
SonicWall DoS Vulnerability
Sonicwall patched a DoS vulnerability in SonicOS
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0016
Adam Wilson: Automating Generative AI Guidelines: Reducing Prompt Injection Risk with 'Shift-Left' MITRE ATLAS Mitigation Testing
Über SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
A brief daily summary of what is important in information security. The podcast is published every weekday and designed to get you ready for the day with a brief, usually 5 minute long, summary of current network security related events. The content is late breaking, educational and based on listener input as well as on input received by the SANS Internet Stormcenter. You may submit questions and comments via our contact form at https://isc.sans.edu/contact.html .
Österreich