Hello and welcome to the Friday, December 12th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Engineering.

AI, of course, is the big issue that everybody is worried about and playing with these days. And well, as a first touch point, you usually just use one of the public models like ChatGPT and such to get a little bit of experience with what these tools can do. But it can be quite intimidating to go a step further and try to run some of these models locally and play, sort of in a more intimate atmosphere, with these particular models. Well, Guy now wrote up a quick diary showing how to install Gemma 3 on a reasonably small home computer. In this particular case, he used one of the new Ryzen chips in one of those mini computers that have become quite popular these days for home labs, and shows a couple of the pitfalls here, some of the problems that he ran into trying to make this all run in the Proxmox virtualization environment and how to configure it. And then in the end, also how to use these tools. Certainly an interesting experiment and something that gives you a little bit more insight into how these tools sort of work on the backend.

And then we do have an update for Chrome with yet another already exploited vulnerability being addressed here. And this vulnerability was, well, by some described a little bit, sort of, as a mystery vulnerability. And it's certainly a little bit of an odd one in that there is no CVE number for this vulnerability. There's also absolutely no detail on what it's all about. Now, Google usually at least sort of has these one-liners that describe a little bit something about the vulnerability. But here it just says that it's under coordination. What I believe is happening here, and that's where the coordination part comes from, is that this particular vulnerability likely affects not just Google Chrome; there are likely either other browsers, or maybe it's one of the underlying libraries that's vulnerable here and is being exploited. So what's possibly happening is that they first need to coordinate with other vendors who are also affected by this issue before they're going to release any additional details and before a CVE number will be assigned. It also doesn't state who actually reported this vulnerability. So it will be interesting. Maybe next week we'll learn more about this vulnerability. Until then, just keep Chrome updated.

Well, this week we already had a couple of SOAP-related stories. We have now one more from watchTowr Labs, and that's SOAPwn, or SOAP Pwn, however you pronounce this, which is, I think, sort of a must-read article for anybody who is developing in .NET. Also, pen testers probably want to take a close look at this. The problem here is a fundamental weakness in how .NET deals with HTTP requests, or URL requests I should say, and how this may actually lead in some cases to arbitrary file write or even to remote code execution vulnerabilities, in particular as SOAP is being implemented. So SOAP is the enterprise API language. And one of the problems here is that if an attacker can control the URL that a user is connecting to, and if this URL starts with "file", so it's actually referencing a file, not like an HTTP web page, well, .NET has different classes that it uses to deal with these requests, and they may be cast into one another, which then results in the user actually writing files on the server instead of, well, just requesting or posting some data from an HTTP API, which is interesting. And in some cases that watchTowr shows here, for example, they have a proof-of-concept exploit for this vulnerability in a Barracuda system. Well, it is exploitable. The tricky part here is it really depends on how a developer implemented these particular APIs. Microsoft is not thinking about fixing this problem. They're saying it's really more a problem in how users are using their tools, so not so much a problem with how these tools are working. watchTowr here is disagreeing with this a little bit, but still, you know, as an internet developer, you definitely should be aware of this and should take a look at what watchTowr is demonstrating.

And then we got a report from CISA summarizing some recent activity by pro-Russian hacktivists. Now, hacktivists, of course, are not necessarily state-sponsored actors, but more individuals who do it out of, well, the good or bad of their own heart. What I sort of thought is interesting about this report is it's labeled as being about global critical infrastructure. And when we're talking global critical infrastructure, we are thinking about, you know, power systems and things like this. That's part of the report, but it also covers attacks against some smaller businesses, basically factories and such that may not necessarily see themselves as sort of operating big OT networks and being part of critical infrastructure, but have many of the same vulnerabilities, maybe more so because of the less mature IT and security organization that you often find in these smaller companies. So definitely worthwhile looking at this, in particular if you are working for any kind of manufacturing company that, for example, does have sensors and the like that are remotely accessible and could potentially affect your production line, for example.

Well, and this is it for today. So thanks for listening. Thanks for liking, subscribing. And I saw a couple of you did leave comments in Apple's podcast app. So thanks a lot for that, and talk to you again on Monday. Bye.
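The .NET behaviour described in the SOAPwn segment, as an added illustration that is not from the podcast or from watchTowr's write-up: `WebRequest.Create()` chooses its concrete class from the URL scheme, so an attacker-controlled "file:" endpoint yields a `FileWebRequest` whose request stream writes to the local file system. The vulnerable pattern is shown next to a hardened version; the class name `SafeEndpoint` and the sample path are assumptions for this example.

```csharp
using System;
using System.Net;

public static class SafeEndpoint
{
    // Returns the parsed endpoint only if it is an absolute http/https URL.
    // Uri.Scheme is normalised to lower case, so "FILE:" and "file:" both fail here.
    public static Uri RequireHttp(string endpoint)
    {
        if (!Uri.TryCreate(endpoint, UriKind.Absolute, out var uri))
            throw new ArgumentException("Endpoint must be an absolute URL.");

        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException($"Refusing non-HTTP scheme '{uri.Scheme}'.");

        return uri;
    }

    // Vulnerable pattern: a configurable endpoint goes straight into
    // WebRequest.Create(). With a constructed value such as
    // "file:///var/www/app/out.txt" the factory returns a FileWebRequest and the
    // POST body is written to that path on the server instead of sent over HTTP.
    public static void PostUnchecked(string endpoint, byte[] body)
    {
        WebRequest req = WebRequest.Create(endpoint);
        req.Method = "POST";
        using (var s = req.GetRequestStream()) s.Write(body, 0, body.Length);
        using (req.GetResponse()) { }
    }

    // Hardened pattern: validate the scheme before the factory call, and request
    // an HttpWebRequest explicitly. If the scheme check were ever bypassed, the
    // cast throws InvalidCastException rather than silently writing a file.
    public static void PostChecked(string endpoint, byte[] body)
    {
        Uri uri = RequireHttp(endpoint);
        var req = (HttpWebRequest)WebRequest.Create(uri);
        req.Method = "POST";
        using (var s = req.GetRequestStream()) s.Write(body, 0, body.Length);
        using (req.GetResponse()) { }
    }
}
```

The same scheme check belongs in front of any generated SOAP client whose `Url` property is taken from configuration or user input, since those proxies build their requests through the same factory.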