Hello and welcome to the Friday, December 5th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Dallas, Texas. And this episode is brought to you by the SANS.edu graduate certificate program in cloud security.

In diaries today we do have one of our undergraduate interns again, Jackie Nguyen, talking about one of the attack observations that she retrieved from her honeypot. In this particular case, well, we have an SSH scan. So the initial entry vector here was a weak username and password. What made this a little bit interesting is that the request appeared to come from an Indonesian government system. Then, of course, the question is always, can you somehow imply intent if such an address is used? Well, Jackie here looked closer at the particular sample. It was fairly standard, sort of a standard SSH worm that we have so many of. So her conclusion here was that this was not actually any kind of government-organized or attributable event, but instead likely just another compromised system that just happened to be inside this particular government's network. Of course, packets themselves usually don't speak to intent. We would have to observe more of what the particular attacker actually did afterwards, but in this case, it didn't really look like it was anything special. In the past, some government actors, for example, have used similar techniques to attack home routers and the like, in order to then build more sophisticated attack networks.

Well, just a quick update on the React vulnerability. There are now working proof-of-concept exploits out there that have been verified and that can easily be adjusted in order to launch arbitrary code on vulnerable systems. So at this point, if you find a vulnerable system, assume compromise. We don't see widespread exploitation yet in our honeypots. However, it's not that hard to, you know, first scan for vulnerable systems, or possibly vulnerable systems, and then just hit those specific systems. So again, assume compromise. For any guidance on how to figure out whether your particular system is vulnerable or not, the first stop should be the React blog post. There are a number of people that have published scanning scripts, either host-based or network-based. As usual, be careful what software you're downloading and what you're running, and do download these scripts only from what you consider a reputable source. Also, various standard vulnerability scanners have included modules to look for this particular vulnerability.

And in the past, I've spoken quite frequently about vulnerabilities in VPN gateways. Well, we have yet another one. But here, for a change, it's not sort of one of these big-name brands we have been talking about so often. The Japanese CERT in this particular case is warning about ongoing active exploitation of a recently patched vulnerability in the Array Networks Array AG series VPN gateway. I'm personally not familiar with this particular gateway. And the main reason I cover it here is that it's not just the big-name brands that you always see in the news that have these vulnerabilities. It's smaller players as well. In this particular case, it appears to be some kind of PHP vulnerability. And as so often, the attacker uses that then to upload a web shell to the gateway. So definitely make sure that you're patched. And if your VPN gateway wasn't in the news recently, it's still a good idea to double-check that you are up to date.

Well, and that's it for today. Thanks for listening. Thanks for subscribing. And thanks for liking this podcast. And as always, special thanks if you're leaving a good comment on your favorite podcast platform. Talk to you again on Monday. Bye.