Hello and welcome to the Friday, July 11th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today's episode, which is brought to you by the SANS.edu Graduate Certificate Program in Penetration Testing and Ethical Hacking, is recorded in Jacksonville, Florida.

In diaries today we have yet again one of our undergraduate interns with the SANS.edu BACS program writing up an observation from a honeypot. This particular one comes from Sihui Neo and it does show how attackers are abusing, well, OpenSSH servers. In this case, weak passwords are typically used in order to penetrate the SSH server, but the attacker here is actually kind of leaving the SSH server alone. It's only using the SSH server to then set up SSH tunnels to other systems. And in this particular case, one of the top targets that attackers were after was a mail server with Yandex, Yandex being a large Russian ISP which also operates a very large webmail system. So they're probably going to send some kind of spam to this particular mail server. This is a rather common technique: to use a compromised SSH server as a proxy, essentially, to forward requests, which obfuscates the actual source of the attack. Sometimes they can also be sort of daisy-chained, where you have multiple proxies like this in order to further obfuscate the actual source of the attack. In the past, even nation-state actors have sometimes used this technique via compromised home systems, home routers and the like, in order to, again, obfuscate their tracks. And yet another reason why usually country blocks and the like are not really helping against any of the little bit more sophisticated attackers.

And then before I forget it again, I intended to cover this yesterday already, but, well, I didn't quite make it. FortiGuard released an advisory alerting its users of a critical vulnerability in the FortiWeb application. It's a SQL injection vulnerability, doesn't require any authentication to exploit, and provides the attacker with full access to the database. The CVSS score here is 9.6, underlining the criticality of this particular vulnerability. So please patch quickly. Haven't seen an exploit yet for it, but there may already be one out there. Haven't really looked that closely.

And then we also have an advisory for Ruckus Virtual SmartZone and Ruckus Network Director. That's the management component behind the Ruckus networking equipment. And this advisory comes from cert.org, not from Ruckus themselves, because, well, there are no patches available for these vulnerabilities. If you look at the list of vulnerabilities, they are pretty much sort of everything you expect from expensive network equipment, like hard-coded secrets and SSH keys that are well known and unauthenticated arbitrary file read. So remote code execution vulnerabilities. Pretty much anything you can sort of imagine. I think they sort of try to check off the OWASP Top 10 here to really give you good value for your money. Block access to these admin interfaces, that's always a good idea. So not just for Ruckus, for any equipment like this. Admin interfaces should never be exposed because they all tend to be pretty crappy.

And AMD released an advisory. Well, this one is about another issue with patches not being released. AMD has released an update that solves a TPM attestation failure issue with recent versions of Windows. The Trusted Platform Module is used to, well, in this example they mention, for example, with games to prevent cheating and the like. That's sort of where the attestation here comes in. The problem is that some motherboard manufacturers apparently didn't distribute the firmware update necessary to fix this attestation failure issue. And as a result, affected motherboards will show this behavior where you have problems with your Windows system that may not boot. And also with games, like it says here, not being properly able to validate the integrity of their software. There is a list here of the different versions of the firmware, what's vulnerable, what's not vulnerable here. And also hints how to test if your particular motherboard is vulnerable. If you run into this issue, there is a recovery method they're also outlining here, but it does require physical access to the system. So it isn't really all that easy. In particular, if you have BitLocker enabled, you sort of need your recovery key and the like in order to get your system working again.

Well, and that's it for today. So thanks again for listening. And next week, of course, I'll be at SANSFIRE in DC. If you run into me, I always keep some Internet Storm Center stickers on me. I'll also do a keynote on Wednesday, I believe. But double check once you're on site. Sometimes things sort of shift around a little bit or I just don't remember correctly. So thanks for listening and talk to you again on Monday. Bye.
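As an added defender-side example (not from the diary or the podcast), a small Python audit of an sshd_config for the settings that turn a password-guessed account into a tunnelling proxy of the kind the honeypot observed. Keyword defaults are taken from sshd_config(5); the two sample configs are constructed, and Match blocks are skipped as a simplification.

```python
import re

# OpenSSH defaults (sshd_config(5)) that apply when a keyword is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "permitopen": "any",
}

def parse_sshd_config(text):
    """Return the global (pre-Match) keyword -> value map, keywords lowercased.
    Like sshd, the first occurrence of a keyword wins.  Lines after the first
    Match block are skipped because they apply only conditionally."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)   # 'Key value' or 'Key=value'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                              # everything after is conditional
        settings.setdefault(key, value)        # first obtained value is used
    return settings

def effective(settings, key):
    return settings.get(key, DEFAULTS[key]).lower()

def tunnel_abuse_findings(text):
    """List the settings that let a brute-forced account be used purely as a
    forwarding proxy, leaving the server itself otherwise untouched."""
    cfg = parse_sshd_config(text)
    findings = []
    if effective(cfg, "passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: weak passwords remain the entry vector")
    if effective(cfg, "allowtcpforwarding") != "no":
        findings.append("AllowTcpForwarding not disabled: -L/-R/-D tunnels through this host are allowed")
        if effective(cfg, "permitopen") == "any":
            findings.append("PermitOpen any: forwarded connections may reach any host and port")
    if effective(cfg, "gatewayports") != "no":
        findings.append("GatewayPorts enabled: remote forwards are reachable from other hosts")
    return findings

# Constructed sample configs (not taken from the diary).
WEAK_CONFIG = "Port 22\nPermitRootLogin prohibit-password\n# forwarding left at defaults\n"
HARDENED_CONFIG = "PasswordAuthentication no\nAllowTcpForwarding no\nGatewayPorts no\nMatch User deploy\n    AllowTcpForwarding yes\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, tunnel_abuse_findings(cfg) or ["no tunnel-abuse findings"])
```

On a live host, `sshd -T` prints the effective configuration in the same keyword/value form and can be fed to the same functions.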