Hello and welcome to the Friday, July 25th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu undergraduate certificate program in cybersecurity fundamentals.

Jim's diary today is about a new tool that he wrote. Well, it's really sort of a rewrite of an older tool. There used to be a tool, and it's still around, fcheck.pl. It's a simple file integrity check tool. The only problem with it is, well, it's old, but it's also written in Perl. And sadly, Perl is fading away a little bit, and this tool no longer ran well on modern Linux distributions. Now, instead of spending the time on fixing the older tool, which again relies on Perl, Jim decided to take a more modern approach and rewrite the tool in Python. It works fast, it performs well, and it still uses the old configuration file, so it should be a pretty simple drop-in replacement.

File integrity checking, of course, is always an important part of incident response and also of detection. There are lots of other tools. Tripwire is sort of one of the original commercial tools here. AIDE is in a lot of Linux distributions. OSSEC, and with that tools like Wazuh, also do file integrity checks. But sometimes it's nice to have sort of a little Python script like this to just drop on a system and do some quick investigation, maybe excluding some files during an investigation by determining that they have not been altered, if you have a good configuration file for that particular system.

Well, and
then a quick update on SharePoint. Nothing really fundamentally new or different here. The one thing that's happening now, that we're seeing in our honeypots, is that more and more scans are attempting to hit some of the web shell backdoors that have been left behind. I consider them parasitic scans. They're basically looking for already compromised systems and trying to take advantage of them. Some of them are also just guessing file names. For example, one of the early file names being installed, or being used for the backdoor that revealed the machine key, was spinstall1.aspx. Well, they're now just varying the number, seeing what happens there. Also, one interesting one I saw here is error404.1.aspx. Maybe someone is trying to fit in with some sort of normal files on the server in order to maybe trick an investigator into missing a particular backdoor. But that's sort of expected for these kinds of attacks, where after a day or so we have parasitic attacks that just look for backdoors left behind by earlier attacks.

And well, then a couple of patches or
vulnerabilities that you should be aware of ahead of the weekend. The first one is in Mitel's MX-ONE product. It's an authentication bypass that could allow an attacker to get full user admin access to the system, which of course is used to basically manage part of your voice over IP infrastructure. So if you're using Mitel equipment, make sure that if you also use MX-ONE, it's properly patched and up to date. It's also one of those systems, and Mitel mentions that in its mitigation section, that you shouldn't really expose to the internet. And well, anyway, just keep it patched, keep it locked down and away from any user that's not supposed to connect to it, even internally, if possible.

And if you are using SonicWall's
SMA100 product line, there is also a critical update for you. Now, I was a little bit on the fence about whether or not I should cover this particular vulnerability. It does have a high CVSS score of 9.1. However, it does require admin credentials in order to exploit the vulnerability. The reason I decided to actually cover it is that we just had a story last week from Google's Threat Analysis Center that they have observed a lot of compromises of SMA100 devices using stolen credentials. And this would be sort of the vulnerability that you would use then in order to gain persistent access to the device, beyond just adjusting a couple of configuration settings. So that's why you probably should take this vulnerability seriously. And well, if you run any device like this, let's just say if you run any SonicWall device, just take that as a quick reminder to double-check that the firmware is up to date.

Well, and that's it for today. Thanks for liking. Thanks for subscribing. Thanks for leaving good reviews on your favorite podcast platform. That's it for this week. And thanks for listening, and talk to you again on Monday. Bye-bye.
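A minimal baseline-and-verify file integrity checker, added here as an illustration of the technique the diary segment describes; it is not fcheck.pl and not Jim's rewrite. It records the SHA-256, permission bits, owner and size of every regular file under a root, skips paths matching exclusion globs (the role a per-system configuration file plays, so that files expected to change, such as logs, do not produce noise), and reports added, removed and modified files with the attribute that changed. The directory layout, file contents, exclusion pattern and tamper scenario in `demo()` are all constructed for the example.

```python
"""Minimal baseline/verify file integrity check (illustrative; not fcheck.pl)."""
import hashlib
import json
import os
import stat
import tempfile
from fnmatch import fnmatch


def hash_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root, excludes=()):
    """Map relative path -> attributes for every regular file under root.

    lstat (not stat) plus the S_ISREG check means symlinks, sockets and
    devices are skipped rather than hashed as if they were the target file;
    os.walk does not follow symlinked directories by default.
    """
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(fnmatch(rel, pat) for pat in excludes):
                continue
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            snap[rel] = {
                "sha256": hash_file(full),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
            }
    return snap


def save_baseline(snap, path):
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Diff two snapshots; for modified files, list which attributes differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k, v in baseline[rel].items() if current[rel].get(k) != v]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario (not real data): baseline a toy tree, tamper, verify."""
    excludes = ["var/log/*"]  # logs are expected to change; the config would list these
    # The baseline is kept OUTSIDE the tree being checked (in real use: off-host
    # or on read-only media), otherwise an attacker can simply rewrite it.
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        def write(rel, data, mode=0o644):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            os.chmod(full, mode)

        write("bin/ls", b"ELF...original")
        write("etc/shadow", b"root:$6$...:20000:0:99999:7:::\n", 0o600)
        write("sbin/auditd", b"ELF...auditd")
        write("var/log/syslog", b"Jul 25 00:00:01 host boot\n")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root, excludes), baseline_path)

        # Tamper: same-size trojan of bin/ls (a size-only check would miss it),
        # shadow made world-readable, auditd removed, a cron job dropped, and an
        # excluded log appended to (must NOT be reported).
        write("bin/ls", b"ELF...tampered")
        os.chmod(os.path.join(root, "etc/shadow"), 0o644)
        os.remove(os.path.join(root, "sbin/auditd"))
        write("etc/cron.d/backdoor", b"* * * * * root /tmp/.x\n")
        with open(os.path.join(root, "var/log/syslog"), "ab") as f:
            f.write(b"Jul 25 00:00:02 host more noise\n")
        return compare(load_baseline(baseline_path), snapshot(root, excludes))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two things worth noting when using something like this during an investigation: the baseline is only as trustworthy as where it was stored, and a report of "unchanged" for a file is only meaningful if the baseline predates the suspected compromise (a baseline taken from a clean install or package manifest is the usual answer).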
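Detection logic for the parasitic scans described in the SharePoint segment, added as an illustration; it is not ISC honeypot code. It parses access-log lines in a simplified, constructed format, flags requests for the backdoor file names the episode mentions (spinstall with a varied number, error404.1.aspx), treats a 200 response to such a name as a sign the backdoor is actually present rather than merely being probed for, and groups per-source requests that enumerate numbered variants of one file name. The sample log lines, their format, the `/_layouts/15/` directory in the paths and the variant threshold are all assumptions made for the example.

```python
"""Flag parasitic web-shell probes in access logs (illustrative; constructed data)."""
import re
from collections import defaultdict

# File names mentioned in the episode: spinstall<N>.aspx with the number varied,
# and error404.1.aspx (a name chosen to blend in with normal error pages).
KNOWN_PROBES = re.compile(r"^(?:spinstall\d+|error404(?:\.\d+)?)\.aspx$", re.IGNORECASE)

# Strip a numeric suffix ("spinstall7.aspx" -> "spinstall.aspx") to group variants.
NUMBER_SUFFIX = re.compile(r"[\d.]+\.aspx$", re.IGNORECASE)

# Simplified, constructed log format: <timestamp> <client-ip> <method> <path> <status>
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample data; the directory in the paths is an assumption.
SAMPLE_LOG = """\
2025-07-24T10:01:02Z 203.0.113.5 GET /_layouts/15/spinstall1.aspx 404
2025-07-24T10:01:03Z 203.0.113.5 GET /_layouts/15/spinstall2.aspx 404
2025-07-24T10:01:04Z 203.0.113.5 GET /_layouts/15/spinstall3.aspx 200
2025-07-24T10:05:00Z 198.51.100.7 GET /_layouts/15/error404.1.aspx?x=1 404
2025-07-24T10:06:00Z 192.0.2.9 GET /sites/team/default.aspx 200
this line is not in the expected format
"""


def parse(line):
    """Return a record dict for one log line, or None if it does not parse."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, src, method, path, status = m.groups()
    path = path.split("?", 1)[0]  # match on the file name, not the query string
    return {"ts": ts, "src": src, "method": method, "path": path,
            "name": path.rsplit("/", 1)[-1], "status": int(status)}


def analyze(lines, min_variants=3):
    """Return findings: known-probe hits (200 => critical) and per-source enumeration."""
    findings = []
    variants = defaultdict(set)  # (src, stem) -> set of file names requested
    for rec in filter(None, map(parse, lines)):
        if KNOWN_PROBES.match(rec["name"]):
            findings.append({
                "kind": "known_backdoor_probe",
                "src": rec["src"], "path": rec["path"], "status": rec["status"],
                # A 200 means the file exists: the host was likely already compromised.
                "severity": "critical" if rec["status"] == 200 else "info",
            })
        stem = NUMBER_SUFFIX.sub(".aspx", rec["name"])
        if stem != rec["name"]:  # only names that carried a numeric suffix
            variants[(rec["src"], stem)].add(rec["name"])
    # A source walking spinstall1, spinstall2, ... is guessing, whatever the names.
    for (src, stem), names in sorted(variants.items()):
        if len(names) >= min_variants:
            findings.append({"kind": "numbered_variant_enumeration", "src": src,
                             "stem": stem, "names": sorted(names), "severity": "warning"})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
```

The name list is deliberately short and will go stale; the numbered-variant heuristic is what catches the "just vary the number" behaviour without knowing the next name, and the status-code split is what turns a noisy probe list into the one line an investigator needs first: a 200 for a backdoor name means the file is there.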