Hello and welcome to the Friday, October 24th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in incident response.

Infostealers for Android written in Python. Apparently, that's a thing and Xavier came across an example. This particular infostealer takes advantage of Termux, a terminal emulator that is available for Android. This terminal emulator also includes utilities that allow you to access things like, for example, the address book and such from Android. And that then produces simple-to-parse JSON formatted output. And that is being exfiltrated by this infostealer. Xavier isn't sure how sort of the entire infection chain starts here in order to run the infostealer. The victim essentially already has Termux running. It's possible that the attacker uses social engineering or essentially just counts on victims that already have these tools installed on their Android phone.

An e-commerce security company, Sansec, has observed the active exploitation of a recently patched Adobe Commerce vulnerability. Adobe Commerce, also known as Magento, is an e-commerce application to always focus on when we have Adobe patches because in the past, vulnerabilities in this application have repeatedly been abused and have been exploited. So no big difference here for this vulnerability. It also goes by the name of SessionReaper. The problem is that an attacker is able to basically create a malicious session and then take advantage of a deserialization vulnerability that will then execute arbitrary code. Proof-of-concept code has been made available, has been made public. So it's no big surprise here that this vulnerability is actively being exploited. Sansec also states that only about a third, 38%, of stores have actually applied the patch that was released five weeks ago. This particular patch was released out of order as an emergency patch. It was not released as part of the Patch Tuesday update that I usually mention here in the podcast.

Then we have a vulnerability that just doesn't seem to go away and that's DNS spoofing. It comes back like every few years, this time in the form of a weak random number generator. Today it's the Internet Systems Consortium, which is behind the name server BIND, as well as the Unbound project, a recursive server you often see being used in firewalls and gateways and the like. The problem here is that due to the flaw in the pseudorandom number generator used to create random numbers to select ports and query IDs, it is possible to actually predict both to some extent and then, well, conduct spoofing attacks. Not really clear how easy it is. Both flaws, Unbound as well as BIND, were reported by researchers out of Israel. Haven't seen sort of any paper or so yet where they discuss the exact nature of the flaw. I hope they give us all some time to apply patches if it's really severe. If it's just sort of making it more likely to exploit the vulnerability, then it may not be such a big deal. Because, well, if it takes 4 billion or 40 billion packets or whatever it takes with a good random number generator, it probably is still not a very likely attack to see exploited. DNSSEC is, of course, always a good idea to prevent spoofing, but adoption of that is not really sort of at the forefront of most enterprises.

And then we do have a proof-of-concept exploit for a rather nasty Windows Server Update Services remote code execution vulnerability. This vulnerability was patched a week ago, a little more than a week ago, as part of the October Microsoft Patch Tuesday. The vulnerability is rather straightforward to exploit. It's one of those deserialization vulnerabilities, and it affects the cookie parameter. Now, this is not a cookie header. This cookie, this authorization cookie, is sent as part of a SOAP payload in this particular case. But the effect is the same. It does allow object code execution. And with this proof-of-concept now exactly explaining how to take advantage of this vulnerability, well, you better get your servers patched now.

Well, and this is it for today. Remember, Saturday morning I'll be speaking in Augusta at the BSides conference. So, hope to see some of you there. And that's it for today. Thanks for liking and subscribing to this podcast. And talk to you again on Monday. Bye.
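The DNS spoofing item in this episode hinges on whether a resolver's UDP source ports and 16-bit query IDs are actually unpredictable. The Python script below is an added example, not from the podcast, from ISC or from the Unbound project, of a screening check a defender can run on (source port, query ID) pairs captured from their own resolver's outbound queries. It measures the empirical entropy of each field against what a uniform source would show for that many samples, and separately checks whether consecutive values differ by a constant, which catches a counter or fixed-increment generator that looks perfectly random to an entropy measurement. The `good_resolver_samples` and `weak_resolver_samples` generators are constructed stand-ins for captured data, and the thresholds in `assess` are assumptions chosen for illustration, not a published standard.

```python
import math
import random
from collections import Counter

PORT_MIN, PORT_MAX = 1024, 65535   # ephemeral range a resolver should draw from
TXID_SPACE = 65536                 # a DNS query ID is 16 bits


def shannon_entropy_bits(values):
    """Shannon entropy (in bits) of the empirical distribution of values."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def ideal_entropy_bits(n_samples, domain_size):
    """Entropy a uniform source would show, bounded by both the number of
    samples and the size of the value space."""
    return math.log2(min(n_samples, domain_size))


def constant_delta_fraction(values, modulus):
    """Share of consecutive pairs whose (b - a) mod modulus equals the single
    most common difference. Close to 1.0 means a counter or fixed-increment
    generator. This is a screening test only: it will not expose every weak
    PRNG (a full LCG with a multiplier, for instance)."""
    if len(values) < 2:
        return 0.0
    deltas = [(b - a) % modulus for a, b in zip(values, values[1:])]
    _, top_count = Counter(deltas).most_common(1)[0]
    return top_count / len(deltas)


def assess(samples, entropy_ratio_min=0.9, delta_fraction_max=0.5):
    """samples: list of (source_port, query_id) pairs in the order they were
    sent. Thresholds are assumptions chosen for illustration."""
    if not samples:
        raise ValueError("need at least one (port, query_id) sample")
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    n = len(samples)
    report = {
        "port_entropy": shannon_entropy_bits(ports),
        "port_entropy_ideal": ideal_entropy_bits(n, PORT_MAX - PORT_MIN + 1),
        "port_delta_fraction": constant_delta_fraction(ports, TXID_SPACE),
        "txid_entropy": shannon_entropy_bits(txids),
        "txid_entropy_ideal": ideal_entropy_bits(n, TXID_SPACE),
        "txid_delta_fraction": constant_delta_fraction(txids, TXID_SPACE),
        "ports_out_of_range": sum(1 for p in ports if not PORT_MIN <= p <= PORT_MAX),
    }
    report["weak"] = (
        report["port_entropy"] < entropy_ratio_min * report["port_entropy_ideal"]
        or report["txid_entropy"] < entropy_ratio_min * report["txid_entropy_ideal"]
        or report["port_delta_fraction"] > delta_fraction_max
        or report["txid_delta_fraction"] > delta_fraction_max
    )
    return report


def good_resolver_samples(n, seed=1):
    """Constructed stand-in for a resolver with a sound generator. Seeded so
    the example is reproducible; a real resolver should use a CSPRNG."""
    rng = random.Random(seed)
    return [(rng.randint(PORT_MIN, PORT_MAX), rng.randrange(TXID_SPACE))
            for _ in range(n)]


def weak_resolver_samples(n):
    """Constructed stand-in for a resolver that reuses one source port and
    hands out query IDs from a simple counter."""
    return [(32768, (0x1234 + i) % TXID_SPACE) for i in range(n)]


if __name__ == "__main__":
    for name, samples in (("good", good_resolver_samples(2000)),
                          ("weak", weak_resolver_samples(2000))):
        r = assess(samples)
        print(f"{name}: weak={r['weak']} "
              f"port_entropy={r['port_entropy']:.2f}/{r['port_entropy_ideal']:.2f} "
              f"txid_entropy={r['txid_entropy']:.2f}/{r['txid_entropy_ideal']:.2f} "
              f"txid_delta_fraction={r['txid_delta_fraction']:.2f}")
```

To run it against a real resolver, capture its outbound port 53 queries (for example with tcpdump) and feed the source port and transaction ID of each packet, in order, as `(port, txid)` tuples. The weak sample shows why both measurements are needed: its counting query IDs are all distinct, so their entropy is exactly the ideal value, and only the constant-delta check flags them.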