Hello and welcome to the Friday, October 31st, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. This episode is brought to you by the SANS.edu graduate certificate program in cybersecurity leadership.

This week I noticed some new HTTP request headers in our honeypot logs, and these HTTP request headers are related to bug bounty programs. There is an X-Request-Purpose header, whose value is just "research", and then there are also specific headers for specific bug bounty programs like HackerOne and Bugcrowd. There are a couple of bug bounties that I was able to find that actually ask researchers to use these specific headers. As always, when you talk about request headers like this, nothing is guaranteed. It's very easy, of course, for someone to impersonate a researcher using those headers, and there is no guarantee that researchers will actually use these headers as they conduct scans for their bug bounty research. I assume that companies participating in these bug bounty programs try to use these headers to figure out how many of the requests they're seeing are related to bug bounties, and at least to be able to notify well-behaved researchers, the ones actually using the correct headers, in case something is going wrong, like a denial of service, so they can reach out to the researcher and ask them to stop or throttle their scans as necessary. It's an interesting curiosity, but I think the value of it is overall limited, and it is certainly nothing that should be used to decide whether or not to filter certain requests.

And Proton, the company behind the Proton email service as well as Proton VPN, has now come up with an interesting new project: the Data Breach Observatory. The goal of this Data Breach Observatory is to shed light on breaches that may not have been reported to the public, or where the breached entity itself is unaware that it got breached. They have the initial website up, and so far they have about 800 breaches listed. They say the top businesses they're seeing exposed here are retail in particular, but also small and medium-sized businesses, which I believe are common targets. Of course, small and medium-sized businesses in particular may either not have the capability to actually detect the attack and the breach, or they may feel like they can sort of slip under the radar. In the past, sadly, I've often observed that actually the best thing a company can do is not to talk about the breach, because then the news won't pick up on it, in particular for smaller companies like this, and the breach will overall go unnoticed without too much impact on the company itself. So, an interesting approach here. They claim they're looking at various dark web sources in order to compile that data. We'll have to see how it all works out, and I hope that they are, at the very least, notifying and contacting any organizations they find breached here.

Government cybersecurity agencies from the US, Canada, and Australia have collaborated on a pretty neat document: Microsoft Exchange Server Security Best Practices. The document is not very in-depth; it sort of just covers different topics that you should consider as you are configuring and maintaining Exchange. But the real value I find in this document is the long list of references, which then leads you to additional guidelines on how to accomplish some of the suggested things, like configuring authentication correctly, enabling Kerberos, and doing all the other good things with a Microsoft Exchange server. It has been a huge target in the past. Of course, one of the items on the list is also to make sure that you're not using an end-of-life version of Microsoft Exchange, which, of course, we just had the issue with, where 2019 and such became end-of-life with the last Microsoft Patch Tuesday.

And then we have a new patch for users of MOVEit Transfer. The reason I mention it today is that this is probably something that you may want to get a handle on before the weekend. MOVEit has been the target of compromise in the past and has been used to compromise networks for ransomware and the like. There is very little detail about this vulnerability. It just speaks of an uncontrolled resource consumption vulnerability. It does imply that it's possible to execute arbitrary code with this vulnerability. It's likely sort of one of those webshell-style vulnerabilities where you can upload a webshell and execute it. Hard to tell whether or not it requires authentication. They did assign it a CVSS score of 8.2, which is high, not critical. Still something that you probably want to get ahead of; follow Progress's guidance on how to address this vulnerability.

Well, and that's it for today. So thanks again for listening. Thanks for liking and subscribing to this podcast. And as always, talk to you again on Monday.
Bye.
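As an added example, not part of the Stormcast episode and not ISC tooling, here is a small Python script in the spirit of the header discussion above: it tags honeypot or web-server requests that carry bug-bounty research headers so they can be counted per program and the claimed researcher can be contacted, while never turning the header into an allow or deny decision, since anyone can send it. The X-Request-Purpose: research header is the one named in the episode; the program-specific header names X-HackerOne-Research and X-Bug-Bounty, the JSON-lines log format, and the sample records are all assumptions constructed for this example.

```python
"""Tag (never filter) web requests carrying bug-bounty research headers.

Added example; not from the ISC episode. Log records are constructed
JSON lines with a "headers" dict, as a simple honeypot might emit.
"""
import json
from collections import Counter, defaultdict

# X-Request-Purpose is mentioned in the episode. The two program-specific
# names are ASSUMPTIONS (common conventions), not facts from the page.
RESEARCH_HEADERS = {
    "x-request-purpose": "generic",
    "x-hackerone-research": "HackerOne",
    "x-bug-bounty": "Bugcrowd",
}

# Constructed sample honeypot records (documentation IPs, not real traffic).
SAMPLE_LOG = """\
{"src": "203.0.113.10", "method": "GET", "path": "/.env", "headers": {"Host": "hp.example", "X-Request-Purpose": "research", "X-HackerOne-Research": "alice"}}
{"src": "203.0.113.10", "method": "GET", "path": "/wp-login.php", "headers": {"Host": "hp.example", "X-HackerOne-Research": "alice"}}
{"src": "198.51.100.7", "method": "POST", "path": "/api/login", "headers": {"Host": "hp.example", "x-bug-bounty": "bob"}}
{"src": "192.0.2.44", "method": "GET", "path": "/admin", "headers": {"Host": "hp.example"}}
{"src": "192.0.2.99", "method": "GET", "path": "/etc/passwd", "headers": {"Host": "hp.example", "X-Request-Purpose": "research"}}
"""


def classify(record):
    """Return (programs, claimed_ids) for one record.

    Header names are matched case-insensitively because HTTP header names
    are. The value is only a CLAIM: anyone can send these headers, so the
    result is attribution for reporting and outreach, never a trust decision.
    """
    programs, ids = [], []
    for name, value in record.get("headers", {}).items():
        tag = RESEARCH_HEADERS.get(name.lower())
        if tag is None:
            continue
        if tag == "generic":
            # Only the value the episode describes counts as a research flag.
            if str(value).strip().lower() == "research":
                programs.append("generic")
        else:
            programs.append(tag)
            ids.append((tag, str(value).strip()))
    return programs, ids


def summarize(log_text):
    """Aggregate research-tagged requests overall and per source IP."""
    summary = {
        "total": 0,
        "tagged": 0,
        "by_program": Counter(),
        "by_source": defaultdict(
            lambda: {"requests": 0, "tagged": 0, "claimed_ids": set()}
        ),
    }
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed honeypot line: skip it rather than crash
        summary["total"] += 1
        src = summary["by_source"][rec.get("src", "?")]
        src["requests"] += 1
        programs, ids = classify(rec)
        if programs:
            summary["tagged"] += 1
            src["tagged"] += 1
            summary["by_program"].update(programs)
            src["claimed_ids"].update(ids)
    return summary


def outreach_list(summary):
    """Sources that claimed a researcher ID, e.g. to ask them to throttle a
    noisy scan. Sources sending only the generic header have nobody to
    contact, so they are counted but not listed here."""
    return sorted(
        (src, sorted(info["claimed_ids"]))
        for src, info in summary["by_source"].items()
        if info["claimed_ids"]
    )


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['tagged']} of {s['total']} requests carry research headers")
    print("by program:", dict(s["by_program"]))
    for src, ids in outreach_list(s):
        print(f"{src}: claimed {ids}")
```

The output is meant for a dashboard or a notification queue, which matches the two uses the episode speculates about (counting bounty-related traffic and reaching well-behaved researchers). Nothing here feeds a WAF rule: a request tagged "research" still gets the same logging and blocking treatment as any other, because the header is unverifiable.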