Hello and welcome to the Friday, September 26, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, recording today from Las
Vegas, Nevada. And this episode is brought to you by
the SANS.edu Graduate Certificate Program in
Industrial Control System Security. Our honeypots
registered an increase in scans for files in the
.well-known directory, and the URLs look like they're probably
looking for web shells. The .well-known directory is of
course, in Unix, hidden with the dot at the beginning
of the name of the directory, but it is commonly used for
information files like security.txt or also to
confirm the ownership of a website with the ACME protocol
if you're using the web-based authentication for this
protocol to obtain certificates. Probably best to
keep an eye on this directory. If anybody finds an
interesting web shell there, would love to take a quick
look at what this web shell does, but not necessarily
expecting anything super sophisticated or different
here. Well, and then we got more news from Cisco.
Yesterday I mentioned the already exploited SNMP
vulnerability. It wasn't really all that exciting
because in order to exploit that vulnerability, you must
already have admin credentials. But we now have
two additional vulnerabilities that apparently are also
already being exploited and some say the exploitation goes
about one year back. The first vulnerability is really
critical. It does allow for arbitrary code execution on
the ASA, that's the Adaptive Security Appliance, as well as on
FTD, the Firepower Threat Defense. And in order to
exploit this vulnerability, an attacker just needs normal VPN
credentials as any user. So that's something that's likely
much easier to obtain. And then via the VPN website,
they're then able to compromise the device and
execute code as root. So this is not exactly like a 10.0
vulnerability in the CVSS score, but certainly something
that doesn't require a lot of prerequisites, just the VPN
access and any credentials. The second
vulnerability is rated as medium and is, well, only an
authentication bypass, but does allow an attacker to
access URL endpoints that shouldn't really be accessible
without authentication. Patches have been made
available, but given that the vulnerability has already been
exploited now for a while, it's advisable that you double
check that your device has not already been compromised.
Cisco, in addition to these advisories, also released a
write-up on the attacks that they have seen. So has CISA.
The attacks apparently have so far been more targeted and
limited, so not widespread. And so far, there's a good
chance that you haven't been hit yet, but we all know that
once things like this get public and are being patched,
we may see more exploitation pretty soon. And Microsoft
published an analysis of the latest variations of what
they're calling the XCSSET malware. This is an
infostealer targeting developers using Xcode, so Mac
developers. One of the tricky things about this particular
infostealer is that it does infect projects the developer
is working on, and then also spreads by other developers
importing these projects into Xcode. So this basically
targets, again, developers. It also appears to be targeting
mostly cryptocurrency users. One of the more prominent
payloads in this malware does watch the clipboard, and if it
does detect any cryptocoin-related information, it will
exfiltrate it. Just a side note here, there's also
ongoing news about various phishing attacks against PyPI
and other developer groups. So be aware, developers are still
a big target. And watchTowr analyzed the latest Fortra GoAnywhere
MFT vulnerability. I've mentioned it in a prior
podcast. They also took a look at some of the exploits that
are being used against this vulnerability in the wild, and
list a number of indicators of compromise. So if you're using
this product, this is very helpful in order to make sure
that you haven't already been a victim as you are patching
this vulnerability. Well, and this is it for today. So
thanks again for listening. Thanks for liking and
recommending this podcast. As always, also special thanks
for leaving good comments in the podcast.
I'll see you next time. Bye.
Bye.
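The advice above to keep an eye on the .well-known directory, turned into a defender-side check; this is an added example, not code from the Internet Storm Center, and the allowlist, the script-marker bytes and the assumed minimum ACME token length are my assumptions:

```python
import re
import tempfile
from pathlib import Path

# Allowlist of names a site legitimately publishes under /.well-known (assumption: tune to your site).
ALLOWED_NAMES = {"security.txt", "change-password", "openid-configuration", "assetlinks.json"}
ALLOWED_DIRS = {"acme-challenge"}
SCRIPT_EXT = {".php", ".phtml", ".php5", ".jsp", ".jspx", ".asp", ".aspx", ".cgi", ".pl", ".sh"}  # web-shell indicator
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<jsp:", b"#!/")  # content sniff for renamed scripts
ACME_TOKEN = re.compile(r"^[A-Za-z0-9_-]{22,}$")  # HTTP-01 token shape (base64url, assumed min length)


def looks_like_script(path: Path) -> bool:
    """Sniff the first 512 bytes so a shell hidden under a benign name is still caught."""
    return any(marker in path.read_bytes()[:512] for marker in SCRIPT_MARKERS)


def audit_well_known(webroot: str) -> list[tuple[str, str]]:
    """Return (relative_path, reason) for each suspicious entry under webroot/.well-known."""
    base = Path(webroot) / ".well-known"
    findings = []
    if not base.is_dir():
        return findings
    for path in sorted(base.rglob("*")):
        parts = path.relative_to(base).parts
        rel = "/".join(parts)
        if path.is_dir():
            if rel not in ALLOWED_DIRS:
                findings.append((rel, "unexpected subdirectory"))
        elif path.suffix.lower() in SCRIPT_EXT:
            findings.append((rel, "server-side script extension"))
        elif looks_like_script(path):
            findings.append((rel, "script markers inside a benign-looking file"))
        elif parts[0] == "acme-challenge":
            if len(parts) != 2 or not ACME_TOKEN.match(parts[1]):
                findings.append((rel, "non-token file in acme-challenge"))
        elif rel not in ALLOWED_NAMES:
            findings.append((rel, "file not in allowlist"))
    return findings


def demo() -> dict[str, str]:
    """Audit a constructed sample webroot in a temporary directory (not a real site)."""
    with tempfile.TemporaryDirectory() as tmp:
        acme = Path(tmp) / ".well-known" / "acme-challenge"
        acme.mkdir(parents=True)
        (acme.parent / "security.txt").write_text("Contact: mailto:security@example.com\n")
        (acme / ("a" * 43)).write_text("constructed-token")  # legitimate-looking challenge file
        (acme / "cmd.php").write_bytes(b"<?php /* constructed marker, not a real shell */ ?>")
        (acme.parent / "openid-configuration").write_bytes(b"<?php /* renamed */ ?>")
        (acme.parent / "upload.txt").write_text("constructed stray file\n")
        return dict(audit_well_known(tmp))
```

Run it against the real document root on a schedule and alert on any non-empty result; the allowlist check is what makes a quietly dropped file stand out.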