Hello and welcome to the Tuesday, June 10th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, and this episode, brought to you by
the SANS.edu Master's Degree Program in Information
Security Engineering, is recorded in Jacksonville,
Florida. Well, in diaries today, we do have a little
tool introduction by Russ. Russ introduces us to OctoSQL,
a tool I haven't used yet myself, but actually sounds
like something that I like. It essentially allows you to read
in files in various text file formats like JSON, CSV, tab
delimited and the like. And then it allows you to write
SQL queries against the content of these files. So
that makes it really handy to have sort of a simplified
query language, no matter what the particular file format is
that you're reading into. And the example that Russ here
presents is using the NVD JSON database and then writing
queries against this. For example, figuring out various
products, what their vulnerabilities are. So it
doesn't just read in the vulnerabilities, also like the
product identifier database from NVD in order to then be
able to join the two. So interesting tool. And like I
said, certainly something that I'll probably give a try as
well. Well, yesterday I talked about a DVR vulnerability in
Mirai, which I mentioned, well, is sort of nothing
really that unique and new. But, well, today I have to
talk again about Mirai. And this time it's a little bit
more interesting in that Mirai now apparently is also
exploiting a Wazuh-related vulnerability. If you're not
familiar with Wazuh, it's actually a really great open
source tool. It is an open source endpoint detection and
response tool. It monitors systems, does some log
aggregation and the like. But, yes, back in April, I think it was,
they had a severe vulnerability. Don't expose
these kinds of dashboards and complex tools to the Internet.
Of course, something like Wazuh, the tricky part is that
hosts in your network have to connect to its API. So there
is some restriction around what kind of firewall rules
and such you can put in place around these tools in order to
really isolate them well from exploitation. And, yeah, the
fact that Mirai is now taking advantage of this
vulnerability just shows that this is very straightforward,
very simple-to-exploit vulnerability. So if Mirai
knows about it, well, everybody else in the world
who may have a little bit more access to your network already
is exploiting it as well. Well, and then we have another
recursive resolver that the public can use. This one is a
little bit different. It's run by a government entity right
now. And that's the European Union. Now, the European Union
runs it right now. It will configure it, set it up. They
hope to hand it over to a yet-to-be-named private entity
that then will also fund this service. Given that it was
created by the European Union, that means that it's
specifically sort of built around some of the privacy
requirements that come with that. And they otherwise offer
the standard services that these public resolvers
usually offer, where they offer various levels of filtering
based on what particular resolver you select. Whenever
you configure a recursive resolver like this, of course,
the key issue is: do you trust a particular entity that is
running this particular recursive resolver? We do have
a number of existing ones, like the famous ones run by
Google, Cloudflare, Cisco, and the like, that are already
offering very similar services, also similar levels
of filtering. One of the advantages, in addition to the
filtering, if you want to do that, is, of course, also that
these resolvers tend to be a little bit faster than setting
up your own internal recursive resolver. Because you're kind
of, you know, gaining some speed from all the data that they
may have already cached in their system. Well, over the last
couple of years I stopped talking about WordPress add-on
vulnerabilities. Just because there are so many, and I think
it's really brave if you're still hosting WordPress
yourself with a bunch of different packages installed.
But lately, things apparently have been even more
complicated for WordPress users with some legal issues
between some of the big backers behind WordPress. And
that made it particularly difficult to keep all of your
WordPress packages and add-ons up to date. Well, the Linux
Foundation now stepped forward together with some people that
manage and create WordPress packages to create this new
Package Manager project, FAIR, that's intended to provide you
with an independent way to keep your WordPress packages
up to date. So, if you are running WordPress, take a look
at this. It probably will make it a little bit easier to keep
WordPress running safely for you.
Well, and that's it for today. So, thanks for listening.
Thanks for recommending this podcast. Thanks for leaving
reviews on Apple Podcasts or whatever platform you're
using. Remember, there's a video format on YouTube as
well as, for example, on Alexa. You should be able to
include this podcast as part of your daily flash briefing.
Thanks, everybody, and talk to you again tomorrow. Bye.
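As an added example (not from Russ's diary and not OctoSQL itself), the query pattern described for OctoSQL is reproduced in Python with in-memory SQLite standing in for OctoSQL's SQL engine: a constructed NVD-API-2.0-shaped JSON feed and a constructed CPE-style product list are flattened, loaded as tables, and joined to count vulnerabilities per product. The CVE ids, vendor and product names are made up for illustration.

```python
import csv
import io
import json
import sqlite3

# Constructed sample in the shape of an NVD API 2.0 JSON feed (placeholder CVE ids, not real data).
NVD_JSON = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:a:examplevendor:dvr_firmware:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:a:examplevendor:dvr_firmware:1.0:*:*:*:*:*:*:*"},
        {"vulnerable": True, "criteria": "cpe:2.3:a:othervendor:siem_dashboard:4.7:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0003", "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": False, "criteria": "cpe:2.3:o:examplevendor:dvr_os:2.0:*:*:*:*:*:*:*"}]}]}]}},
]})

# Constructed product list in the spirit of the CPE dictionary (made-up vendors and products).
PRODUCTS_CSV = """cpe_name,title
cpe:2.3:a:examplevendor:dvr_firmware:1.0:*:*:*:*:*:*:*,ExampleVendor DVR Firmware 1.0
cpe:2.3:a:othervendor:siem_dashboard:4.7:*:*:*:*:*:*:*,OtherVendor SIEM Dashboard 4.7
"""

def flatten_nvd(raw):
    """Yield (cve_id, cpe_criteria) rows for every CPE a CVE marks as vulnerable."""
    for item in json.loads(raw)["vulnerabilities"]:
        cve = item["cve"]
        for cfg in cve.get("configurations", []):
            for node in cfg.get("nodes", []):
                for match in node.get("cpeMatch", []):
                    if match.get("vulnerable"):  # skip "not vulnerable" context entries
                        yield cve["id"], match["criteria"]

def vulns_per_product(nvd_raw, products_csv):
    """Load both 'files' into SQLite tables and answer with one SQL join."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cve_cpe (cve_id TEXT, criteria TEXT)")
    con.execute("CREATE TABLE product (cpe_name TEXT, title TEXT)")
    con.executemany("INSERT INTO cve_cpe VALUES (?, ?)", flatten_nvd(nvd_raw))
    con.executemany("INSERT INTO product VALUES (?, ?)",
                    ((r["cpe_name"], r["title"]) for r in csv.DictReader(io.StringIO(products_csv))))
    sql = """SELECT p.title, COUNT(DISTINCT c.cve_id) AS n, GROUP_CONCAT(DISTINCT c.cve_id)
             FROM product p JOIN cve_cpe c ON c.criteria = p.cpe_name
             GROUP BY p.title ORDER BY n DESC, p.title"""
    # Return (title, count, sorted list of CVE ids) per product.
    return [(title, n, sorted(cves.split(","))) for title, n, cves in con.execute(sql)]

if __name__ == "__main__":
    for title, n, cves in vulns_per_product(NVD_JSON, PRODUCTS_CSV):
        print(f"{n:3d}  {title}: {', '.join(cves)}")
```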