Hello and welcome to the Monday, August 4th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, recording today from
Jacksonville, Florida. And this episode is brought to you
by the SANS.edu Graduate Certificate Program in
Incident Response. Nothing groundbreaking today as far as
Internet Storm Center data goes. Well, the one slightly odd
thing we had is scans for SSH and Telnet using the
username "POP3 user" and, as the password, well, just the
username or 123456. Just a reminder that, well, yes,
those old protocols may still be out there. So if you no
longer use POP, make sure you don't just disable the POP3
server, but also, well, remove the associated accounts if
possible, or at least make sure they're not able to log in.
Because, well, given that they are probably 10 or so years
old, who knows what the password is. It may be
something stupidly simple. Also interesting here: the
network where these particular scans originated from, well,
it's managed by "Unmanaged" according to WHOIS. That
appears to be the official name of that particular
network service provider, so Unmanaged.uk. It's a UK
provider, at least according to the records. I don't think
they're doing much in terms of managing abuse and the like.
These are often bulletproof hosting providers as well.
I haven't seen this particular one before, but often I don't
really bother looking at the WHOIS record. So definitely,
well, like I said, maybe just block that particular network.
I haven't really seen anything too useful coming from that network.
And Arctic Wolf published a blog post stating that they
suspect there may be a zero-day vulnerability, one that hasn't
really been fully described yet, that is being used by the
ransomware actor Akira to breach networks via SonicWall SSL
VPN. They say they haven't really found any sort
of definite evidence that this is a zero-day, but the affected
devices were fully patched, had their credentials
rotated, and had multi-factor authentication enabled. Now,
to put this a little bit in context, we also had some
reports recently that fully patched SonicWall instances
were breached using credentials that were leaked in prior
breaches via older vulnerabilities, before the particular
device was patched. This may include multi-factor
authentication, because the seed for the one-time password
that's being used here for multi-factor authentication
could also be stolen using these prior vulnerabilities.
So, it's really not clear what's going on here. Arctic Wolf
does suggest that you disable the SonicWall SSL VPN; that
appears to be sort of the critical component here, in that
the SSL VPN has to be enabled in order for these devices
to be exploited. So, lots of unknowns here. That's
always a little bit unsettling, but I would
definitely recommend that you at least take a very close
look at these devices, and if possible, disable the SSL VPN until
we hear more from SonicWall directly. And researchers from
Nextron Systems discovered an interesting new PAM-based
backdoor for Linux that they're calling Blake. Now,
PAM, pluggable authentication modules, is interesting on
Linux insofar as it's essentially what controls
access to the system. So if you're connecting via SSH or
other tools, the server then often checks with PAM whether
or not you have access to the system and, well, how you have
access to the system. So an attacker able to inject their
own code into your PAM setup is able to essentially bypass
authentication. That's pretty much what this backdoor does.
Ultimately, this idea isn't new; plenty has been
written about these PAM-based backdoors. This one apparently
has been around for quite a while, like a year or so, and
hasn't really been described yet. And antivirus is still
not really detecting it. Overall, you really must
monitor your authentication system and your PAM configuration
alike. Make sure nothing has been altered here. There are
some indicators of compromise noted in the blog,
but it ultimately comes down to locking down and monitoring
your authentication configuration. Well, and
that's it for today. So, thanks again for listening.
Thanks for liking and subscribing to this podcast.
And, as always, special thanks for leaving any positive
comments and ratings in your favorite podcast platform.
Thanks and talk to you again tomorrow. Bye.
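The "make sure nothing has been altered" advice for PAM from the episode, as an added example that is not from the Internet Storm Center, from Nextron's write-up or from the backdoor's indicators: a small POSIX shell script that records a SHA-256 manifest of the PAM configuration and module directories and later diffs the live tree against it, so an edited /etc/pam.d service file or a module dropped into a security/ directory shows up as a change. The default path list is an assumption about common Linux layouts (Debian and Red Hat style); pass your own directories if yours differ.

```shell
#!/bin/sh
# Added example: baseline-and-verify check for PAM configuration and module files.
# Not from the ISC episode or Nextron's write-up; the default paths below are an
# assumption about common Linux layouts and may need adjusting for your distro.
#
#   pam_baseline.sh record /var/lib/pam-baseline.sha256 [DIR...]   # after a trusted install
#   pam_baseline.sh verify /var/lib/pam-baseline.sha256 [DIR...]   # exit 1 on any change
set -u

# Files and directories that make up the PAM trust surface (assumed defaults).
DEFAULT_DIRS="/etc/pam.conf /etc/pam.d /etc/security \
/lib/security /lib64/security /lib/x86_64-linux-gnu/security /usr/lib64/security"

# Print "sha256  path" for every regular file below the given paths, in a stable
# order, so two manifests taken from an unchanged tree are byte-identical.
hash_tree() {
    for p in "$@"; do
        [ -e "$p" ] || continue          # skip paths this host does not have
        find "$p" -type f 2>/dev/null
    done | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum -- "$f"
    done
}

# Store a fresh manifest. Do this right after a trusted install or update, and keep
# the baseline where the monitored host cannot rewrite it (read-only mount, remote store).
pam_record() {
    baseline=$1; shift
    hash_tree "$@" > "$baseline"
}

# Compare the live tree with the baseline. Returns 0 when identical, 1 when any file
# was added, removed or modified (the unified diff goes to stderr), 2 on usage error.
# A plain "sha256sum -c" would not notice newly added modules, hence the manifest diff.
pam_verify() {
    baseline=$1; shift
    [ -r "$baseline" ] || { echo "pam_verify: cannot read baseline $baseline" >&2; return 2; }
    current=$(mktemp) || return 2
    hash_tree "$@" > "$current"
    if diff -u "$baseline" "$current" >&2; then
        rm -f "$current"
        return 0
    fi
    rm -f "$current"
    return 1
}

main() {
    cmd=${1:-}
    [ $# -gt 0 ] && shift
    baseline=${1:-}
    [ $# -gt 0 ] && shift
    # Unquoted on purpose: split DEFAULT_DIRS into separate arguments when none were given.
    [ $# -gt 0 ] || set -- $DEFAULT_DIRS
    case "$cmd" in
        record) pam_record "$baseline" "$@" ;;
        verify) pam_verify "$baseline" "$@" ;;
        "")     : ;;   # sourced or run without arguments: define functions only
        *)      echo "usage: $0 record|verify BASELINE [DIR...]" >&2; return 2 ;;
    esac
}

main "$@"
```

Run the verify step from a cron job or systemd timer and alert on a non-zero exit; a diff you cannot tie to a package update you performed is the finding, so investigate rather than re-record. On packaged systems, dpkg --verify or rpm -Va gives an independent second opinion on the module binaries, but neither covers files that are not owned by any package, which is exactly where a dropped-in module lives.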