Hello and welcome to the Monday, July 7th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and this episode, brought to you by the SANS.edu Undergraduate Certificate Program in Applied Cybersecurity, is recorded in Jacksonville, Florida.

Well, to start out with a couple of interesting SSH/Telnet usernames that I observed the last couple of days showing up in our honeypots. First of all, well, "not a chance this is real". That's the username. I suspect this username is selected in order to actually fingerprint honeypots. Honeypots that we are using, based on Cowrie, will occasionally, sort of randomly, allow any credential to work. This prevents people from basically just using some simple credentials. And also, well, eventually we do want attackers to actually log in to see what they're up to. And then, of course, attackers can use that against us by using these obviously non-existing username and password combinations. And if they work, well, there's a good chance that they are connected to a honeypot.

Other notable usernames that I've seen are one SCADA admin that apparently is related to the Rapid SCADA systems. On Mastodon, user John Timmis also confirmed that, pointing to the relevant documentation at Rapid SCADA. I originally wasn't able to find that particular username. But there are also others, of course, like admin12345 and such that are being used by Rapid SCADA. Now, the next set of usernames is GPU001, GPU002. Not 100% sure what they are associated with. But, of course, GPU, well, that's a hot thing these days with AI training and the like. GPU001 and 002, that particular format, appears to be often used as a host name in some systems hosting GPUs. Not necessarily a username, as far as I can tell. But if anybody has any details there, please let me know.

And we have a second issue with Sudo that I forgot to cover on Thursday last week. This was also discovered by Rich Mirch from Stratascale. And it also is related to a not very frequently used option of Sudo. This option is the host option. It allows a user to specify a different host. And in the Sudo configuration, you can basically define a certain host. The intent really was for the option to be used with the list option. So, you can basically list rules based on the host that you would like to use. Well, it turns out it also works for the edit option. Which, of course, then allows for a relatively trivial privilege escalation vulnerability. Again, update Sudo. These vulnerabilities have been around for quite a while. I believe this one was 13 years, if I remember correctly. And most Linux distributions are vulnerable and have released updated packages.

And we do now have a detailed explanation and proof-of-concept exploit for the Citrix Bleed 2 vulnerability that was patched about two weeks ago. WatchTowr has a great write-up on this. I won't go into all the little details here. Just quickly, how do you detect a possible attack? It's actually the login page that is vulnerable here, and how the login parameter is being parsed. If you just send a POST request to the authentication endpoint with short content, with just the word login. Important is the word login, and that you don't have an equal sign here. And that triggers the vulnerability. The result that you get back will be random memory content in the initial value field of the response. So if you're seeing some random characters in this particular field, that will tell you that you are vulnerable.

And I mentioned how Let's Encrypt is now starting to provide very short-lived certificates, down to six days for the certificate lifetime. This is optional, but opens up some new possibilities like getting certificates for IP addresses. Well, it looks like Instagram is actually starting to experiment with this, and kind of showing how to operationalize some of these super short-lived certificates. So the Instagram certificates now are only valid for seven days. They're not using Let's Encrypt. I believe they're using Google as their server authority. But they're actually rotating these certificates daily. So this is basically how you avoid any possible issues with missing, like, an update. You don't want to do it too close to the expiration date. But they basically get a new certificate each day. And each certificate will then be valid for seven days.

Well, and this is it for today. So thanks again for listening, and talk to you again tomorrow. Bye.
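A log-side detection check for the Citrix Bleed 2 probe shape described in the episode, added here as an example that is not from the podcast or from watchTowr's write-up: it flags POST requests to the authentication endpoint whose form body carries a bare `login` field with no `=` after it, and a second helper checks a response's initial-value field for non-printable bytes. The endpoint path, the request record layout and the sample records are assumptions (the episode does not name the path).

```python
from urllib.parse import unquote

# Hypothetical path: the episode only says "the authentication endpoint",
# so this placeholder must be replaced with the real path for your appliance.
AUTH_ENDPOINT = "/AUTH_ENDPOINT_PLACEHOLDER"


def malformed_login_body(body: str) -> bool:
    """True when the form body has a 'login' field with no '=' at all,
    the shape the episode describes, rather than a normal 'login=user'."""
    for field in body.split("&"):
        if unquote(field).strip() == "login":
            return True
    return False


def flag_probe(req: dict, auth_endpoint: str = AUTH_ENDPOINT) -> bool:
    """A request is a probe when it is a POST to the auth endpoint whose
    body has the bare 'login' field."""
    return (req["method"] == "POST"
            and req["path"] == auth_endpoint
            and malformed_login_body(req["body"]))


def suspicious_initial_value(value: str) -> bool:
    """The episode says a vulnerable appliance returns random memory in the
    initial-value field; any non-printable character there is a hit."""
    return any(not c.isprintable() for c in value)


def scan(requests, auth_endpoint: str = AUTH_ENDPOINT):
    """Return the ids of request records that match the probe pattern."""
    return [r["id"] for r in requests if flag_probe(r, auth_endpoint)]


# Constructed sample records (not real traffic) in an assumed log layout.
SAMPLE_REQUESTS = [
    {"id": 1, "method": "POST", "path": AUTH_ENDPOINT, "body": "login=alice&passwd=s3cret"},
    {"id": 2, "method": "POST", "path": AUTH_ENDPOINT, "body": "login"},
    {"id": 3, "method": "POST", "path": AUTH_ENDPOINT, "body": "login&passwd=x"},
    {"id": 4, "method": "GET", "path": AUTH_ENDPOINT, "body": ""},
    {"id": 5, "method": "POST", "path": "/some/other/page", "body": "login"},
]

if __name__ == "__main__":
    print("probe request ids:", scan(SAMPLE_REQUESTS))  # [2, 3]
```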