Hello and welcome to the Monday, June 30th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and today's episode is brought to you by the Master's Degree Program in Information Security Engineering at SANS.edu. It is recorded in Stockheim, Germany.

I want to start today with a little note about Scattered Spider. This is not news by any means; Scattered Spider has been around for a while now. It keeps being around, however, and keeps hitting the news because they use a technique that has historically been uniquely successful, and that's social engineering. Remember groups like Lapsus$, for example, which, as it later turned out, were in no way sophisticated nation-state actors, but really just teenagers who conducted attacks and were able to breach fairly well-defended organizations. The same goes for Scattered Spider, even though I haven't really seen any real attribution of what Scattered Spider may be all about.

What I want to point out here is a couple of things. First of all, Mandiant came up with a nice document on defending against Scattered Spider, with a particular focus on some of the identity aspects, so better monitoring of your identity endpoints to maybe detect some takeovers. Also, when you're thinking about user education, consider that reporting attack attempts is an important part of it. It's really not realistic to try to train every employee in a large company to detect these attacks, but some may detect them, and by reporting them you may then be able to detect the successful attempts as well. So keep that in mind. And if you're rethinking some things like, for example, password resets, and in particular two-factor authentication resets: that's often a part that's not done very well. Try to rely less on anonymous help desks and instead get colleagues and direct supervisors involved, which usually works better. They usually have a better way of identifying and authenticating a particular user they work with on a day-to-day basis.

Back in March, AMI published a vulnerability in its BIOS. Well, it's actually in the Redfish part. If you're not familiar with Redfish, it's one of the commonly used web-based remote management tools that allow you to access servers out of band and do things like firmware upgrades, power cycles, and the like with these servers. Back in March, this vulnerability was also written up by Eclypsium, the company that originally found it. And back then there was already pretty much an exploit available for this very simple authentication bypass. It just requires adding the right additional header to the request, and you would be able to execute arbitrary commands without having to authenticate. Well, CISA has now added this vulnerability to its Known Exploited Vulnerabilities list. So it's now officially being exploited in the wild, something you definitely must address now. I know it's not always easy to update BIOSes, and given that it was released in March, that gave you about three to four months, which is still a bit of a tight deadline for a vulnerability like this. So definitely try to accelerate this and get this vulnerability fixed.

Talking about BIOS updates and little things that take some time and preparation, Microsoft is alerting everybody to get ready for the expiration of the original Secure Boot certificates next year. So just a year from now, in June 2026, the certificates will expire. It turns out it has been 15 years since Microsoft originally introduced Secure Boot. Now, Microsoft's Windows Update will give you new certificates. However, there is a little complication here in that it only really works for you if your system is sending diagnostic data back to Microsoft. Since these certificates are really part of the BIOS, they are somewhat specific to the machine you're running, and Microsoft is collecting data on which machines it needs to push out the certificates for and how to push them out. So definitely make sure that you're allowing that data to be sent back. If not, well, refer to Microsoft's additional analysis. Also, if it's a more enterprise-managed system, Microsoft did publish a blog post with various scenarios and how to make sure that you will get these updates over the next year. There's also the complication if you're still running Windows 10: the update will only be available until October this year. So definitely either make sure you get it updated before then or upgrade to Windows 11, which is probably the right option anyway, but you may be running Windows 10 for some specific software compatibility issue.

Microsoft also published a fairly extensive blog post about its resiliency initiative that outlines future changes Microsoft is going to make to Windows in order to make it more resilient and more secure. One of the big, somewhat controversial items here, which arose from the Cloudflare incident, is that Microsoft will make it more difficult or impossible for software to actually live in the kernel. In particular, security software, of course, has often taken advantage of the additional protection that the kernel provides, of running with kernel privileges, and also of the access to any metrics and such that this provides. But that may no longer be possible. So we'll have to see how this will all work out. But it's an interesting blog post to read to get a little bit of insight into what Microsoft is up to.

Well, and this is it for today. Now, today, or this week rather, is again a travel week for me. Also, there is a holiday on Friday, July 4th. So my current plan is to only release one more podcast this week, and that would be for Thursday, July 3rd. So no podcast Tuesday or Wednesday, but Thursday there will be one. And then, of course, no podcast on July 4th. Thanks for listening, and talk to you again on Thursday, July 3rd. See you again then.
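The Secure Boot segment above says the original certificates expire in June 2026, that Windows Update delivers replacements, and that this only works when diagnostic data is being sent back to Microsoft. The following PowerShell script is an added example, not code from the episode, from SANS, or from Microsoft: it reads the firmware's db and KEK variables, reports which of the old and new Microsoft CAs are enrolled, and checks the diagnostic-data policy value. It assumes the certificate subject names below are Microsoft's published names for the 2011 and 2023 CAs, that `AllowTelemetry` under the `DataCollection` policy key is the relevant diagnostic-data setting, and that it is run from an elevated PowerShell on a UEFI system with the built-in SecureBoot module.

```powershell
# Added example (not from the Stormcast episode, SANS, or Microsoft): inventory
# where a Windows machine stands ahead of the June 2026 Secure Boot certificate
# expiration. Run elevated on a UEFI system.
# Assumptions: the subject names below are Microsoft's published names for the
# original (2011) and replacement (2023) CAs; AllowTelemetry under the
# DataCollection policy key is the setting that controls diagnostic data.

function Test-SecureBootCaStatus {
    [CmdletBinding()]
    param()

    # Confirm-SecureBootUEFI returns $false when Secure Boot is off and throws a
    # terminating error on legacy BIOS firmware; surface both to the caller.
    if (-not (Confirm-SecureBootUEFI)) {
        throw "Secure Boot is not enabled on this system; certificate checks do not apply."
    }

    # Secure Boot variables are raw DER blobs; the certificate subjects inside
    # are ASCII, so a substring match is enough to tell which CAs are enrolled.
    $dbText  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kekText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    # Subject names assumed from Microsoft's documentation (not listed in the episode).
    $oldCas = @{
        'db:  Microsoft Windows Production PCA 2011' = ($dbText  -match 'Microsoft Windows Production PCA 2011')
        'db:  Microsoft Corporation UEFI CA 2011'    = ($dbText  -match 'Microsoft Corporation UEFI CA 2011')
        'KEK: Microsoft Corporation KEK CA 2011'     = ($kekText -match 'Microsoft Corporation KEK CA 2011')
    }
    $newCas = @{
        'db:  Windows UEFI CA 2023'                  = ($dbText  -match 'Windows UEFI CA 2023')
        'db:  Microsoft UEFI CA 2023'                = ($dbText  -match 'Microsoft UEFI CA 2023')
        'KEK: Microsoft Corporation KEK 2K CA 2023'  = ($kekText -match 'Microsoft Corporation KEK 2K CA 2023')
    }

    # Diagnostic-data policy: a value of 0 ("Security"/off on Enterprise SKUs)
    # is the setting the episode warns will keep the certificate update from
    # being targeted at this machine. No value means no policy is enforced.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    $allowTelemetry = (Get-ItemProperty -Path $policyKey -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
    $diagnosticsBlocked = ($null -ne $allowTelemetry -and [int]$allowTelemetry -eq 0)

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        OriginalCasPresent    = $oldCas
        ReplacementCasPresent = $newCas
        AllReplacementsPresent = -not ($newCas.Values -contains $false)
        AllowTelemetryPolicy  = $allowTelemetry
        DiagnosticDataBlocked = $diagnosticsBlocked
        NeedsAttention        = ($newCas.Values -contains $false) -or $diagnosticsBlocked
    }
}

# Usage: print a summary, then a one-line verdict per machine for fleet reporting.
$status = Test-SecureBootCaStatus
$status | Format-List
if ($status.NeedsAttention) {
    Write-Warning "$($status.ComputerName): 2023 CAs missing or diagnostic data blocked; follow Microsoft's Secure Boot guidance before June 2026."
} else {
    Write-Host "$($status.ComputerName): replacement Secure Boot CAs enrolled and diagnostic data not blocked by policy."
}
```

The script only reports; it does not write to firmware variables, since the episode's point is that Windows Update is the delivery path and the administrator's job is to make sure the machine is eligible for it. Wrapping it in `Invoke-Command` against a list of hosts gives a quick fleet view of which systems still carry only the 2011 certificates.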