Hello and welcome to the Monday, November 3rd, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu undergraduate certificate program in cybersecurity fundamentals.

It was just about a week ago that we got from Microsoft the emergency update for Windows Server Update Services. This update fixed an already, at the time, exploited vulnerability that can lead to remote code execution. Well, since the vulnerability has now been made public, and also additional details about the vulnerability have been made public, we have seen in our sensors an increase in scans for ports 8530 and 8531, which are the two ports that are associated with WSUS. The first one is just plain TCP. The second one is then also TCP, but with TLS. For 8530, scan rates went up from about 800 or so a day all the way up to in excess of 3,500, and similar numbers for 8531. A little bit lower here, only about 3,000 counts here per day for 8531, which is probably just because it's a little bit slower to scan with TLS if you actually want to go through the TLS handshake. So assume that if you have exposed the WSUS server, it has been found by now. Now, many of these scans are being done by researchers. I saw Shadowserver, for example, in our data doing some of these scans. Shadowserver will attempt to notify entities of exposed servers, so please take those notifications seriously.

And the Australian Signals Directorate has published an advisory noting that an implant that they're calling BADCANDY is being deployed to Cisco IOS XE devices that are still vulnerable to CVE-2023-2198. So this is a 2023 vulnerability. Apparently it's still not patched. This particular vulnerability has also previously been exploited by, for example, Volt Typhoon, that took over a number of telecom providers. So definitely, you know, make sure your Cisco devices are up to date. And having them not patched now for two years, well, it's probably not really excusable at this point. And if you are finding devices that are not patched for that amount of time, well, then by all means, consider them compromised. Again, this vulnerability has been used by a number of high-profile threat actors, and of course details about the vulnerability and exploitation of it have been disseminated ever since.

The last few weeks, we had a couple of incidents where malicious extensions were published to the OpenVSX store. This is the extension store where you can download extensions for Visual Studio Code-derived editors, like some of them that are popular, for example, sort of in the AI coding community. The problem with these extensions was that they included malicious code that was actually encoded using Unicode characters that were rendered as white space. So as a developer, if you even would have bothered to review those extensions, you would have only seen sort of empty lines instead of actual malicious code. There was later also a variant that used this for dependencies, in order to hide exactly what dependencies are being loaded in code. But the reason this particular worm was also referred to as GlassWorm was that part of it was invisible.

Well, OpenVSX now responded to this incident and did share a couple of things that they're going to do to actually improve their registry. One is pretty straightforward: reduce the token lifetime limits. That's, of course, obviously a little bit controversial, because now how short do you have to make them to actually matter? Then also make it easier to revoke tokens. That is important if the developer realizes tokens were stolen, so that they can more easily cut off access to those tokens. And I think probably most importantly, here's the third point, that they will improve the security scanning at publication. In particular, with these Unicode exploits and such, it should be rather straightforward to identify them automatically. So that would be a nice touch here if some of these extensions would be scanned before they actually end up in the extension store. Yeah, and then they just ask for overall collaboration here in order to basically better identify these malicious extensions. They also state that the actual scale of the compromise may be somewhat exaggerated. That's of course always a big question: how many people actually not just downloaded these extensions, but actually used those extensions and were then affected by the malicious code embedded? That's of course always subject to debate, but ultimately really nice that they're reacting to it and that they're suggesting some reasonable ways to improve the security of these extensions.

Well, and this is it for today. So thanks for listening. Thanks for liking and recommending this podcast, and talk to you again tomorrow. Bye.
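The episode's point that extensions hiding code behind "white space" Unicode should be straightforward to catch automatically is easy to turn into a pre-publication check. The following is an added example written for this page; it is not the Stormcast's, OpenVSX's, or any registry's own scanner. It flags characters in the Unicode format, private-use and unassigned categories, plus an assumed starter list of blank-looking code points and variation selectors, and reports them per line so a reviewer can see which "empty" lines are not empty. The constructed `SAMPLE` source and the category policy are assumptions, not something the episode specifies.

```python
"""Flag invisible or format Unicode characters in source text before publication.

Added example for this page (assumption: a strict "no invisible characters in
source" policy); not the scanner OpenVSX or any registry actually runs.
"""
import sys
import unicodedata

# Unicode general categories that do not belong in ordinary source code:
# Cf = format (zero-width joiners, bidi controls, ...), Co = private use,
# Cn = unassigned.
SUSPECT_CATEGORIES = {"Cf", "Co", "Cn"}

# Code points outside those categories that still render as nothing or as a
# plain blank. Assumption: a starter list of well-known tricks, not an
# exhaustive inventory.
EXTRA_SUSPECTS = {
    0x00A0, 0x1680, 0x2007, 0x202F, 0x205F, 0x3000,  # non-ASCII spaces
    0x115F, 0x1160, 0x3164, 0xFFA0,                  # Hangul fillers
}
# Variation selectors (category Mn) are invisible modifiers; a run of them
# appended to an ordinary character can carry arbitrary data.
EXTRA_SUSPECTS.update(range(0xFE00, 0xFE10))
EXTRA_SUSPECTS.update(range(0xE0100, 0xE01F0))

# Control characters a source file legitimately contains.
ALLOWED = {0x09, 0x0A, 0x0D, 0x20}


def is_suspect(ch: str) -> bool:
    """True if a single character should never appear in reviewable source."""
    cp = ord(ch)
    if cp in ALLOWED:
        return False
    if cp in EXTRA_SUSPECTS:
        return True
    return unicodedata.category(ch) in SUSPECT_CATEGORIES


def find_invisible(text: str) -> list[dict]:
    """Return one finding per suspect character with its line, column and name."""
    # A byte-order mark (U+FEFF, category Cf) as the very first character is a
    # legitimate file signature, so it is not counted; anywhere else it is.
    if text.startswith("\ufeff"):
        text = text[1:]
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_suspect(ch):
                findings.append({
                    "line": line_no,
                    "col": col,
                    "codepoint": f"U+{ord(ch):04X}",
                    "name": unicodedata.name(ch, "<unnamed>"),
                })
    return findings


def summarize(findings: list[dict]) -> dict[int, int]:
    """Count suspect characters per line: the lines a human review would skip."""
    per_line: dict[int, int] = {}
    for f in findings:
        per_line[f["line"]] = per_line.get(f["line"], 0) + 1
    return per_line


# Constructed sample: a short extension-style JavaScript file whose third line
# looks blank in an editor but holds zero-width characters, and whose fourth
# line carries variation selectors after the letter 'a'.
SAMPLE = (
    "function activate(context) {\n"
    "  console.log('extension active');\n"
    "  \u200b\u200c\u200d\u2060\n"
    "  const x = 'a\ufe00\ufe01\ufe02';\n"
    "}\n"
)


def scan_path(path: str) -> list[dict]:
    """Scan one file on disk; decoding errors are themselves worth a look."""
    with open(path, encoding="utf-8", errors="strict") as fh:
        return find_invisible(fh.read())


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        # No files given: demonstrate on the constructed sample instead.
        results = find_invisible(SAMPLE)
    else:
        results = [f for p in paths for f in scan_path(p)]
    for f in results:
        print(f"line {f['line']} col {f['col']}: {f['codepoint']} {f['name']}")
    print("suspect characters per line:", summarize(results))
```

Run it with no arguments to see the sample's two "blank-looking" lines flagged, or pass extension source files as arguments. In a registry pipeline the natural policy is to reject or hold for manual review any submission with a non-empty result, and to treat a decode error as a finding rather than skipping the file.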