Hello and welcome to the Monday, October 27th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, recording today from
Jacksonville, Florida. And this episode is brought to you
by the SANS.edu graduate certificate program in Purple
Team Operations.

Got two diaries this weekend. The first one is from Guy. Guy is French Canadian, so his first language is French. He's actually seeing quite a few phishing emails coming in in French, and then pretty much identical emails coming in in English. This is something that I've always wondered about a little bit: how much is the language of these phishing emails targeted to the recipients? Of course, in Canada in particular, it's a little bit hard to tell whether a particular person speaks French or doesn't speak French. But it's interesting that essentially the same email is being used for French as well as English. And well, I guess attackers are trying to make them appeal more to speakers of French, because they are often more used. I noticed from Germany as well that the majority of phishing emails are in English. So whenever there is one in a person's native language, if that's not English, that, of course, has a somewhat higher chance of
success.

And then we have a second diary this weekend from Didier. Didier recently attended the Hack.lu conference. At the conference, he saw an interesting presentation from the developers of Kaitai Struct. This is a tool that is often used to analyze malware. It basically allows you to analyze various binary formats. Well, they now have a web IDE available that essentially implements everything in JavaScript. It allows you, without having to install any specific tool, to simply run this Kaitai Struct tool. Looks pretty neat. And I think particularly for someone who is only occasionally doing some malware analysis, it's probably a real nice tool to have. It feels a little bit like CyberChef, but of course more with a focus on binary analysis, while CyberChef is really just sort of for file conversion and the like. So there is some overlap between these tools. But for reverse analysis, definitely take a look at Kaitai
Struct, the web IDE.

And on Friday, I mentioned the new vulnerability in Windows Server Update Services, or WSUS. This vulnerability is now, first of all, being exploited in the wild. Huntress published some data about that. Secondly, Microsoft on Friday did release a patch for this vulnerability for versions of Windows Server going back to 2019. So even Windows Server 2019 did get an update for this. Microsoft also published an advisory going with this update with additional details about this vulnerability. The big takeaway here is, number one, it's being actively exploited. It does not require authentication. It does allow for arbitrary code execution on your update server. And with that, it also then allows the compromised update server to, of course, push malicious updates to any client that pulls updates from this update server. So it's not just affecting this update server. It's affecting the entire network that is using this particular update server and trusting it for updates. So that's really the big issue here. Most of these update servers are hopefully not exposed to the Internet. But definitely, this is a high priority patch that you must install today, if at all possible.

And then
CSO Online has a good article that summarizes something that I have been ranting about a few times in the past. Actually, I think I mentioned it at one of the RSA keynotes. I couldn't find it anymore, so it was probably long enough ago that Google sort of lost it. But the problem here is that we see more and more attacks that actually exploit vulnerabilities in network security devices that are, as the title of the article says, 90s-era flaws. So very easily exploitable vulnerabilities are being taken advantage of in devices that are supposed to actually make us more secure. One statistic, which I think comes from MITRE and is quoted in this article, that I think particularly tells the story is that about a third of attacks are starting out with, so the initial entry point now is, an attack against a network security device. Only half of that, like 16% I think it was, is phishing. And we spent a lot of effort on preventing and fighting phishing. Probably still a good thing. And maybe the fight actually made it so that it's no longer your number one problem. But it's really discouraging that these expensive enterprise security devices are really opening us up to more problems than they may fix in some cases. Definitely something to pay attention to. And yes, as always, keep those devices patched. I think every week we have a new vulnerability here. The article also lists some of the vulnerabilities that have been exploited in these devices in the last two years.

Well, and that's it for today. So thanks again for
listening. And thanks for recommending it. Thanks also to everybody who attended my talk in Augusta on Saturday. Whether it will be available online, I'm not sure. If it is, I'll definitely note and link to it. And yeah, it's always good to run into people who reach out and let me know that they're listening. Because sitting here in my office, just talking to the camera and my dog, maybe a cat sitting on the desk here, well, we wonder sometimes whether or not anybody's actually listening. So thanks, and talk to you again tomorrow. Bye.