Hello and welcome to the Thursday, August 14th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Purple Team Operations.

Yesterday, we talked about new Microsoft patches. Well, sadly, old vulnerabilities appear to be still around, at least around enough for attacks to still take advantage of them. Xavier came across this slightly odd Excel spreadsheet. The extension is .xlam, which usually hints at a macro file. But macros were not the problem here. Instead, it just exploited an old 2017 vulnerability, the good old Equation Editor vulnerability. So apparently, there's still enough of it around for attackers to give it a try every so often. As Xavier points out, he keeps an old virtual machine around just for that purpose. In most corporate environments, I hope it's not that easy to find these old systems still running. But, well, I have been surprised before. The payload here is then essentially just triggering a download of an executable that is being run on the victim's system. And this executable is an information stealer that then exfiltrates data via email directly to an attacker's mail server. Another sort of not super common technique, given that outbound email via random mail servers is often blocked. So maybe this is more something going after home users or the like rather than enterprise users.

And talking about vulnerabilities and Microsoft's Patch Tuesday, there's one quick add-on here that I didn't point out yesterday. And that's the one already publicly known vulnerability. Well, this was the vulnerability in Exchange Server in hybrid mode, where an attacker with admin access to the Exchange server could attack other parts of the infrastructure, in particular your domain controller. Apparently, the root cause here is a directory traversal issue in Kerberos.

And Binarly published an interesting report about the XZ Utils backdoor. If you remember, this was March last year that this backdoor was discovered. It was a very interesting sort of case about open source security and some interesting social engineering. Well, luckily, back then, the backdoor was found pretty quickly. So there wasn't really any major harm done. At least the harm was somewhat limited. Well, what Binarly now found is that this particular XZ Utils backdoor is still present in some Docker images that are distributed by the official Docker Debian account. Debian Linux was the distribution affected by this backdoor. That's sort of why this happened. There's some controversy between Binarly and the Debian maintainers here, whether or not these affected images should be removed from Docker Hub. Well, Binarly's argument is, well, obviously, there's a backdoor in these images. And people typically trust images being distributed by Debian on their official Docker account. Debian's argument is, well, it's really just a vulnerability like anything else. The affected images are not currently supported images. They're really just maintained sort of for archive purposes. And since this backdoor is really just a vulnerability, they're not going to remove them. And as sort of an example, they pointed out that old versions of Debian that, for example, are suffering from the Heartbleed vulnerability are also still available for download. Overall, of course, most vendors, or many vendors, make old vulnerable images or software available for download, not just via Docker Hub, but also on their official software distribution websites. Sometimes for researchers, this is quite useful, to be able to find these old vulnerable software versions if you try to, for example, experiment with a particular exploit. On the other hand, of course, there is sort of this attitude that, hey, if it comes from Docker, it's official. It must be free of malware. And the XZ Utils backdoor certainly, well, qualifies more as malware than a normal vulnerability, even though a CVE number was assigned to it. So lesson learned here: be careful what you download from Docker Hub. Make sure you're downloading currently supported versions of images, not just any image from a trustworthy account. And of course, there's always the chance that things like that will end up in images derived from these vulnerable images. So it's not just that the Debian images are affected, but any images that use them as their base are possibly infected as well.

And then we do have two critical vulnerabilities in Fortinet devices. I would rate them sort of as "patch now". This first one here is essentially an authentication bypass vulnerability in FortiWeb. There are already proof of concept exploits out there. So assume this is being exploited. The second vulnerability, also published yesterday, is a vulnerability in FortiSIEM. And it allows for unauthenticated OS command injection. So both of these are critical, and both of these are essentially exploited in the wild. Like for the first one, we do have exploit code public. For the second one, the FortiSIEM vulnerability, Fortinet states as part of the advisory that they have found exploit code in the wild taking advantage of this vulnerability. So definitely both of them must be patched now.

Well, and that's it for today. So thanks for listening and talk to you again tomorrow. Bye.