Hello and welcome to the Thursday, August 21st, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, recording today from
Baltimore, Maryland. And this episode is brought to you by
the SANS.edu Graduate Certificate Program in
Industrial Control System Security.

In diaries today, I wrote a little bit about some of the
odd usernames and passwords that we often see in our SSH
and Telnet data that don't necessarily link to a direct
attack, but maybe some of you have ideas what's behind
that. The username that prompted this was Airtel@123. A
quick Google search shows that, well, this does link to a
company called Airtel that distributes a router. However,
this password is not the SSH and Telnet password. Way too
complex for that. That's actually just admin/admin for
this particular router. But this password is used for the
Wi-Fi network by default. So that's kind of odd why they're
using that. I don't know. Maybe some users just get lazy
and when they have to change the admin password, they're
just changing it to the WPA passphrase. That could be a
motivation behind it. Also, another username-password
combo that I thought was kind of interesting: not
root/admin, but instead they replaced the first letter
with the dollar symbol. So $oot and then $dmin. Again, if
anybody has any idea why this may happen, whether by
accident or intentionally, please let me know.

Apple today fixed a single
vulnerability in iOS, iPadOS and macOS, going back to
versions for macOS. The reason for this quick patch for one
individual vulnerability is that this vulnerability in
ImageIO is already being exploited. It's a memory
corruption vulnerability leading with that to arbitrary
code execution. So definitely a patch that you do want to
apply quickly, even though at this point, of course, it has
only been cited against, well, very targeted attack victims.

And then we got an interesting issue with Microsoft Copilot
that was nicely documented by Zach Korman. And with that
also a little bit of controversy about how Microsoft dealt
with this particular problem. The core issue here is audit
logs. You expect your audit logs to record if a particular
user is accessing some specific information. Well, this is
not the case if that information came from Copilot. Copilot
indexes basically various files on your system. So
basically Copilot accesses those files. A user can now
ask questions about these files. And essentially the
Copilot system is returning very specific answers about
the content of these files. But there is no access log
that will actually record that a particular user did retrieve
that data. And that's sort of a little bit the problem of
this issue and the controversy around it, that Microsoft
didn't necessarily acknowledge this as a bug properly. But
just from the technical point of view here, this is
certainly something to be aware of. This has been an
ongoing issue where really access control is sort of
getting destroyed by AI agents. Any data that the AI
agent is being trained on is accessible to users that have
access to the AI agent. And as a result, well, any sort of
more fine-grained access control that you may have had
on a per-user basis on the original data is kind of lost.
And with that, of course, also the user's perspective audit
capabilities.

And Marek Toth, who presented about this topic at DEF CON,
did update a blog post about clickjacking vulnerabilities
in password managers. The problem with clickjacking
password managers arises from password managers essentially
inserting themselves into web pages. And in doing so,
they're susceptible to many of the attacks that web
applications and HTML and the DOM are susceptible to,
including clickjacking. And it turns out that clickjacking
is, well, quite widespread among the different password
managers. Marek tested a number of different password
managers, pretty much all the well-known ones. Sadly, many
of them have not been fixed at this point. NordPass,
Proton Pass, RoboForm, Dashlane, Keeper, those are
the ones that are fixed. Bitwarden, 1Password, iCloud
Passwords, Enpass, LastPass, LogMeOnce are not yet fixed
and are vulnerable to some extent. Now, for some of them,
for example, 1Password, credit card numbers are not affected,
but passwords are. And that's probably almost more important
than credit card numbers. So watch out for updates from
various password managers and, well, apply them because, as so
often with clickjacking, the exploit is actually pretty
straightforward.

Well, and that's it for today. So thanks again for
listening. Thanks for subscribing, liking, commenting, and
recommending this podcast and talk to you again tomorrow.
Bye.