Hello and welcome to the Thursday, August 7th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership.

Sextortion scams, well, they were a big thing a few years ago and have died down a little bit. But every so often there's a flare-up of them. Over the last couple of weeks I received about a dozen or so emails with this "cooperation offer" subject line. Jan now took a quick look to figure out whether or not any of these scams are still successful. He looked at a couple dozen different email addresses and the associated cryptocurrency addresses that were attached to those emails. And, well, sadly, a couple of them did get deposits in line with what they asked for as part of these extortion scams. This is really sort of a little bit of an awareness issue. But then also remember that even though the scam itself is old, not everybody may actually have received a copy. And then, depending on current circumstances, people may or may not be more vulnerable to this. I just read on social media from someone who is actually very cyber-aware and such, and that they fell for one of those UPS scams lately and entered their credit card number trying to basically have their package redelivered. And they were actually just waiting for a package. So it all depends on the circumstances, whether or not someone falls for these. These style of messages, of course, are also relatively easy to filter automatically, which is probably why I haven't really seen many of them, because my spam filters and such will typically take care of them.

And then we got a couple of additional pieces to the puzzle when it comes to the somewhat mysterious SonicWall compromises that were then used by the Akira ransomware group to gain access to corporate networks. Another tool they're apparently using is, well, the good old bring-your-own-vulnerable-driver attack, where they are installing drivers that are legitimate on the system, so they're usually allowed by EDR and the like, to then escalate privileges and disable EDR tools. This is a very common trick. The two drivers mentioned here, one of them sort of a CPU tuning driver, are, again, legitimate tools, but not very commonly used. So the presence of those drivers, in particular in business, corporate PC environments, should certainly raise a flag and be investigated. There is additional information, in the case of compromise and such, in the GuidePoint Security blog, where they're talking about the parts of the attack that they observed.

And if you are using Adobe's Experience Manager, it's time to patch. This is sort of an out-of-order patch. Of course, we usually get Adobe patches at the same time Microsoft releases patches. So next Tuesday, I guess, we'll get some patches from Adobe. But these were released this week for Experience Manager because there are two vulnerabilities that are already, at least, well, if not being exploited, there's a proof of concept publicly available. So exploitation is probably, at least in a targeted way, already happening. Adobe also released an advisory for these particular vulnerabilities. And again, patches are available.

And talking about critical and emergency patches: Trend Micro released a patch for its Apex One on-premise management console. This patch fixes a command injection vulnerability. It does allow remote code execution pre-authorization. The reason they essentially rushed out this patch is that the vulnerability is already being exploited in the wild. One word of caution here: they call this sort of a fix tool. It's not the final patch. It does limit the functionality of your Apex One console. You're no longer able to use the remote install agent to deploy agents with Trend Micro Apex One after you apply this fix. The final patch should be released mid-August, so in a week or so, I guess.

Well, and that's it for today. So thanks for listening. Thanks for liking, subscribing, and special thanks for leaving good comments for this podcast on your favorite podcast platform. And talk to you again tomorrow. Bye.
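The driver-inventory check that the bring-your-own-vulnerable-driver segment above calls for, as an added example that is not part of the podcast or of the GuidePoint write-up: it parses the CSV that `driverquery /v /fo csv` produces on a Windows host and flags running drivers that are missing from an approved baseline or that load from outside System32\drivers. The baseline, the driver names and the CSV rows below are constructed for this example, not taken from the incident.

```python
import csv
import io

# Constructed sample of `driverquery /v /fo csv` output, trimmed to the
# columns this parser reads. Real output has more columns; DictReader
# looks fields up by header name, so the extra columns are harmless.
SAMPLE_DRIVERQUERY_CSV = r'''"Module Name","Display Name","Driver Type","State","Path"
"ACPI","Microsoft ACPI Driver","Kernel","Running","C:\Windows\System32\drivers\ACPI.sys"
"disk","Disk Driver","Kernel","Running","C:\Windows\System32\drivers\disk.sys"
"tunedrv","CPU Tuning Utility","Kernel","Running","C:\Users\Public\tunedrv.sys"
"oldnet","Legacy Network Filter","Kernel","Stopped","C:\Windows\System32\drivers\oldnet.sys"
'''

# Constructed allow-list (module names, case-insensitive). On a real estate,
# generate this from a clean reference image rather than typing it by hand.
APPROVED_BASELINE = {"acpi", "disk", "ndis", "tcpip"}

SYSTEM_DRIVER_DIR = "\\system32\\drivers\\"


def parse_driverquery(csv_text):
    """Return driverquery CSV rows as dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def flag_unexpected_drivers(csv_text, baseline, running_only=True):
    """Return drivers worth an analyst's look, with the reason for each.

    A hit is a lead, not a verdict: the drivers abused in BYOVD attacks are
    legitimately signed, so the signal is rarity and location, not the
    signature.
    """
    baseline = {name.lower() for name in baseline}
    findings = []
    for row in parse_driverquery(csv_text):
        if running_only and row["State"].lower() != "running":
            continue  # a stopped driver is not yet a live risk
        reasons = []
        if row["Module Name"].lower() not in baseline:
            reasons.append("not in approved baseline")
        if SYSTEM_DRIVER_DIR not in row["Path"].lower():
            reasons.append("binary outside System32\\drivers")
        if reasons:
            findings.append({"module": row["Module Name"],
                             "path": row["Path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in flag_unexpected_drivers(SAMPLE_DRIVERQUERY_CSV, APPROVED_BASELINE):
        print(hit["module"], hit["path"], "; ".join(hit["reasons"]))
```

On a live host, feed the function the output of `driverquery /v /fo csv` and treat every hit as a ticket to investigate, not as an automatic block.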