Hello and welcome to the Tuesday, September 23rd, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, recording today from Las
Vegas, Nevada. This episode is brought to you by the SANS.edu
Graduate Certificate Program in Cybersecurity Leadership.

CISA, the Cybersecurity and Infrastructure Security
Agency, has published a report with details regarding two
organizations that were recently compromised via a
vulnerability in Ivanti's Endpoint Manager Mobile, or
Ivanti EPMM. The vulnerabilities were exploited
in order to install a backdoor on these systems. That was
essentially a persistence mechanism being used by these
attackers. And the end effect was that the attacker was able
to execute arbitrary commands on affected systems. There's
of course always a chance that they hit additional systems
that didn't report samples to CISA. That's very likely.
Also, CISA did publish a number of indicators of
compromise, like URLs, for example, that were hit in order
to take advantage of the vulnerability, and also
additional analysis of the backdoor that was found on
these systems. The vulnerabilities that were
exploited here were patched in May. So something you should
have probably taken care of by now. But if you haven't, well,
this is probably your very last chance. And if you find
unpatched systems, absolutely make sure they have not
already been compromised.

LastPass is reporting that
they have seen a large number of fake GitHub repositories
that are distributing malware. And now the reason LastPass
sort of came across them is that this particular wave of
fake GitHub repositories is also impersonating LastPass,
in addition to a number of other software vendors. In the
list, I noticed 1Password, for example. Also, DaVinci Resolve
was being impersonated. Many of these GitHub repositories
claim that they have premium or paid versions of that
product for free to download. And they're in particular
targeting MacBooks. Now what the user actually ends up with
when they're installing this particular malware is, well,
no surprise here really, info stealers that are then
exfiltrating secrets from affected systems. As with many
of these campaigns, of course, the name of these GitHub
repositories is constantly changing as some of them are
being taken down. So this is just one of those things you
have to be careful with. And yeah, don't expect legitimate
software that usually costs money to be available via
GitHub for free.

And cybersecurity company Yarix
did publish an analysis of a recent intrusion that used a
somewhat unusual entry vector, and that's the Oracle
Database Server Job Scheduler. Now I say unusual because we
don't hear much about it. But lately, there have been
various reports about attacks against this Oracle Database
Server Job Scheduler increasing. I can't verify
this increase myself. But it seems likely that if a service
like this ends up being exposed to the internet, that
people will exploit it if that's successful. And
apparently, it has been successful in a couple
different cases. The Yarix report goes over the various
commands that are being executed via the scheduler in
order to, again, get persistent access to the
exploited system, and also what particular malware is being
used here and what accounts, for example, are being created
to maintain access to this system. Something like this
scheduler should probably, again, not be exposed to the
internet. Well, I don't actually think that an Oracle
Database should be exposed to the internet directly.

Well, and this is it for today. Thanks for listening. Thanks
for liking and subscribing to this podcast. And as always,
special thanks to anybody recommending this podcast to
their friends. That's it for today. Thanks and talk to you
again tomorrow. Bye.