Hello and welcome to the Wednesday, August 20th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich, recording today from
Jacksonville, Florida. And this episode is brought to you
by the SANS.edu undergraduate certificate program in Applied
Cybersecurity.

In diaries today, I wrote up some changes that we see in scans for Elasticsearch these last couple of days. There's a particular endpoint, _cluster/settings, which we haven't really been seeing hit a lot, all of a sudden getting a lot of attention from a couple of IP addresses. It's certainly not the sort of scan where, you know, everybody's scanning for it. It is a little bit more targeted with respect to where the scans are coming from. There has lately, in the last couple of days, been a lot of talk about a possible Elasticsearch EDR 0-day. I don't think this is directly related. It could possibly be people getting interested in Elasticsearch, trying to build possible target lists. Elastic has also disputed some of the findings in this blog post talking about the particular 0-day. So I definitely wouldn't really take that 0-day claim too seriously here in this case. Also, what they really claimed was somewhat more limited. Anyway, in my opinion, pay attention to Elasticsearch. Make sure you are not directly exposing it to the world. That's probably the best advice I can give you right now. Yes, a lot of people do like to expose Elasticsearch, in particular for some single-page applications where JavaScript is used to directly access Elasticsearch. Personally, I'm not a big fan of that. I'm sort of a little bit old-fashioned, as I state in the diary, in that I really don't think you should expose your back-end databases to the user, in particular with some of the constraints that you have with Elastic and similar databases when it comes to access control and authentication.

Well, it's
about a week after Patch Tuesday, so it's a good opportunity to look back a little bit and see what went wrong this time. Microsoft always publishes its list of issues that they discovered after the patch was released. Nothing really that I'd consider major here. There was one particular problem with installing the updates from WSUS, and well, in this particular case, the update just failed. Also a similar issue with shared drives. Microsoft has fixed this particular issue, so that shouldn't really be a problem anymore. However, there was a bit of a major problem here, depending on, well, what SSD you are running: SSDs that are using a chipset from Phison, and I believe they distinguish themselves by not actually using SDRAM as a cache for the SSD drive. They're used in a variety of different manufacturers' drives. If you're transferring more than 50 gigabytes or a very large file, the drive may disappear. Now, typically, you know, you reboot and the drive comes back, but that apparently doesn't always fix the problem here. So it may lead to more permanent data corruption. As far as I've seen, there is no real fix for this. I heard that Kingston did release a firmware update for its drives, and Seagate, I've seen in some forum, is also releasing an update. But at least for Kingston, on their update page, it looks like everything they had there was older. If you're running into this issue, that's probably your best bet: look at your SSD manufacturer's site and see if they came out with updated firmware. Other than that, a reboot is probably the quickest thing you can do to try to recover, and hopefully it will work for you. Again, you need to transmit a 50-gigabyte file in order to trigger this issue, which is not a very common occurrence.

And
for all the SAP users out here, well, it's time to verify that you have the most recent patches applied. On Friday, VX Underground did release an exploit that chained two recent vulnerabilities to essentially lead to a complete system compromise. Now, one of these vulnerabilities already had a CVSS score of 10. I believe this was just an arbitrary file upload vulnerability, but they chained it with a deserialization vulnerability, and then you can also use that in order to execute arbitrary code. The exploit has been around and has been used for a while. It's now public. Before that, it was only used in more targeted attacks. So definitely make sure your system is up to date and consider any unpatched, exposed system as compromised. And definitely double-check, triple-check, and do whatever else you can to make sure that there is not already an exploit running on those systems, or some backdoor. Because like I said, the exploit has been used for a while. It has just now been made public.

Well, that is it for today. So thanks for listening. And thanks for subscribing, for liking, for leaving good comments, and talk to you again tomorrow. Bye.
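As an added example, not part of the Stormcast transcript or the ISC diary it refers to: the Elasticsearch segment describes hits on the _cluster/settings endpoint arriving from only a couple of source IPs rather than from broad scanning. The script below tallies requests for that endpoint per source from web-server access logs, tests whether the activity is concentrated on a few sources, and lists any write to the endpoint that was answered with a 2xx, which on a host that should not expose Elasticsearch means the endpoint was reachable. The log lines are constructed, the IP addresses are documentation ranges, and the watched paths other than _cluster/settings are assumptions (other common Elasticsearch discovery endpoints), not from the diary.

```python
"""
Added example: per-source tally of requests for Elasticsearch's
_cluster/settings endpoint from (constructed) access-log lines.
Not code from the Stormcast, the ISC diary, or Elastic.
"""
import re
from collections import Counter

# Combined/common log format; fields we do not need are skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# _cluster/settings is the endpoint from the diary; the other prefixes are
# assumptions (further Elasticsearch discovery endpoints worth watching).
WATCHED_PREFIXES = ("/_cluster/settings", "/_cluster/health", "/_cat/", "/_nodes")

# Constructed sample log (documentation IP ranges, not real sources).
SAMPLE_LOG = """\
203.0.113.10 - - [18/Aug/2025:03:12:01 +0000] "GET /_cluster/settings HTTP/1.1" 401 0
203.0.113.10 - - [18/Aug/2025:03:12:02 +0000] "GET /_cluster/settings?include_defaults=true HTTP/1.1" 401 0
203.0.113.10 - - [18/Aug/2025:03:12:03 +0000] "GET /_cat/indices HTTP/1.1" 401 0
198.51.100.7 - - [18/Aug/2025:04:40:11 +0000] "GET /_cluster/settings HTTP/1.1" 200 812
198.51.100.7 - - [18/Aug/2025:04:40:12 +0000] "PUT /_cluster/settings HTTP/1.1" 200 55
192.0.2.44 - - [18/Aug/2025:05:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024
192.0.2.45 - - [18/Aug/2025:05:02:00 +0000] "GET /_cluster/health HTTP/1.1" 404 0
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def watched_hits(log_text):
    """All parsed records whose path starts with a watched Elasticsearch prefix."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(WATCHED_PREFIXES):
            hits.append(rec)
    return hits


def hits_per_source(log_text, path="/_cluster/settings"):
    """Counter of source IP -> number of requests for exactly `path`."""
    return Counter(r["ip"] for r in watched_hits(log_text) if r["path"] == path)


def is_concentrated(counter, top_n=2, share=0.8):
    """True when the top_n sources account for at least `share` of all hits,
    i.e. the activity looks targeted rather than Internet-wide scanning."""
    total = sum(counter.values())
    if total == 0:
        return False
    top = sum(c for _, c in counter.most_common(top_n))
    return top / total >= share


def successful_writes(log_text):
    """PUT/POST requests to _cluster/settings answered with 2xx: the endpoint
    was reachable and the request was accepted, which should never happen on
    an instance that is not meant to be exposed."""
    return [
        r for r in watched_hits(log_text)
        if r["path"] == "/_cluster/settings"
        and r["method"] in ("PUT", "POST")
        and 200 <= r["status"] < 300
    ]


if __name__ == "__main__":
    counts = hits_per_source(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip:15} {n} request(s) for /_cluster/settings")
    print("concentrated on a few sources:", is_concentrated(counts))
    for r in successful_writes(SAMPLE_LOG):
        print("accepted write from", r["ip"], "at", r["ts"])
```

Feed it a real log with `hits_per_source(open(path).read())`; `is_concentrated` with `top_n=1` answers whether a single source dominates, while the default `top_n=2` matches the "couple of IP addresses" pattern described in the diary. Any result from `successful_writes` on a host that was not supposed to serve Elasticsearch is worth treating as an incident rather than as scanning noise.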