
SANS Stormcast Thursday, August 21st, 2025: Airtel Scans; Apple Patch; Microsoft Copilot Audit Log Issue; Password Manager Clickjacking

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9580.mp3


Airtel Router Scans and Mislabeled Usernames
A quick summary of some odd usernames that show up in our honeypot logs
https://isc.sans.edu/diary/Airtel%20Router%20Scans%2C%20and%20Mislabeled%20usernames/32216

Apple Patches 0-Day CVE-2025-43300
Apple released an update for iOS, iPadOS and macOS today patching a single, already exploited, vulnerability in ImageIO.
https://support.apple.com/en-us/124925

Microsoft Copilot Audit Logs
A user retrieving data via Copilot leaves no audit record showing that the user accessed the data in a specific file.
https://pistachioapp.com/blog/copilot-broke-your-audit-log

Password Managers Susceptible to Clickjacking
Many password managers are susceptible to clickjacking, and only a few have fixed the problem so far
https://marektoth.com/blog/dom-based-extension-clickjacking/

Podcast Transcript

Hello and welcome to the Thursday, August 21st, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Baltimore, Maryland. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Industrial Control System Security.

In diaries today, I wrote a little bit about some of the odd usernames and passwords that we often see in our SSH and Telnet data that don't necessarily link to a direct attack, but maybe some of you have ideas what's behind that. The username that prompted this was Airtel@123. A quick Google shows that, well, this does link to a company called Airtel that distributes a router. However, this password is not the SSH and Telnet password. Way too complex for that. That's actually just admin/admin for this particular router. But this password is used for the Wi-Fi network by default. So that's kind of odd, why they're using that. I don't know. Maybe some users just get lazy and when they have to change the admin password, they're just changing it to the WPA passphrase. That could be a motivation behind it. Also, another username-password combo that I thought was kind of interesting: not root/admin, but instead they replaced the first letter with the dollar symbol. So $oot and then $dmin. Again, if anybody has any idea why this may happen, whether by accident or intentionally, please let me know.

Apple today fixed a single vulnerability in iOS, iPadOS and macOS, going back to versions for macOS. The reason for this quick patch for one individual vulnerability is that this vulnerability in ImageIO is already being exploited. It's a memory corruption vulnerability leading with that to arbitrary code execution. So definitely a patch that you do want to apply quickly, even though at this point, of course, it has only been cited against, well, very targeted attack victims.

And then we got an interesting issue with Microsoft Copilot that was nicely documented by Zach Korman. And with that also a little bit of controversy about how Microsoft dealt with this particular problem. The core issue here is audit logs. You expect your audit logs to record if a particular user is accessing some specific information. Well, this is not the case if that information came from Copilot. Copilot indexes basically various files on your system. So basically Copilot accesses those files. A user can now ask questions about these files. And essentially the Copilot system is returning very specific answers about the content of these files. But there is no access log that will actually record that a particular user did retrieve that data. And that's sort of a little bit the problem of this issue, and the controversy around it is that Microsoft didn't necessarily acknowledge this as a bug properly. But just from the technical point of view here, this is certainly something to be aware of. This has been some ongoing issue where really access control is sort of getting destroyed by AI agents. Any data that the AI agent is being trained on is accessible to users that have access to the AI agent. And as a result, well, any sort of more fine-grained access control that you may have had on a per-user basis on the original data is kind of lost. And with that, of course, also the user's-perspective audit capabilities.

And Marek Toth, who presented about this topic at DEF CON, did update a blog post about clickjacking vulnerabilities in password managers. The problem with clickjacking password managers arises from password managers essentially inserting themselves into web pages. And in doing so, they're susceptible to many of the attacks that web applications and HTML and the DOM are susceptible to, including clickjacking. And it turns out that clickjacking is, well, quite widespread among the different password managers. Marek tested a number of different password managers, pretty much all the well-known ones. Sadly, many of them have not been fixed at this point. NordPass, Proton Pass, RoboForm, Dashlane, Keeper, those are the ones that are fixed. Bitwarden, 1Password, iCloud Passwords, Enpass, LastPass, LogMeOnce are not yet fixed and are vulnerable to some extent. Now, for some of them, for example, 1Password, credit card numbers are not affected, but passwords are. And that's probably almost more important than credit card numbers. So watch out for updates from various password managers and, well, apply them because, as so often with clickjacking, the exploit is actually pretty straightforward.

Well, and that's it for today. So thanks again for listening. Thanks for subscribing, liking, commenting, and recommending this podcast, and talk to you again tomorrow. Bye.