
SANS Stormcast Tuesday, October 14th, 2025: ESAFENET Scans; Payroll Pirates; MSFT Edge IE Mode

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9654.mp3

ESAFENET Scans; Payroll Pirates; MSFT Edge IE Mode

Scans for ESAFENET CDG V5
We are seeing an increase in scans for ESAFENET CDG, a Chinese secure document management system.
https://isc.sans.edu/diary/Heads%20Up%3A%20Scans%20for%20ESAFENET%20CDG%20V5%20/32364


Investigating targeted “payroll pirate” attacks affecting US universities
Microsoft wrote about how payroll pirates redirect employee paychecks via phishing.
https://www.microsoft.com/en-us/security/blog/2025/10/09/investigating-targeted-payroll-pirate-attacks-affecting-us-universities/
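
The business rule the episode recommends for this kind of attack, changing the account a paycheck is deposited to should not be a couple of clicks in an HR portal but should be held until someone other than the requester confirms it out of band, can be modelled in code. The following is an added example written for this page; it is not code from the Microsoft post, the ISC diary or any HR product. The class and function names, the 48-hour hold window and the employee, routing, account and phone values are all constructed for the illustration.

```python
"""Hold-and-verify rule for payroll direct-deposit changes (added example).

Any change to the deposit account is parked as "pending_verification" and
only takes effect after a callback to the phone number HR already holds,
confirmed by a verifier who is not the requester. Unconfirmed requests
expire. All names and sample values here are constructed for this example.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import itertools


@dataclass
class DepositProfile:
    employee_id: str
    routing_number: str
    account_number: str
    phone_on_file: str  # callback goes to the number already on file, never one supplied in the request


@dataclass
class ChangeRequest:
    request_id: int
    employee_id: str
    new_routing: str
    new_account: str
    requested_at: datetime
    status: str = "pending_verification"
    verified_by: str | None = None
    callback_number: str | None = None
    notes: list[str] = field(default_factory=list)


class PayrollChangeGuard:
    HOLD_WINDOW = timedelta(hours=48)  # assumed policy value: unconfirmed requests expire after this

    def __init__(self, profiles: list[DepositProfile]):
        self.profiles = {p.employee_id: p for p in profiles}
        self.requests: dict[int, ChangeRequest] = {}
        self._ids = itertools.count(1)

    def submit(self, employee_id: str, new_routing: str, new_account: str, now: datetime) -> ChangeRequest:
        """Record a change request from the HR portal; nothing is applied yet."""
        current = self.profiles[employee_id]
        req = ChangeRequest(next(self._ids), employee_id, new_routing, new_account, now)
        if (new_routing, new_account) == (current.routing_number, current.account_number):
            req.status = "no_change"
        else:
            req.callback_number = current.phone_on_file
            req.notes.append("deposit account change held pending callback to number on file")
        self.requests[req.request_id] = req
        return req

    def expire_stale(self, now: datetime) -> list[int]:
        """Expire pending requests older than the hold window so a fraudulent one cannot linger."""
        expired = []
        for req in self.requests.values():
            if req.status == "pending_verification" and now - req.requested_at > self.HOLD_WINDOW:
                req.status = "expired"
                expired.append(req.request_id)
        return expired

    def confirm_by_callback(self, request_id: int, verifier: str, now: datetime) -> str:
        """Approve only after an out-of-band callback; the requester cannot verify their own change."""
        req = self.requests[request_id]
        if req.status != "pending_verification":
            return req.status
        if now - req.requested_at > self.HOLD_WINDOW:
            req.status = "expired"
            return req.status
        if verifier == req.employee_id:
            req.notes.append(f"rejected: {verifier} may not verify their own change")
            return req.status
        req.status = "approved"
        req.verified_by = verifier
        return req.status

    def apply(self, request_id: int) -> bool:
        """Write the new account to the profile; refused unless the request was approved."""
        req = self.requests[request_id]
        if req.status != "approved":
            return False
        profile = self.profiles[req.employee_id]
        profile.routing_number = req.new_routing
        profile.account_number = req.new_account
        req.status = "applied"
        return True


def demo():
    """Walk one constructed request through submit, self-verify attempt, callback, apply."""
    t0 = datetime(2025, 10, 14, 9, 0, tzinfo=timezone.utc)
    guard = PayrollChangeGuard([DepositProfile("E1001", "011000015", "123456789", "+1-555-0100")])
    req = guard.submit("E1001", "021000021", "999999999", t0)
    applied_early = guard.apply(req.request_id)  # False: submitting alone changes nothing
    self_verify = guard.confirm_by_callback(req.request_id, "E1001", t0 + timedelta(hours=1))
    status = guard.confirm_by_callback(req.request_id, "hr-verifier-07", t0 + timedelta(hours=2))
    applied = guard.apply(req.request_id)
    return applied_early, self_verify, status, applied, guard.profiles["E1001"].account_number


def demo_expired():
    """A request nobody confirms within the hold window expires instead of taking effect."""
    t0 = datetime(2025, 10, 14, 9, 0, tzinfo=timezone.utc)
    guard = PayrollChangeGuard([DepositProfile("E1002", "011000015", "555555555", "+1-555-0101")])
    req = guard.submit("E1002", "021000021", "888888888", t0)
    return guard.expire_stale(t0 + timedelta(hours=72)), req.status


if __name__ == "__main__":
    print(demo())
    print(demo_expired())
```

The design point is that the portal login, however many factors protected it, is not what authorizes the money movement: the account change is a separate, held transaction that needs a second person and a channel the attacker does not control.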

Attacks against Edge via IE Mode
Microsoft Edge offers an IE legacy mode to support websites created for Internet Explorer. The old JavaScript engine, which is part of this mode, has been abused in recent attacks, and Microsoft will make it more difficult to enable IE Mode to counter these attacks.
https://microsoftedge.github.io/edgevr/posts/Changes-to-Internet-Explorer-Mode-in-Microsoft-Edge/

Podcast Transcript

Hello and welcome to the Tuesday, October 14th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Bachelor's Degree Program in Applied Cybersecurity.

Nothing too exciting in diaries today. I wrote up the scans that we have seen for ESAFENET CDG. That is a document security management system. It appears to mostly target the Chinese market. It's a Chinese maker of the software, and their website and such is pretty much Chinese only, so I assume that that's where they're focusing their marketing effort. There have been a number of different vulnerabilities, including a cross-site scripting issue that in particular affects that system config endpoint that we do see probed. There have been prior vulnerabilities like SQL injection vulnerabilities. So it's a little bit difficult to tell what exactly they're trying to exploit here. In particular, for the requests that I've seen so far, we don't actually have the request body. Only some of our honeypots report that, and the ones that have been exposed to these scans happened to not have reported the request body. Other than that, as with any of these electronic document security management systems or secure document management systems, well, don't assume they're secure. I talked about this many times before: try to limit the exposure of any documents stored in these systems.
I think that is a bank account number that is being used to deposit a paycheck of that employee. That tends to affect mostly larger companies that automate these processes via HR portals. Okay.

And once again, it was a tight business, so this address of a user has no control over what credentials to use for a particular website, because otherwise there always is a possibility that they will enter their credentials, whether it's first, second, third or fourth factor, into the wrong website. So that's definitely something that you should focus on with these types of attacks. This is also something that, of course, you can solve with business rules, where it's not just simply a couple of clicks in an HR portal to change the account number for a payroll deposit. This should be something that's important enough where maybe, at the very least, some kind of phone call follow-on or something like this is needed in order to make the change effective.

And then, ahead of tomorrow's Patch Tuesday, comes the announcement from Microsoft to make it more difficult in Microsoft Edge to enable the Internet Explorer compatibility mode. Internet Explorer compatibility mode was introduced when Microsoft essentially got rid of Internet Explorer and basically used Edge, which is Chromium based, as their only browser in the operating system, in order to support legacy sites that only work with Internet Explorer. The problem with the Internet Explorer compatibility mode is that it does expose the old Internet Explorer JavaScript engine, and of course that engine, well, hasn't really gotten any more secure over the years, in particular from an architecture point of view. So as a result, they're seeing it being abused by websites to launch attacks against users. So what they did now is they made it essentially more difficult to invoke Internet Explorer mode. There is no more simple button in the toolbar and such; instead you have to go into settings and then specifically enable Internet Explorer compatibility mode on a site-by-site basis. Enterprise users still have all the tools they are used to in order to sort of centrally manage the Internet Explorer mode, but in particular for individual users it will essentially be more difficult. And probably also, at this point, it is less and less necessary to actually have Internet Explorer mode. I don't use Edge myself, and I don't think I ever sort of missed it at this point, but it's often sort of these internal enterprise applications or such that are very difficult to upgrade and that may still require that mode.

Well, that's it for today. Thanks for listening. Thanks for liking. Thanks for subscribing. And as always, talk to you again tomorrow. Bye.