SANS Stormcast Tuesday, October 14th, 2025: ESAFENET Scans; Payroll Pirates; MSFT Edge IE Mode
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9654.mp3
My Next Class
Application Security: Securing Web Apps, APIs, and Microservices | Dallas | Dec 1st - Dec 6th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Orlando | Mar 29th - Apr 3rd 2026 |
Scans for ESAFENET CDG V5
We are seeing an increase in scans for ESAFENET CDG V5, a Chinese secure document management system.
https://isc.sans.edu/diary/Heads%20Up%3A%20Scans%20for%20ESAFENET%20CDG%20V5%20/32364
Investigating targeted “payroll pirate” attacks affecting US universities
Microsoft wrote about how payroll pirates redirect employee paychecks via phishing.
https://www.microsoft.com/en-us/security/blog/2025/10/09/investigating-targeted-payroll-pirate-attacks-affecting-us-universities/
Attacks against Edge via IE Mode
Microsoft Edge offers an Internet Explorer (IE) mode to support websites built for Internet Explorer. The legacy JavaScript engine that this mode exposes has been abused in recent attacks, so Microsoft is making IE Mode harder to enable for individual users in order to counter them; centrally managed enterprise configuration remains available.
https://microsoftedge.github.io/edgevr/posts/Changes-to-Internet-Explorer-Mode-in-Microsoft-Edge/
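The enterprise-side controls Microsoft refers to are the Enterprise Mode Site List and the Edge group policies that point at it. The following PowerShell is an added example (not code from the ISC diary or from Microsoft's post) showing how an administrator pins IE mode to an explicit allow list, so that only named legacy hosts ever load in the old engine and users cannot switch an arbitrary page into it. The hostname legacy-erp.corp.example, the intranet URL the site list is published at, and the local staging path are placeholders; the policy names are the documented Edge policies, but writing them straight into HKLM is only for a single-host test, not a substitute for GPO or Intune delivery.

```powershell
# Added example: restrict Microsoft Edge IE mode to an explicit allow list.
# Assumptions (placeholders): the legacy host, the intranet URL and the staging path below.
# In production the XML is published at the intranet URL and the registry values are
# delivered through GPO/Intune; this script writes them locally for a single test machine.

$SiteListStagingPath = 'C:\ProgramData\EdgeIEMode\sitelist.xml'
$SiteListUrl         = 'https://intranet.corp.example/edge/sitelist.xml'   # assumed location
$PolicyKey           = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Enterprise Mode Site List (schema v2). Only hosts listed with <open-in>IE11</open-in>
# are rendered by the legacy engine; every other site stays in Chromium-based Edge.
$SiteList = @"
<site-list version="1">
  <created-by>
    <tool>manual</tool>
    <version>1</version>
    <date-created>2025-10-14</date-created>
  </created-by>
  <site url="legacy-erp.corp.example">
    <compat-mode>Default</compat-mode>
    <open-in>IE11</open-in>
  </site>
</site-list>
"@

New-Item -Path (Split-Path $SiteListStagingPath) -ItemType Directory -Force | Out-Null
Set-Content -Path $SiteListStagingPath -Value $SiteList -Encoding UTF8

New-Item -Path $PolicyKey -Force | Out-Null

# InternetExplorerIntegrationLevel: 1 = IE mode available (0 disables it entirely).
# Set 0 on fleets that have no remaining legacy dependency.
Set-ItemProperty -Path $PolicyKey -Name 'InternetExplorerIntegrationLevel' -Type DWord -Value 1

# Point Edge at the allow list. Sites absent from it cannot be opened in IE mode,
# which is the property that blocks the "render our phishing page in the old engine" trick.
Set-ItemProperty -Path $PolicyKey -Name 'InternetExplorerIntegrationSiteList' -Type String -Value $SiteListUrl

# Remove the user-facing "Reload in Internet Explorer mode" option so a malicious page
# cannot talk a user into re-rendering it with the legacy JavaScript engine.
Set-ItemProperty -Path $PolicyKey -Name 'InternetExplorerIntegrationReloadInIEModeAllowed' -Type DWord -Value 0

# Report the effective values so the change can be verified on the test host.
Get-ItemProperty -Path $PolicyKey |
    Select-Object InternetExplorerIntegrationLevel,
                  InternetExplorerIntegrationSiteList,
                  InternetExplorerIntegrationReloadInIEModeAllowed
```

After a restart of Edge the configured list is visible under edge://compat/enterprise, which is the quickest check that the policy was picked up; an entry that does not appear there is not protecting anything.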
Podcast Transcript
Hello and welcome to the Tuesday, October 14th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Bachelor's Degree Program in Applied Cybersecurity.

Nothing too exciting in diaries today. I wrote up the scans that we have seen for ESAFENET CDG. That is a document security management system. It appears to mostly target the Chinese market. It's a Chinese maker of the software, and their website and such is pretty much Chinese only. So I assume that that's where they're focusing their marketing effort. There have been a number of different vulnerabilities, including a cross-site scripting issue that in particular sort of affects that system config endpoint that we do see probed. There have been prior vulnerabilities like SQL injection vulnerabilities. So it's a little bit difficult to tell what exactly they're trying to exploit here. In particular, for the requests that I've seen so far, we don't actually have the request body. Only some of our honeypots report that, and the ones that have been exposed to these scans happened to not have reported the request body. Other than that, as with any of these electronic document security management systems or secure document management systems, well, don't assume they're secure. I talked about this many times before and tried to limit the exposure of any documents stored in these systems.

I think that is a bank account number that is being used to deposit a paycheck of that employee. That tends to affect mostly larger companies that automate these processes via HR portals. Okay. And once again, it was a tight business.
So this addresses that a user has no control over what credentials to use for a particular website, because otherwise there always is a possibility that they will enter their credentials, whether it's first, second, third or fourth factor, into the wrong website. So that's definitely something that you should focus on with these types of attacks. This is also something that, of course, you can solve with business rules, where it's not just simply a couple of clicks in an HR portal to change the account number for a payroll deposit. This should be something that's important enough where, maybe at the very least, some kind of phone call follow-on or something like this is needed in order to make the change effective.

And then, ahead of tomorrow's Patch Tuesday, comes the announcement from Microsoft to make it more difficult in Microsoft Edge to enable the Internet Explorer compatibility mode. Internet Explorer compatibility mode was introduced when Microsoft essentially got rid of Internet Explorer and basically used Edge, which is Chromium based, as their only browser in the operating system, in order to support legacy sites that only work with Internet Explorer. The problem with the Internet Explorer compatibility mode is that it does expose the old Internet Explorer JavaScript engine, and of course that engine, well, hasn't really gotten any more secure over the years, in particular from an architecture point of view. So as a result, they're seeing it being abused by websites to launch attacks against users. So what they did now is they made it essentially more difficult to invoke Internet Explorer mode. There is no more simple button in the toolbar and such; instead, you have to go into settings and then specifically enable Internet Explorer compatibility mode on a site-by-site basis. Enterprise users still have all the tools they are used to in order to sort of centrally manage the Internet Explorer mode, but in particular for individual users it will essentially be more difficult, and probably also it at this point is less and less necessary to actually have Internet Explorer mode. I don't use Edge myself, and I don't think I ever sort of missed it at this point, but it's often sort of these internal enterprise applications or such that are very difficult to upgrade and that may still require that mode.

Well, that's it for today. Thanks for listening. Thanks for liking. Thanks for subscribing. And as always, talk to you again tomorrow. Bye.