SANS Stormcast Friday, November 7th, 2025: PowerShell Log Correlation; RondoDox Dissected; Google Chrome and Cisco Patches
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9690.mp3
My Next Class
| Course | Location | Dates |
|---|---|---|
| Application Security: Securing Web Apps, APIs, and Microservices | Dallas | Dec 1st - Dec 6th 2025 |
| Network Monitoring and Threat Detection In-Depth | Online (Central European Time) | Dec 15th - Dec 20th 2025 |
Binary Breadcrumbs: Correlating Malware Samples with Honeypot Logs Using PowerShell [Guest Diary]
Windows, with PowerShell, has a great scripting platform to match common Linux/Unix command line utilities.
https://isc.sans.edu/diary/Binary%20Breadcrumbs%3A%20Correlating%20Malware%20Samples%20with%20Honeypot%20Logs%20Using%20PowerShell%20%5BGuest%20Diary%5D/32454
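The diary above is about doing on Windows what jq, grep, sort and uniq do on Linux when you pivot from captured malware samples to the honeypot sessions that dropped them. The script below is an added example written for this page; it is not code from the diary, from the ISC, or from the podcast. The honeypot event schema (eventid, src_ip, session, url, shasum), the sample directory, the placeholder hashes and every log line are constructed assumptions; in a real run the hash table comes from Get-SampleHashes over the directory where the honeypot stores captured files, and the log lines from Get-Content on the JSON-lines log.

```powershell
# Added example (not from the ISC diary or the podcast): PowerShell counterpart of a
# jq/grep/sort/uniq pipeline over honeypot JSON-lines logs. Field names and all data
# below are constructed assumptions, not a real honeypot's schema or real captures.

function Get-SampleHashes {
    param([Parameter(Mandatory)][string]$SampleDir)
    # Build SHA-256 -> path for every captured sample, lower-case hex so the key
    # compares cleanly no matter which case the log writer used.
    $table = @{}
    foreach ($f in Get-ChildItem -Path $SampleDir -File) {
        $h = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash.ToLower()
        $table[$h] = $f.FullName
    }
    return $table
}

function Get-DownloadEvents {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Equivalent of: jq -c 'select(.eventid == "session.file_download")' log.json
    # A malformed line is reported and skipped rather than aborting the whole run.
    foreach ($line in $Lines) {
        if (-not $line.Trim()) { continue }
        try { $ev = $line | ConvertFrom-Json }
        catch { Write-Warning "Skipping unparseable line: $line"; continue }
        if ($ev.eventid -eq 'session.file_download') { $ev }
    }
}

function Join-SamplesToSessions {
    param([Parameter(Mandatory)][object[]]$Events, [Parameter(Mandatory)][hashtable]$Hashes)
    # Attach the on-disk sample (if any) to each download event by hash.
    foreach ($e in $Events) {
        $key = ([string]$e.shasum).ToLower()
        if ($Hashes.ContainsKey($key)) { $sample = $Hashes[$key] }
        else { $sample = '(no matching sample on disk)' }
        [pscustomobject]@{
            Time    = $e.timestamp
            Source  = $e.src_ip
            Session = $e.session
            Url     = $e.url
            Sha256  = $key
            Sample  = $sample
        }
    }
}

# --- constructed demo data (replace with Get-SampleHashes and Get-Content in practice) ---
$shaA = 'a1' * 32   # placeholder 64-hex "SHA-256" of constructed sample A
$shaB = 'b2' * 32   # placeholder for constructed sample B
$knownSamples = @{ $shaA = 'C:\honeypot\samples\bot.sh'; $shaB = 'C:\honeypot\samples\x86' }

$logLines = @"
{"timestamp":"2025-11-06T10:14:02Z","src_ip":"203.0.113.10","session":"s1","eventid":"session.connect"}
{"timestamp":"2025-11-06T10:14:05Z","src_ip":"203.0.113.10","session":"s1","eventid":"session.file_download","url":"http://198.51.100.5/bot.sh","shasum":"$shaA"}
{"timestamp":"2025-11-06T11:02:41Z","src_ip":"203.0.113.22","session":"s2","eventid":"session.file_download","url":"http://198.51.100.5/x86","shasum":"$($shaB.ToUpper())"}
{"timestamp":"2025-11-06T11:30:00Z","src_ip":"203.0.113.22","session":"s3","eventid":"session.file_download","url":"http://198.51.100.9/unk","shasum":"$('c3' * 32)"}
this line is not JSON and must not crash the run
"@ -split "`r?`n"

$events = Get-DownloadEvents -Lines $logLines
$report = Join-SamplesToSessions -Events $events -Hashes $knownSamples
$report | Format-Table -AutoSize

# sort | uniq -c equivalent: which sources dropped the most files
$report | Group-Object Source | Sort-Object Count -Descending |
    Select-Object @{ n = 'Source'; e = { $_.Name } }, Count | Format-Table -AutoSize
```

Two details matter in practice: hashes are normalised to lower case on both sides so an upper-case hash in the log (the s2 event) still joins, and a download whose hash matches nothing on disk (the s3 event) is kept in the report rather than dropped, because a sample the honeypot failed to retain is itself worth knowing about.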
RondoDox v2 Increases Exploits
The RondoDox (or RondoWorm) added a substantial amount of new exploits to its repertoire.
https://beelzebub.ai/blog/rondo-dox-v2/
Google Chrome Updates
Google released an update for Google Chrome addressing five vulnerabilities.
https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop.html
Cisco Unified Contact Center Express Remote Code Execution Vulnerabilities
Cisco patched two critical vulnerabilities in its Contact Center Express software. These vulnerabilities may lead to a full system compromise.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cc-unauth-rce-QeN8h7mQ
| Course | Location | Dates |
|---|---|---|
| Application Security: Securing Web Apps, APIs, and Microservices | Dallas | Dec 1st - Dec 6th 2025 |
| Network Monitoring and Threat Detection In-Depth | Online (Central European Time) | Dec 15th - Dec 20th 2025 |
| Application Security: Securing Web Apps, APIs, and Microservices | Orlando | Mar 29th - Apr 3rd 2026 |
| Network Monitoring and Threat Detection In-Depth | Amsterdam | Apr 20th - Apr 25th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | San Diego | May 11th - May 16th 2026 |
| Network Monitoring and Threat Detection In-Depth | Online (Arabian Standard Time) | Jun 20th - Jun 25th 2026 |
| Network Monitoring and Threat Detection In-Depth | Riyadh | Jun 20th - Jun 25th 2026 |
Podcast Transcript
Hello and welcome to the Friday, November 7th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Undergraduate Certificate Program in Applied Cybersecurity.

Today's diary comes from one of our undergrad interns, David Hammond. David wrote about something that I always like to talk about and sort of emphasize in this internship, and that's scripting. I always think there are two kinds of security professionals: those that know how to script and those that will be replaced by a script. But what I often find is that students who are more exposed to the Windows world, not so much to the Unix world, often aren't exposed to scripting the same way Unix users are often more sort of naturally exposed to it. However, we do, of course, have some great scripting tools on Windows. They're just a little bit more hidden behind that GUI. And one of those tools is PowerShell. So what David is looking at here is how you do, on Windows, the things that you commonly do on Linux with command line tools like jq and such to parse, for example, JSON files. So great if you are more of a Windows user and are looking for an in to some of these scripting tools. I often also think that on the Windows side, there aren't a lot of great tutorials for some of this common scripting, as you often find it much easier on the Linux/Unix side.

And earlier this week, I talked about a botnet that we observed that did exploit a relatively new XWiki vulnerability. Well, one of the odd things here was the email address that was left as part of a user agent and such. Well, it turns out this was what's also known as RondoBot or RondoDox. I mean, I have a great write-up here from Mario Candela. Mario runs his own honeypot called Beelzebub. I think that's how you would pronounce it. And this honeypot captured samples, including the second stage that I didn't discuss in my blog. And yes, this particular bot just recently increased the number of exploits they're using in order to attack systems. That's why it became more verbose, and with that also triggered more alerts in our honeypot networks, which then led to the diary. So great work here by Mario, and the great sort of additional analysis that was missing from my earlier blog post this week.

And we got an update for Google Chrome that you probably want to make sure you update before the weekend. It fixes five different vulnerabilities. None of them are exploited yet. Three of the vulnerabilities are rated high. One that I'm particularly concerned about here is affecting WebGPU. That's sort of one of those lower level components. So having some remote code execution here may certainly pose a problem for Google Chrome, maybe in particular then, of course, with some kind of sandbox escape to actually break out of the Google Chrome sandbox. Again, nothing being exploited yet. But the reason I think you should patch this relatively quickly is just because similar vulnerabilities have been exploited in the past. So there are probably some templates around that attackers can use to develop exploits relatively quickly.

And talking about patches that you probably should take care of before the weekend, the more tricky one here affects the Cisco Unified Contact Center Express, also known as Unified CCX. There are two vulnerabilities being addressed in this update. The first one is an unauthenticated arbitrary file upload vulnerability. But as so often, that file upload vulnerability then quickly escalates to full remote code execution. The second one allows the remote invocation of Java functions, also without authentication. As Cisco points out in the advisory, these are two independent vulnerabilities. So it's not that you first use the authentication bypass vulnerability to then upload a file, or vice versa. These are completely independent. So each one of these vulnerabilities can lead to a complete system compromise, including gaining root access on an infected device. So definitely update now, particularly because of the exploit for this. But I haven't seen one yet. It's probably already out there, because this should be relatively straightforward to exploit now.

Well, and before I give you anything else to patch on Friday, I better stop. Thanks for listening. Thanks for subscribing, liking this show. And as always, talk to you again on Monday. Bye.