
SANS Stormcast Friday, August 29th, 2025: Scans for ZIP Files; FreePBX 0-Day; Passwordstate Patch

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9592.mp3


Increasing Searches for ZIP Files
Attackers are scanning our honeypots more and more for .zip files. They are looking for backups of credential files and the like left behind by careless administrators and developers.
https://isc.sans.edu/diary/Increasing%20Searches%20for%20ZIP%20Files/32242
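The diary describes probes for stray archive files (backup.zip, env.zip and the like) and recommends auditing the document root and refusing to serve such extensions. The following added example, not code from the ISC or the podcast, flags archive-file requests in combined-format web logs (grouped by client and separating successful downloads from 404 probes) and lists archive files found under a document root; the log lines are constructed samples, and the extension list is an assumption that extends the diary's .zip/.gz/.tar mention.

```python
import re
from collections import Counter
from pathlib import Path

# Backup/archive extensions worth watching (assumed list; the diary names .zip, .gz, .tar).
ARCHIVE_EXTS = (".zip", ".tar", ".gz", ".tgz", ".rar", ".7z", ".bak", ".sql")

# Apache/nginx combined log: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def is_archive_path(path: str) -> bool:
    """True if the path (query string stripped, case-insensitive) ends in an archive extension."""
    return path.split("?", 1)[0].lower().endswith(ARCHIVE_EXTS)

def find_archive_probes(lines):
    """Return {client_ip: Counter(requested_path)} for requests aimed at archive file names."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_archive_path(m["path"]):
            hits.setdefault(m["ip"], Counter())[m["path"]] += 1
    return hits

def successful_downloads(lines):
    """(ip, path) pairs where an archive request got a 2xx: a file that was actually exposed."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_archive_path(m["path"]) and m["status"].startswith("2"):
            out.append((m["ip"], m["path"]))
    return out

def audit_docroot(root):
    """Relative paths of archive files under a document root; normally this should be empty."""
    root = Path(root)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and is_archive_path(p.name))

# Constructed sample log lines modelled on the honeypot probes described (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [29/Aug/2025:10:00:01 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Aug/2025:10:00:02 +0000] "GET /.env.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Aug/2025:10:00:03 +0000] "GET /www.tar.gz HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Aug/2025:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.7 - - [29/Aug/2025:10:00:05 +0000] "GET /backup.zip?x=1 HTTP/1.1" 200 88213 "-" "curl/8.0"
""".splitlines()

if __name__ == "__main__":
    for ip, paths in find_archive_probes(SAMPLE_LOG).items():
        print(ip, dict(paths))
    print("exposed:", successful_downloads(SAMPLE_LOG))
```

Run it against a real access log with `find_archive_probes(open(path))`; any entry from `successful_downloads` means the file exists and was served, which is the case to act on first.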

FreePBX Vulnerability
An unpatched vulnerability in FreePBX is currently being exploited. FreePBX offers mitigation advice and has also just released a “beta” patch.
https://community.freepbx.org/t/security-advisory-please-lock-down-your-administrator-access/107203

Passwordstate Vulnerability
Clickstudios patched an authentication bypass vulnerability in its password manager, Passwordstate. The vulnerability can be used to access the emergency password page.
https://www.clickstudios.com.au/passwordstate-changelog.aspx

Podcast Transcript

Hello and welcome to the Friday, August 29, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Baltimore, Maryland. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Incident Response.

One story that I covered today in a diary is an increase in scanning for zip files in our web application honeypots. What this means is that the attackers are assuming, and probably rightfully so, that administrators are leaving random zip files with backups for credential files and the like in their web application's document root. And they're trying to essentially brute force file names here in order to retrieve those files. File names like backup.zip or env.zip are sort of some of the common file names that we're seeing there. They're constantly adding new file names, probably as they find some of these file names also on websites they are compromising. This really sort of comes back down to basic hygiene, trying to keep your deployment rules under control, where you're not just rolling out code, creating files on a live system without the necessary constraints and restrictions. As a preventive measure, you may want to take a quick look at your web servers and check there are no zip files stored anywhere in the document root that aren't supposed to be there. If you don't have any zip files, which is probably true for a good number of websites, you should be able to also configure your web server to just not allow serving files with a .zip extension. I haven't looked at some of the other similar extensions like .gz, maybe .tar.gz and the like to see if they're also increasing, but I would assume they are. And even if they're not yet, well, they probably will be soon. So add those extensions to the list as well.

And FreePBX is warning that there is currently an actively exploited vulnerability in FreePBX that has not been fully patched at this point. The advice is to restrict access to the admin interface of FreePBX, probably a good idea anyway. The particular vulnerability appears to be in the endpoint module. If you don't have the endpoint module installed, you're not believed to be vulnerable at this particular point. And version 16 as well as 17 are affected. Versions before 16 are still being investigated according to FreePBX. So they may be vulnerable, but at this point it hasn't been confirmed. Earlier today, there was also an announcement that FreePBX released a preliminary patch for this particular vulnerability. But it states that this updated module was released for testing. It hasn't gone yet through the normal QA. So it's one of those, well, at-your-own-risk kind of patches that you may or may not want to risk deploying. The best option probably at this point is just use firewall rules, restrict access to the admin interface or anything within FreePBX as much as possible. And then apply, of course, the patch, the final patch, as soon as it is released. I'll link to the advisory by FreePBX, which also includes additional details about how to implement certain workarounds. We're also seeing some scans for FreePBX starting today for essentially sort of some basic URLs associated with FreePBX. I don't believe the URLs being requested here are specifically associated with the vulnerability. However, they may be related to attackers just either building target lists or doing some preliminary scans before they are sending the exploit to make sure they're not hitting a honeypot, but actually only vulnerable systems.

And Click Studios, the company behind the enterprise password management tool, Passwordstate, did advise its users to immediately update their installation of Passwordstate to fix a critical vulnerability that could lead to access to the emergency password page in your application. There's essentially an authentication bypass that allows an attacker with a sufficiently crafty URL to access this page. This new update also fixes a clickjacking vulnerability. I did talk about this, I think it was earlier this week or last week, that there were a number of password safe applications that were found to be vulnerable to clickjacking. So this is being addressed in this update as well.

Well, and this is it for today. Thanks for listening. Thanks for liking and thanks for subscribing to this podcast. Also, please leave good reviews in your favorite podcast platform, and talk to you again on Tuesday. Bye.