
SANS Stormcast Monday, November 24th, 2025: CSS Padding in Phishing; Oracle Identity Manager Scans Update;

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9712.mp3



Use of CSS stuffing as an obfuscation technique?
Phishing sites stuff their HTML with large amounts of benign, copy-pasted CSS. This is likely intended to throw off simple detection engines, either by exceeding their scan size limit or by diluting the malicious content with common, harmless code.
https://isc.sans.edu/diary/Use%20of%20CSS%20stuffing%20as%20an%20obfuscation%20technique%3F/32510
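As an added illustration (not code from the diary or the podcast), the script below shows why inline CSS padding defeats a scanner that only inspects the first N bytes of a page, and what a scanner that strips `<style>` blocks before applying its cap sees instead. The sample page is constructed here: a short Bootstrap-like rule repeated until the `<style>` block is roughly half a megabyte, followed by a credential form. The 256 KB scan cap, the indicator regex and the "inline style ratio" feature are assumptions for the example, not properties of any particular product.

```python
"""CSS stuffing: strip inline <style> blocks before applying a scan size cap."""
import re
from dataclasses import dataclass

# Indicator a simple engine might look for. On the stuffed page it sits past the cap.
PASSWORD_FIELD = re.compile(r"<input[^>]+type=['\"]?password", re.IGNORECASE)
STYLE_BLOCK = re.compile(r"<style\b[^>]*>.*?</style>", re.IGNORECASE | re.DOTALL)

SCAN_CAP = 256 * 1024  # hypothetical per-page limit of a naive scanner (chars)


def build_stuffed_page(target_style_len: int = 512 * 1024) -> str:
    """Constructed sample (not the diary's page): a benign Bootstrap-like rule is
    pasted inline until the <style> block is about target_style_len characters,
    and only then does the credential form appear."""
    rule = (".btn{display:inline-block;font-weight:400;text-align:center;"
            "vertical-align:middle;border:1px solid transparent;padding:.375rem .75rem}\n")
    padding = rule * (target_style_len // len(rule) + 1)
    return ("<html><head><style>" + padding + "</style></head><body>"
            "<form method='post' action='https://example.invalid/login'>"
            "<input type='text' name='user'><input type='password' name='pw'>"
            "</form></body></html>")


def naive_scan(html: str, cap: int = SCAN_CAP) -> bool:
    """Only the first `cap` characters are inspected, so the padding pushes the
    form past the limit and the stuffed page comes back clean."""
    return PASSWORD_FIELD.search(html[:cap]) is not None


@dataclass
class ScanResult:
    total_len: int
    style_len: int
    style_ratio: float   # share of the page that is inline CSS
    flagged: bool


def style_aware_scan(html: str, cap: int = SCAN_CAP) -> ScanResult:
    """Remove <style> blocks first, then apply the cap to what is left. The share
    of the page taken up by inline CSS is reported as a feature in its own right:
    legitimate sites link a stylesheet rather than pasting half a megabyte inline."""
    stripped = STYLE_BLOCK.sub("", html)
    style_len = len(html) - len(stripped)
    ratio = style_len / len(html) if html else 0.0
    flagged = PASSWORD_FIELD.search(stripped[:cap]) is not None
    return ScanResult(len(html), style_len, ratio, flagged)


if __name__ == "__main__":
    page = build_stuffed_page()
    print("naive scan flagged:", naive_scan(page))            # False
    result = style_aware_scan(page)
    print("style-aware scan flagged:", result.flagged,        # True
          "inline CSS ratio: %.3f" % result.style_ratio)
```

Running it shows the naive scan missing the password field while the style-aware scan both finds it and reports that well over 90% of the page is inline CSS, which is itself a cheap feature to score on.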


Critical Oracle Identity Manager Flaw Possibly Exploited as Zero-Day
Early exploit attempts for the vulnerability were part of Searchlight Cyber’s research effort
https://www.securityweek.com/critical-oracle-identity-manager-flaw-possibly-exploited-as-zero-day/

ClamAV Cleaning Signature Database
ClamAV will significantly clean up its signature database
https://blog.clamav.net/2025/11/clamav-signature-retirement-announcement.html

Podcast Transcript

 Hello and welcome to the Monday, November 24, 2025
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich, recording today from
 Jacksonville, Florida. And this episode is brought to you
 by the SANS.edu undergraduate certificate program in
 cybersecurity fundamentals. Jan came across an interesting
 new technique by which attackers are possibly attempting to
 better obfuscate their phishing pages. This started
 with a standard email phish, nothing really all too
 exciting here. Now one of the goals often of attackers is to
 make the email or the webpage look different to the user
 than it looks to an automated system. And that's how we
 sometimes have cascading style sheets being used to, for
 example, mark certain text as invisible. But then of course
 a simple detection engine may not necessarily notice this.
 Here the cascading style sheets are used a little bit
 differently. What Jan suggests is that in this case the
 attacker just added cascading style sheets to make the page
 larger, and with that, less likely to be detected as
 malicious. The reason behind this is twofold. First of all,
 some detection engines do have an upper limit as to how much
 text or so they're actually going to scan. So just by
 adding a lot of text, and here I think we're dealing with
 about half a megabyte, they may attempt to sort of exceed
 that boundary. The other thing is that the cascading style
 sheet being added to the HTML page here is actually, well,
 just a fairly common Bootstrap cascading style sheet. It's
 copy-pasted. It's not included as it's usually being done. So
 it's not necessarily something where an attacker just added
 it because they may need a feature. And apparently
 they're not actually using any features from this cascading
 style sheet. They're really just using it to pad the
 content. And by padding it with very common benign
 content, of course, they may also slip past some detection
 engines. And last week I talked about the critical
 vulnerability in Oracle Identity Manager where
 Searchlight Cyber had an article about this
 vulnerability and basically explained in detail how to
 exploit this vulnerability. I noted that we did actually see
 a couple exploit attempts against this vulnerability
 prior to the Oracle patch, but also prior to Searchlight
 Cyber releasing anything about this. Well, we now have an
 article here by Security Week from Edward Kovacs who did
 actually reach out to Searchlight Cyber, and they
 state that the IP addresses from which we detected these
 attacks prior to the release actually were part of
 Searchlight Cyber, where their research team essentially was
 scanning to figure out how many vulnerable systems there
 are likely. And then we have an update from the ClamAV
 project. ClamAV is the very popular open source anti
 -malware engine. Well, like many projects that have been
 around for a while, ClamAV has been out there for over 20
 years now, and they have a lot of signatures that
 accumulate over the years that are no longer really relevant.
 So in December, they're going to remove a
 lot of the older, no longer relevant signatures. The
 reason this sort of matters is that as a result, the
 signature files will be significantly shorter, like
 about a third or half of the original size, depending on
 how you're exactly downloading them. And if you have any kind
 of checks in your update scripts that make sure that
 the new version isn't significantly shorter than the
 old version, like to avoid partial downloads, for
 example, well, you may get some false positives from
 these scripts, these checks. So just in case you see this,
 that you know why this is happening. Well, and that's it
 for today. Just a quick note, we do have the Thanksgiving
 holiday coming up here in the US and there will only be
 three podcasts this week, Monday, Tuesday, Wednesday,
 this being the Monday podcast. I'm also trying to keep them a
 little bit shorter if possible. Hope that the news
 cycle sort of is cooperating here and we can keep it a
 little bit easier for everybody. Well, that's it.
 Thanks for listening. Thanks for subscribing. Thanks for
 leaving comments about this podcast and talk to you again
 tomorrow. Bye.