SANS Stormcast Friday, December 5th, 2025: Compromised Govt System; React Vuln Update; Array Networks VPN Attacks

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9726.mp3

Nation-State Attack or Compromised Government? [Guest Diary]
An IP address associated with the Indonesian Government attacked one of our interns' honeypots.
https://isc.sans.edu/diary/Nation-State%20Attack%20or%20Compromised%20Government%3F%20%5BGuest%20Diary%5D/32536

React Update
Working exploits for the React vulnerability patched yesterday are not widely available.

Array Networks Array AG Vulnerability
A recently patched vulnerability in Array Networks’ Array AG VPN gateways is actively exploited.
https://www.jpcert.or.jp/at/2025/at250024.html

Podcast Transcript

Hello and welcome to the Friday, December 5th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Dallas, Texas. And this episode is brought to you by the SANS.edu graduate certificate program in cloud security.

In diaries today we do have one of our undergraduate interns again, Jackie Nguyen, talking about one of the attack observations that she retrieved from her honeypot. In this particular case, well, we have an SSH scan. So the initial entry vector here was a weak username and password. What made this a little bit interesting is that the request appeared to come from an Indonesian government system. Then, of course, the question is always, can you somehow imply intent if such an address is used? Well, Jackie here looked closer at the particular sample. It was fairly standard, sort of a standard SSH worm that we have so many of. So her conclusion here was that this was not actually any kind of government-organized or attributable event, but instead likely just another compromised system that just happened to be inside this particular government's network. Of course, packets themselves usually don't speak to intent. We would have to observe more of what the particular attacker actually did afterwards, but in this case, it didn't really look like it was anything special. In the past, some government actors, for example, have used similar techniques to attack home routers and the like, in order to then build more sophisticated attack networks.

Well, now just a quick update on the React vulnerability. There are now working proof-of-concept exploits out there that have been verified and that can easily be adjusted in order to launch arbitrary code on vulnerable systems. So at this point, if you find a vulnerable system, assume compromise. We don't see widespread exploitation yet in our honeypots. However, it's not that hard to sort of, you know, first scan for vulnerable systems, or possibly vulnerable systems, and then just hit those specific systems. So again, assume compromise. For any guidance on how to figure out if your particular system is vulnerable or not, the first stop should be the React blog post. There are a number of people that have published scanning scripts, either host-based or network-based. As usual, be careful what software you're downloading and what you're running, and do download these scripts only from what you consider a reputable source. Also, various standard vulnerability scanners have included modules to look for this particular vulnerability.

And in the past, I've spoken quite frequently about vulnerabilities in VPN gateways. Well, we have yet another one. But here, for a change, it's not sort of one of these big-name brands we have been talking about so often. The Japanese CERT in this particular case is warning about ongoing active exploitation of a recently patched vulnerability in the Array Networks Array AG series VPN gateway. I'm personally not familiar with this particular gateway, and the main reason I cover it here is that it's not just the big-name brands that you always see in the news that have these vulnerabilities. It's the smaller players as well. In this particular case, it appears to be some kind of PHP vulnerability. And as so often, the attacker uses that then to upload a web shell to the gateway. So definitely make sure that you're patched. And if your VPN gateway wasn't in the news recently, it's still a good idea to double-check that you are up to date.

Well, and that's it for today. Thanks for listening. Thanks for subscribing. And thanks for liking this podcast. And as always, special thanks if you're leaving a good comment on your favorite podcast platform, and talk to you again on Monday. Bye.