SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

Katz Stealer in JPG Xavier found some multistage malware that uses an Excel Spreadsheet and an HTA file to load an image that includes embeded a copy of Katz stealer. https://isc.sans.edu/diary/More+Steganography/32044 https://unit42.paloaltonetworks.com/malicious-javascript-using-jsfiretruck-as-obfuscation/ JavaScript obfuscated with JSF*CK is being used on over 200,000 websites to direct victims to malware Expired Discord Invite Links Used for Malware Distribution Expired discord invite links are revived as vanity links to direct victims to malware sites https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery/

Automated Tools to Assist with DShield Honeypot Investigations https://isc.sans.edu/diary/Automated%20Tools%20to%20Assist%20with%20DShield%20Honeypot%20Investigations%20%5BGuest%20Diary%5D/32038 EchoLeak: Zero-Click Microsoft 365 Copilot Data Leak Microsoft fixed a vulnerability in Copilot that could have been abused to exfiltrate data from Copilot users. Copilot mishandled instructions an attacker included in documents inspected by Copilot and executed them. https://www.aim.security/lp/aim-labs-echoleak-blogpost Thunderbolt Vulnerability Thunderbolt users may be tricked into downloading arbitrary files if an email includes a mailbox:/// URL. https://www.mozilla.org/en-US/security/advisories/mfsa2025-49/

Quasar RAT Delivered Through Bat Files Xavier is walking you through a quick reverse analysis of a script that will injection code extracted from a PNG image to implement a Quasar RAT. https://isc.sans.edu/diary/Quasar%20RAT%20Delivered%20Through%20Bat%20Files/32036 Delayed Windows 11 24H2 Rollout Microsoft slightly throttled the rollout of windows 11 24H2 due to issues stemming from the patch Tuesday fixes. https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#3570 An In-Depth Analysis of CVE-2025-33073 Patch Tuesday fixed an already exploited SMB client vulnerability. A blog by Synacktiv explains the nature of the issue and how to exploit it. https://www.synacktiv.com/en/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025 Connectwise Rotating Signing Certificates Connectwise is rotating signing certificates after a recent compromise, and will release a new version of its Screen share software soon to harden its configuration. https://www.connectwise.com/company/trust/advisories KDE Telnet URL Vulnerablity The Konsole delivered as part of KDE may be abused to execute arbitrary code via telnet URLs. https://kde.org/info/security/advisory-20250609-1.txt

Microsoft Patch Tuesday Microsoft today released patches for 67 vulnerabilities. 10 of these vulnerabilities are rated critical. One vulnerability has already been exploited and another vulnerability has been publicly disclosed before today. https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20June%202025/32032 Adobe Vulnerabilities Adobe released patches for 7 different applications. Two significant ones are Adobe Commerce and Adobe Acrobat Reader. All vulnerabilities patched for Adobe Commerce can only be exploited by an authenticated user. The Adobe Acrobat Reader vulnerabilities are exploited by a user opening a crafted PDF, and the exploit may execute arbitrary code. https://helpx.adobe.com/security/Home.html

OctoSQL & Vulnerability Data OctoSQL is a neat tool to query files in different formats using SQL. This can, for example, be used to query the JSON vulnerability files from CISA or NVD and create interesting joins between different files. https://isc.sans.edu/diary/OctoSQL+Vulnerability+Data/32026 Mirai vs. Wazuh The Mirai botnet has now been observed exploiting a vulnerability in the open-source EDR tool Wazuh. https://www.akamai.com/blog/security-research/botnets-flaw-mirai-spreads-through-wazuh-vulnerability DNS4EU The European Union created its own public recursive resolver to offer a public resolver compliant with European privacy laws. This resolver is currently operated by ENISA, but the intent is to have a commercial entity operate and support it by a commercial entity. https://www.joindns4.eu/ WordPress FAIR Package Manager Recent legal issues around different WordPress-related entities have made it more difficult to maintain diverse sources of WordPress plugins. With WordPress plugins usually being responsible for many of the security issues, the Linux Foundation has come forward to support the FAIR Package Manager, a tool intended to simplify the management of WordPress packages. https://github.com/fairpm

Extracting With pngdump.py Didier extended his pngdump.py script to make it easier to extract additional data appended to the end of the image file. https://isc.sans.edu/diary/Extracting%20With%20pngdump.py/32022 16 React Native Packages for GlueStack Backdoored Overnight 16 npm packages with over a million weekly downloads between them were compromised. The compromised packages include a remote admin tool that was seen before in similar attacks. https://www.aikido.dev/blog/supply-chain-attack-on-react-native-aria-ecosystem Atomic MacOS Stealer Exploits Clickfix MacOS users are now also targeted by fake captchas, tricking users into running exploit code. https://www.cloudsek.com/blog/amos-variant-distributed-via-clickfix-in-spectrum-themed-dynamic-delivery-campaign-by-russian-speaking-hackers Microsoft INETPUB Script Microsoft published a simple PowerShell script to restore the inetpub folder in case you removed it by mistake. https://www.powershellgallery.com/packages/Set-InetpubFolderAcl/1.0

Be Careful With Fake Zoom Client Downloads Miscreants are tricking victims into downloading fake Zoom clients (and likely other meeting software) by first sending them fake meeting invites that direct victims to a page that offers malware for download as an update to the Zoom client. https://isc.sans.edu/diary/Be%20Careful%20With%20Fake%20Zoom%20Client%20Downloads/32014 Python tarfile Vulnerability Recently, the Python tarfile module introduced a filter option to help mitigate some of the insecure behavior common to software unpacking archives. This filter is, however, not working quite as well as it should. https://mail.python.org/archives/list/security-announce@python.org/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/ Hewlett Packard Enterprise Insight Remote Support processAttachmentDataStream Directory Traversal Remote Code Execution Vulnerability HP fixed, among other vulnerabilities, a critical remote code execution vulnerability in Insight Remote Support (IRS) https://www.zerodayinitiative.com/advisories/ZDI-25-325/

Phishing e-mail that hides malicious links from Outlook users Jan found a phishing email that hides the malicious link from Outlook users. The email uses specific HTML comment clauses Outlook interprets to render or not render specific parts of the email s HTML code. Jan suggests that the phishing email is intented to not expose users of https://isc.sans.edu/diary/Phishing%20e-mail%20that%20hides%20malicious%20link%20from%20Outlook%20users/32010 Amazon changing default logging from blocking to non-blocking Amazon will change the default logging mode from blocking to non-blocking. Non-blocking logging will not stop the application if logging fails, but may result in a loss of logs. https://aws.amazon.com/blogs/containers/preventing-log-loss-with-non-blocking-mode-in-the-awslogs-container-log-driver/ Cisco Removes Backdoor Cisco fixed a Cisco Identity Services Engine on Cloud Platforms Static Credential Vulnerability. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-aws-static-cred-FPMjUcm7 Infoblox Vulnerability Details disclosed Details regarding several vulnerabilities recently patched in Infoblox s NetMRI have been made public. In particular an unauthenticated remote code execution issue should be considered critical. https://rhinosecuritylabs.com/research/infoblox-multiple-cves/

vBulletin Exploits CVE-2025-48827, CVE-2025-48828 We do see exploit attempts for the vBulletin flaw disclosed about a week ago. The flaw is only exploitable if vBulltin is run on PHP 8.1, and was patched over a year ago. However, vBulltin never disclosed the type of vulnerability that was patched. https://isc.sans.edu/diary/vBulletin%20Exploits%20%28CVE-2025-48827%2C%20CVE-2025-48828%29/32006 Google Chrome 0-Day Patched Google released a security update for Google Chrome patching three flaws. One of these is already being exploited. https://chromereleases.googleblog.com/ Roundcube Update Roundcube patched a vulnerability that allows any authenticated user to execute arbitrary code. https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10 HP Vulnerabilities in StoreOnce HP patched multiple vulnerabilities in StoreOnce. These issues could lead to remote code execution https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04847en_us&docLocale=en_US

Simple SSH Backdoor Xavier came across a simple SSH backdoor taking advantage of the ssh client preinstalled on recent Windows systems. The backdoor is implemented via an SSH configuration file that instructs the SSH client to connect to a remote system and forward a shell on a random port. This will make the shell accessible to anybody able to connect to the C2 host. https://isc.sans.edu/diary/Simple%20SSH%20Backdoor/32000 Google Chrome to Distrust CAs Google Chrome will remove the Chunghwa Telecom and Netlock certificate authorities from its list of trusted CAs. Any certificates issued after July 31st will not be trusted. Certificates issued before the deadline will be trusted until they expire. https://security.googleblog.com/2025/05/sustaining-digital-certificate-security-chrome-root-store-changes.html Microsoft Emergency Update to Fix Crashes Caused by May Patch Microsoft released an emergency update for a bug caused by one of the patches released in May. Due to the bug, systems may not restart after the patch is applied. This affects, first of all, virtual systems running in Azure and HyperV but apparently has also affected some physical systems. https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-23h2#kb5058405-might-fail-to-install-with-recovery-error-0xc0000098-in-acpi-sys Qualcomm Adreno Graphics Processing Unit Patch (Exploited!) Qualcomm released an update for the driver for its Adreno GPU. The patched vulnerability is already being exploited against Android devices. https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html