Best The Plex Files Podcasts (2025)

1
SANS Stormcast Friday, September 19th, 2025: Honeypot File Analysis (@sans_edu); SonicWall Breach; DeepSeek Bias; Chrome 0-day 7:14

Play Pause

1h ago7:14

7:14

Exploring Uploads in a Dshield Honeypot Environment This guest diary by one of our SANS.edu undergraduate interns shows how to analyze files uploaded to Cowrie https://isc.sans.edu/diary/Exploring%20Uploads%20in%20a%20Dshield%20Honeypot%20Environment%20%5BGuest%20Diary%5D/32296 Sonicwall Breach SonicWall MySonicWall accounts were breached via crede…

1
SANS Stormcast Thursday, September 18th, 2025: DLL Hooking; Entra ID Actor Tokens; Watchguard and NVidia Patches 6:31

10h ago6:31

6:31

CTRL-Z DLL Hooking Attackers may use a simple reload trick to overwrite breakpoints left by analysts to reverse malicious binaries. https://isc.sans.edu/diary/CTRL-Z%20DLL%20Hooking/32294 Global Admin in every Entra ID tenant via Actor tokens As part of September s patch Tuesday, Microsoft patched CVE-2025-55241. The discoverer of the vulnerability…

1
SANS Stormcast Wednesday, September 17th, 2025: Phishing Resistants; More npm Attacks; ChatGPT MCP abuse 8:47

1h ago8:47

8:47

Why You Need Phishing-Resistant Authentication NOW. The recent compromise of a number of high-profile npmjs.com accounts has yet again shown how dangerous a simple phishing email can be. https://isc.sans.edu/diary/Why%20You%20Need%20Phishing%20Resistant%20Authentication%20NOW./32290 S1ngularity/nx Attackers Strike Again A second wave of attacks has…

1
SANS Stormcast Tuesday, September 16th, 2025: Apple Updates; Rust Phishing; Samsung 0-day 6:42

1h ago6:42

6:42

Apple Updates Apple released major updates for all of its operating systems. In addition to new features, these updates patch 33 different vulnerabilities. https://isc.sans.edu/diary/Apple%20Updates%20Everything%20-%20iOS%20macOS%2026%20Edition/32286 Microsoft End of Life October 14th, support for Windows 10, Exchange 2016, and Exchange 2019 will e…

1
SANS Stormcast Monday, September 15th, 2025: More Archives; Salesforce Attacks; White Cobra; BSides Augusta 6:06

18h ago6:06

6:06

Web Searches For Archives Didier observed additional file types being searched for as attackers continue to focus on archive files as they spider web pages https://isc.sans.edu/diary/Web%20Searches%20For%20Archives/32282 FBI Flash Alert: Salesforce Attacks The FBI is alerting users of Salesforce of two different threat actors targeting Salesforce. …

1
SANS Stormcast Friday, September 12th, 2025: DShield SIEM Update; Another Sonicwall Warning; Website Keystroke Logging 6:38

9d ago6:38

6:38

DShield SIEM Docker Updates Guy updated the DShield SIEM which graphically summarizes what is happening inside your honeypot. https://isc.sans.edu/diary/DShield%20SIEM%20Docker%20Updates/32276 Again: Sonicwall SSL VPN Compromises The Australian Government s Signals Directorate noted an increase in compromised Sonicwall devices. https://www.cyber.go…

1
SANS Stormcast Thursday, September 11th, 2025: BASE64 in DNS; Google Chrome, Ivantii and Sophos Patches; Apple Memory Integrity Feature 7:12

16h ago7:12

7:12

BASE64 Over DNS The base64 character set exceeds what is allowable in DNS. However, some implementations will work even with these invalid characters. https://isc.sans.edu/diary/BASE64%20Over%20DNS/32274 Google Chrome Update Google released an update for Google Chrome, addressing two vulnerabilities. One of the vulnerabilities is rated critical and…

1
SANS Stormcast Wednesday, September 10th, 2025: Microsoft Patch Tuesday; 8:25

31m ago8:25

8:25

Microsoft Patch Tuesday As part of its September patch Tuesday, Microsoft addressed 177 different vulnerabilities, 86 of which affect Microsoft products. None of the vulnerabilities has been exploited before today. Two of the vulnerabilities were already made public. Microsoft rates 13 of the vulnerabilities are critical. https://isc.sans.edu/diary…

1
SANS Stormcast Tuesday, September 9th, 2025: Major npm compromise; HTTP Request Signature 8:44

4h ago8:44

8:44

Major npm compromise A number of high-profile npm libraries were compromised after developers fell for a phishing email. This compromise affected libraries with a total of hundreds of millions of downloads a week. https://bsky.app/profile/bad-at-computer.bsky.social/post/3lydioq5swk2y https://github.com/orgs/community/discussions/172738 https://git…

1
SANS Stormcast Monday, September 8th, 2025: YARA to Debugger Offsets; SVG JavaScript Phishing; FreePBX Patches; 5:34

1d ago5:34

5:34

From YARA Offsets to Virtual Addresses Xavier explains how to convert offsets reported by YARA into offsets suitable for the use with debuggers. https://isc.sans.edu/diary/From%20YARA%20Offsets%20to%20Virtual%20Addresses/32262 Phishing via JavaScript in SVG Files Virustotal uncovered a Colombian phishing campaign that takes advantage of JavaScript …

1
SANS Stormcast Friday, September 5th, 2025: Cloudflare Response to 1.1.1.1 Certificate; AI Modem Namespace Reuse; macOS Vulnerability Allowed Keychain Decryption 8:18

11d ago8:18

8:18

Unauthorized Issuance of Certificate for 1.1.1.1 Cloudflare published a blog post with more details regarding the bad 1.1.1.1 certificate that was issued by Fina. https://blog.cloudflare.com/unauthorized-issuance-of-certificates-for-1-1-1-1/ AI Model Namespace Reuse Deleted accounts on Huggingface can be taken over by other entities unrelated to th…

1
SANS Stormcast Thursday, September 4th, 2025: Dassault DELMIA Apriso Exploit Attempts; Android Updates; 1.1.1.1 Certificate Issued 6:22

16d ago6:22

6:22

Exploit Attempts for Dassault DELMIA Apriso. CVE-2025-5086 Our honeypots detected attacks against the manufacturing management system DELMIA Apriso. The deserialization vulnerability was patched in June and is one of a few critical vulnerabilities patched in recent months. https://isc.sans.edu/diary/Exploit%20Attempts%20for%20Dassault%20DELMIA%20Ap…

1
SANS Stormcast Wednesday, September 3rd, 2025: Sextortiion Analysis; Covert Channel DNS/ICMP; Azure AD Secret Theft; Official FreePBX Patches 5:29

6d ago5:29

5:29

A Quick Look at Sextortion at Scale Jan analyzed 1900 different sextortion messages using 205 different Bitcoin addresses to look at the success rate, lifetime, and other metrics defining these campaigns. https://isc.sans.edu/diary/A%20quick%20look%20at%20sextortion%20at%20scale%3A%201%2C900%20messages%20and%20205%20Bitcoin%20addresses%20spanning%2…

1
SANS Stormcast Tuesday, September 2nd, 2025: pdf-parser Patch; Salesloft Compromise; Velociraptor Abuse; NeuVector Default Password 5:39

18d ago5:39

5:39

pdf-parser: All Streams Didier released a new version of pdf-parser.py. This version fixes a problem with dumping all filtered streams. https://isc.sans.edu/diary/pdf-parser%3A%20All%20Streams/32248 Salesloft Drift Putting OAuth Tokens at Risk OAuth tokens used by Salesloft Drift users to provide access to integrations with Salesforce, Google Works…

1
SANS Stormcast Friday, August 29th, 2025: Scans for ZIP Files; FreePBX 0-Day; Passwordstate Patch 5:45

18d ago5:45

5:45

Increasing Searches for ZIP Files Attackers are scanning our honeypots more and more for .zip files. They are looking for backups of credential files and the like left behind by careless administrators and developers. https://isc.sans.edu/diary/Increasing%20Searches%20for%20ZIP%20Files/32242 FreePBX Vulnerability An upatched vulnerability in FreePB…

1
SANS Stormcast Thursday, August 28th, 2025: Launching Shellcode; NX Compromise; Volt Typhoon Report 6:39

19d ago6:39

6:39

Interesting Technique to Launch a Shellcode Xavier came across malware that PowerShell and the CallWindowProcA() API to launch code. https://isc.sans.edu/diary/Interesting%20Technique%20to%20Launch%20a%20Shellcode/32238 NX Compromised to Steal Wallets and Credentials The popular open source NX build package was compromised. Code was added that uses…

1
SANS Stormcast Wednesday, August 27th, 2025: Analyzing IDNs; Netscaler 0-Day Vuln; Git Vuln Exploited; 5:43

13d ago5:43

5:43

Getting a Better Handle on International Domain Names and Punycode International Domain names can be used for phishing and other attacks. One way to identify suspect names is to look for mixed script use. https://isc.sans.edu/diary/Getting%20a%20Better%20Handle%20on%20International%20Domain%20Names%20and%20Punycode/32234 Citrix Netscaler Vulnerabil…

1
SANS Stormcast Tuesday, August 26th, 2025: Decoding Word Reading Location; Image Downscaling AI Vulnerability; IBM Jazz Team Server Vuln 5:01

26d ago5:01

5:01

Reading Location Position Value in Microsoft Word Documents Jessy investigated how Word documents store the last visited document location in the registry. https://isc.sans.edu/diary/Reading%20Location%20Position%20Value%20in%20Microsoft%20Word%20Documents/32224 Weaponizing image scaling against production AI systems AI systems often downscale imag…

1
SANS Stormcast Monday, August 25th, 2025: IP Cleanup; Linux Desktop Attacks; Malicious Go SSH Brute Forcer; Onmicrosoft Domain Restrictions 6:04

25d ago6:04

6:04

The end of an era: Properly formatted IP addresses in all of our data. When initiall designing DShield, addresses were zero padded , an unfortunate choice. As of this week, datafeeds should no longer be zero padded . https://isc.sans.edu/diary/The%20end%20of%20an%20era%3A%20Properly%20formated%20IP%20addresses%20in%20all%20of%20our%20data./32228 .d…

1
SANS Stormcast Friday, August 22nd, 2025: The -n switch; Commvault Exploit; Docker Desktop Escape Vuln; 6:52

26d ago6:52

6:52

Don't Forget The "-n" Command Line Switch Disabling reverse DNS lookups for IP addresses is important not just for performance, but also for opsec. Xavier is explaining some of the risks. https://isc.sans.edu/diary/Don%27t%20Forget%20The%20%22-n%22%20Command%20Line%20Switch/32220 watchTowr releases details about recent Commvault flaws Users of the …

1
SANS Stormcast Thursday, August 21st, 2025: Airtel Scans; Apple Patch; Microsoft Copilot Audit Log Issue; Password Manager Clickjacking 6:52

19d ago6:52

6:52

Airtel Router Scans and Mislabeled Usernames A quick summary of some odd usernames that show up in our honeypot logs https://isc.sans.edu/diary/Airtel%20Router%20Scans%2C%20and%20Mislabeled%20usernames/32216 Apple Patches 0-Day CVE-2025-43300 Apple released an update for iOS, iPadOS and MacOS today patching a single, already exploited, vulnerabilit…

1
SANS Stormcast Wednesday, August 20th, 2025: Increased Elasticsearch Scans; MSFT Patch Issues 6:07

20d ago6:07

6:07

Increased Elasticsearch Recognizance Scans Our honeypots noted an increase in reconnaissance scans for Elasticsearch. In particular, the endpoint /_cluster/settings is hit hard. https://isc.sans.edu/diary/Increased%20Elasticsearch%20Recognizance%20Scans/32212 Microsoft Patch Tuesday Issues Microsoft noted some issues deploying the most recent patch…

1
SANS Stormcast Tuesday, August 19th, 2025: MFA Bombing; Cisco Firewall Management Vuln; F5 Access for Android Vuln; 5:10

1M ago5:10

5:10

Keeping an Eye on MFA Bombing Attacks Attackers will attempt to use authentication fatigue by bombing users with MFA authentication requests. Rob is talking in this diary about how to investigate these attacks in a Microsoft ecosystem. https://isc.sans.edu/diary/Keeping+an+Eye+on+MFABombing+Attacks/32208 Critical Cisco Secure Firewall Management Ce…

1
SANS Stormcast Monday, August 18th, 2025: 5G Attack Framework; Plex Vulnerability; Fortiweb Exploit; Flowise Vuln 5:43

1M ago5:43

5:43

SNI5GECT: Sniffing and Injecting 5G Traffic Without Rogue Base Stations Researchers from the Singapore University of Technology and Design released a new framework, SNI5GECT, to passively sniff and inject traffic into 5G data streams, leading to DoS, downgrade and other attacks. https://isc.sans.edu/diary/SNI5GECT%3A%20Sniffing%20and%20Injecting%20…

1
SANS Stormcast Friday, August 15th, 2025: Analysing Attack with AI; Proxyware via YouTube; Xerox FreeFlow Vuln; Evaluating Zero Trust @SANS_edu 15:12

26d ago15:12

15:12

AI and Faster Attack Analysis A few use cases for LLMs to speed up analysis https://isc.sans.edu/diary/AI%20and%20Faster%20Attack%20Analysis%20%5BGuest%20Diary%5D/32198 Proxyware Malware Being Distributed on YouTube Video Download Site Popular YouTube download sites will attempt to infect users with proxyware. https://asec.ahnlab.com/en/89574/ Xero…

1
SANS Stormcast Thursday, August 14th, 2025: Equation Editor; Kerberos Patch; XZ-Utils Backdoor; ForitSIEM/FortiWeb patches 7:16

26d ago7:16

7:16

CVE-2017-11882 Will Never Die The (very) old equation editor vulnerability is still being exploited, as this recent sample analyzed by Xavier shows. The payload of the Excel file attempts to download and execute an infostealer to exfiltrate passwords via email. https://isc.sans.edu/diary/CVE-2017-11882%20Will%20Never%20Die/32196 Windows Kerberos El…

1
SANS Stormcast Wednesday, August 13th, 2025: Microsoft Patch Tuesday; libarchive vulnerability upgrade; Adobe Patches 8:55

27d ago8:55

8:55

Microsoft Patch Tuesday https://isc.sans.edu/diary/Microsoft%20August%202025%20Patch%20Tuesday/32192 https://cymulate.com/blog/zero-click-one-ntlm-microsoft-security-patch-bypass-cve-2025-50154/ libarchive Vulnerability A libarchive vulnerability patched in June was upgraded from a low CVSS score to a critical one. Libarchive is used by compression…

1
SANS Stormcast Tuesday, August 12th, 2025: Erlang OTP SSH Exploits (Palo Alto Networks); Winrar Exploits; Netscaler Exploits; OpenSSH Pushing PQ Crypto; 6:52

1M ago6:52

6:52

Erlang OTP SSH Exploits A recently patched and easily exploited vulnerability in Erlang/OTP SSH is being exploited. Palo Alto collected some of the details about this exploit activity that they observed. https://unit42.paloaltonetworks.com/erlang-otp-cve-2025-32433/ WinRAR Exploited WinRAR vulnerabilities are actively being exploited by a number of…

1
SANS Stormcast Monday, August 11th, 2025: Fake Tesla Preorders; Bad USB Cameras; Win-DoS Epidemic 7:07

29d ago7:07

7:07

Google Paid Ads for Fake Tesla Websites Someone is setting up fake Tesla lookalike websites that attempt to collect credit card data from unsuspecting users trying to preorder Tesla products. https://isc.sans.edu/diary/Google%20Paid%20Ads%20for%20Fake%20Tesla%20Websites/32186 Compromising USB Devices for Persistent Stealthy Access USB devices, like…

1
SANS Stormcast Friday, August 8th, 2025:: ASN43350 Mass Scans; HTTP1.1 Must Die; Hyprid Exchange Vuln; Sonicwall Update; SANS.edu Research: OSS Security and Shifting Left 23:59

1M ago23:59

23:59

Mass Internet Scanning from ASN 43350 Our undergraduate intern Duncan Woosley wrote up aggressive scans from ASN 43350 https://isc.sans.edu/diary/Mass+Internet+Scanning+from+ASN+43350+Guest+Diary/32180/#comments HTTP/1.1 Desync Attacks Portswigger released details about new types of HTTP/1.1 desync attacks it uncovered. These attacks are particular…

151
SANS Stormcast Thursday, August 7th, 2025: Sextortion Update; Adobe and Trend Micro release emergency patches 5:06

1M ago5:06

5:06

Do Sextortion Scams Still Work in 2025? Jan looked at recent sextortion emails to check if any of the crypto addresses in these emails received deposits. Sadly, some did, so these scams still work. https://isc.sans.edu/diary/Do%20sextortion%20scams%20still%20work%20in%202025%3F/32178 Akira Ransomware Group s use of Drivers Guidepoint Security obser…

1
SANS Stormcast Wednesday, August 6th, 2025: Machinekeys and VIEWSTATEs; Perplexity Unethical Learning; SonicWall Updates 7:41

1M ago7:41

7:41

Stealing Machinekeys for fun and profit (or riding the SharePoint wave) Bojan explains in detail how .NET uses Machine Keys to protect the VIEWSTATE, and how to abuse the VIEWSTATE for code execution if the Machine Keys are lost. https://isc.sans.edu/diary/Stealing%20Machine%20Keys%20for%20fun%20and%20profit%20%28or%20riding%20the%20SharePoint%20wa…

1
SANS Stormcast Tuesday, August 05, 2025: Daily Trends Report; NVidia Triton RCE; Cursor AI Misconfiguration 6:48

1M ago6:48

6:48

Daily Trends Report A new trends report will bring you daily data highlights via e-mail. https://isc.sans.edu/diary/New%20Feature%3A%20Daily%20Trends%20Report/32170 NVidia Triton RCE Wiz found an interesting information leakage vulnerability in NVidia s Triton servers that can be leveraged to remote code execution. https://www.wiz.io/blog/nvidia-tr…

1
SANS Stormcast Monday, August 4th, 2025: Legacy Protocols; Sonicwall SSL VPN Possible 0-Day; 5:17

1M ago5:17

5:17

Scans for pop3user with guessable password A particular IP assigned to a network that calls itself Unmanaged has been scanning telnet/ssh for a user called pop3user with passwords pop3user or 123456 . I assume they are looking for legacy systems that either currently run pop3 or ran pop3 in the past, and left the user enabled. https://isc.sans.edu/…

1
SANS Stormcast Friday, August 1st, 2025: Scattered Spider Domains; Excel Blocking Dangerous Links; CISA Releasing Thorium Platform 5:41

2M ago5:41

5:41

Scattered Spider Related Domain Names A quick demo of our domain feeds and how they can be used to find Scattered Spider related domains https://isc.sans.edu/diary/Scattered+Spider+Related+Domain+Names/32162 Excel External Workbook Links to Blocked File Types Will Be Disabled by Default Excel will discontinue allowing links to dangerous file types …

1
SANS Stormcast Thursday July 31st, 2025: Firebase Security; WebKit Vuln Exploited; Scattered Spider Update 6:40

1M ago6:40

6:40

Securing Firebase: Lessons Re-Learned from the Tea Breach Inspried by the breach of the Tea app, Brendon Evans recorded a video to inform of Firebase security issues https://isc.sans.edu/diary/Securing%20Firebase%3A%20Lessons%20Re-Learned%20from%20the%20Tea%20Breach/32158 WebKit Vulnerability Exploited before Apple Patch A WebKit vulnerablity patch…

1
SANS Stormcast Wednesday July 30th, 2025: Apple Updates; Python Triage; Papercut Vuln Exploited 6:44

1M ago6:44

6:44

Apple Updates Everything: July 2025 Edition Apple released updates for all of its operating systems patching 89 different vulnerabilities. Many vulnerabilities apply to multiple operating systems. https://isc.sans.edu/diary/Apple%20Updates%20Everything%3A%20July%202025/32154 Python Triage A quick python script by Xavier to efficiently search throug…

1
SANS Stormcast Tuesday, July 29th, 2025:Parasitic Exploits; Cisco ISE Exploit; MyASUS Vuln 5:35

2M ago5:35

5:35

Parasitic SharePoint Exploits We are seeing attacks against SharePoint itself and attempts to exploit backdoors left behind by attackers. https://isc.sans.edu/diary/Parasitic%20Sharepoint%20Exploits/32148 Cisco ISE Vulnerability Exploited A recently patched vulnerability in Cisco ISE is now being exploited. The Zero Day Initiative has released a bl…

1
SANS Stormcast Monday, July 28th, 2025: Linux Namespaces; UI Automation Abuse; Autoswagger 5:39

2M ago5:39

5:39

Linux Namespaces Linux namespaces can be used to control networking features on a process-by-process basis. This is useful when trying to present a different network environment to a process being analysed. https://isc.sans.edu/diary/Sinkholing%20Suspicious%20Scripts%20or%20Executables%20on%20Linux/32144 Coyote in the Wild: First-Ever Malware That …

1
SANS Stormcast Friday, July 25th, 2025: ficheck.py; Mital and SonicWall Patches 5:20

2M ago5:20

5:20

New File Integrity Tool: ficheck.py Jim created a new tool, ficheck.py, that can be used to verify file integrity. It is a drop-in replacement for an older tool, fcheck, which was written in Perl and no longer functions well on modern Linux distributions. https://isc.sans.edu/diary/New%20Tool%3A%20ficheck.py/32136 Mitel Vulnerability Mitel released…

1
SANS Stormcast Thursday, July 24th, 2025: Reversing SharePoint Exploit; NPM “is” Compromise; 6:53

2M ago6:53

6:53

Reversing SharePoint Toolshell Exploits CVE-2025-53770 and CVE-2025-53771 A quick walk-through showing how to decode the payload of recent SharePoint exploits https://isc.sans.edu/diary/Analyzing%20Sharepoint%20Exploits%20%28CVE-2025-53770%2C%20CVE-2025-53771%29/32138 Compromised JavaScript NPM is Package The popular npm package is was compromised …

1
SANS Stormcast Wednesday, July 23rd, 2025: Sharepoint 2016 Patch; MotW Privacy and WinZip; Interlock Ransomware; Sophos Patches 6:17

2M ago6:17

6:17

Microsoft Updates SharePoint Vulnerability Guidance CVE-2025-53770 and CVE-2025-53771 Microsoft released its update for SharePoint 2016, completing the updates across all currently supported versions. https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/ WinZip MotW Privacy Starting with version 7.10…

1
SANS Stormcast Tuesday, July 22nd, 2025: SharePoint Emergency Patches; How Long Does Patching Take; HPE Wifi Vuln; Zoho WorkDrive Abused 6:00

2M ago6:00

6:00

Microsoft Released Patches for SharePoint Vulnerability CVE-2025-53770 CVE-2025-53771 Microsoft released a patch for the currently exploited SharePoint vulnerability. It also added a second CVE number identifying the authentication bypass vulnerability. https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-…

1
SANS Stormcast Monday July 21st, 2025: Sharepoint Exploited; Veeam Fake Voicemail Phish; Passkey Phishing Attack 8:05

2M ago8:05

8:05

SharePoint Servers Exploited via 0-day CVE-2025-53770 Late last week, CodeWhite found a new remote code execution exploit against SharePoint. This vulnerability is now actively exploited. https://isc.sans.edu/diary/Critical+Sharepoint+0Day+Vulnerablity+Exploited+CVE202553770+ToolShell/32122/ Veeam Voicemail Phishing Attackers appear to impersonate …

1
SANS Stormcast Friday, July 18th, 2025: Extended File Attributes; Critical Cisco ISE Patch; VMWare Patches; Quarterly Oracle Patches 4:55

2M ago4:55

4:55

Hiding Payloads in Linux Extended File Attributes Xavier today looked at ways to hide payloads on Linux, similar to how alternate data streams are used on Windows. Turns out that extended file attributes do the trick, and he presents some scripts to either hide data or find hidden data. https://isc.sans.edu/diary/Hiding%20Payloads%20in%20Linux%20Ex…

1
SANS Stormcast Thursday, July 17th, 2025: catbox.moe abuse; Sonicwall Attacks; Rendering Issues 5:09

2M ago5:09

5:09

More Free File Sharing Services Abuse The free file-sharing service catbox.moe is abused by malware. While it officially claims not to allow hosting of executables, it only checks extensions and is easily abused https://isc.sans.edu/diary/More%20Free%20File%20Sharing%20Services%20Abuse/32112 Ongoing SonicWall Secure Mobile Access (SMA) Exploitation…

1
SANS Stormcast Wednesday, July 16th, 2025: ADS Keystroke Logger; Fake Homebrew; Broadcom Altiris RCE; Malicious Cursor AI Extensions 5:45

2M ago5:45

5:45

Keylogger Data Stored in an ADS Xavier came across a keystroke logger that stores data in alternate data streams. The data includes keystroke logs as well as clipboard data https://isc.sans.edu/diary/Keylogger%20Data%20Stored%20in%20an%20ADS/32108 Malvertising Homebrew An attacker has been attempting to trick users into installing a malicious versi…

1
SANS Stormcast Monday, July 14th, 2025: Web Honeypot Log Volume; Browser Extension Malware; RDP Forensics 6:10

2M ago6:10

6:10

DShield Honeypot Log Volume Increase Within the last few months, there has been a dramatic increase in honeypot log volumes and how often these high volumes are seen. This has not just been from Jesse s residential honeypot, which has historically seen higher log volumes, but from all of the honeypots that Jesse runs. https://isc.sans.edu/diary/DSh…

1
SANS Stormcast Monday, July 14th, 2025: Suspect Domain Feed; Wing FTP Exploited; FortiWeb Exploited; NVIDIA GPU Rowhammer 6:53

2M ago6:53

6:53

Experimental Suspicious Domain Feed Our new experimental suspicious domain feed uses various criteria to identify domains that may be used for phishing or other malicious purposes. https://isc.sans.edu/diary/Experimental%20Suspicious%20Domain%20Feed/32102 Wing FTP Server RCE Vulnerability Exploited CVE-2025-47812 Huntress saw active exploitation of…

1
SANS Stormcast Friday, July 11th, 2025: SSH Tunnel; FortiWeb SQL Injection; Ruckus Unpatched Vuln; Missing Motherboard Patches; 5:48

2M ago5:48

5:48

SSH Tunneling in Action: direct-tcp requests Attackers are compromising ssh servers to abuse them as relays. The attacker will configure port forwarding direct-tcp connections to forward traffic to a victim. In this particular case, the Yandex mail server was the primary victim of these attacks. https://isc.sans.edu/diary/SSH%20Tunneling%20in%20Act…