
SANS Stormcast Monday June 30th, 2025: Scattered Spider; AMI BIOS Exploited; Secure Boot Certs Expiring; Microsoft Resiliency Initiative

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9510.mp3


Scattered Spider Update
The threat actor known as Scattered Spider is in the news again, this time targeting airlines. The technique Scattered Spider relies on, social engineering, remains one of the most effective and dangerous techniques in use by threat actors of all kinds.
https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations?e=48754805

AMI BIOS Vulnerability Exploited CVE-2024-54085
An authentication bypass (CVE-2024-54085) in the Redfish remote management interface of AMI's MegaRAC BMC firmware is now being exploited in the wild.
https://go.ami.com/hubfs/Security%20Advisories/2025/AMI-SA-2025003.pdf
https://eclypsium.com/blog/ami-megarac-vulnerabilities-bmc-part-3/
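Because BMC firmware is rarely tracked by regular patch management, the first step is an inventory: which servers run a BMC at which firmware release. The following PowerShell script is an added example, not code from the podcast, AMI or Eclypsium. It reads each BMC's firmware version through the standard DMTF Redfish API (the `/redfish/v1/Managers` collection and the `FirmwareVersion` property of each manager), which is exactly the interface affected here, and compares it against a fixed version you supply. `$FixedVersion` is a placeholder: take the fixed MegaRAC SPx release for your hardware from the AMI advisory (AMI-SA-2025003) and your OEM's bulletin, since firmware version strings are vendor-specific. The hostnames, credentials and version in the usage line are constructed placeholders.

```powershell
# Added example (not from the podcast, AMI or Eclypsium): inventory BMC firmware
# versions over Redfish so the CVE-2024-54085 patch status of each server can be
# tracked. Requires PowerShell 7+ (-SkipCertificateCheck, -Authentication) and a
# read-only BMC account; run it from the out-of-band management network only.
function Get-BmcFirmwareStatus {
    param(
        [Parameter(Mandatory)] [string[]]     $BmcHost,        # BMC addresses or names
        [Parameter(Mandatory)] [pscredential] $Credential,     # read-only BMC account
        [Parameter(Mandatory)] [version]      $FixedVersion,   # placeholder: from AMI-SA-2025003 / OEM bulletin
        [switch] $SkipCertificateCheck                         # BMCs commonly use self-signed TLS certs
    )

    foreach ($h in $BmcHost) {
        $common = @{
            Credential           = $Credential
            Authentication       = 'Basic'          # Redfish requires HTTP Basic or session auth
            SkipCertificateCheck = $SkipCertificateCheck
            TimeoutSec           = 10
            ErrorAction          = 'Stop'
        }
        try {
            # The Managers collection lists the BMC(s) of this server; each member is a
            # Manager resource that carries Model and FirmwareVersion.
            $managers = Invoke-RestMethod -Uri "https://$h/redfish/v1/Managers" @common
            foreach ($member in $managers.Members) {
                $mgr = Invoke-RestMethod -Uri "https://$h$($member.'@odata.id')" @common
                $fw  = [string]$mgr.FirmwareVersion

                # Firmware strings are vendor-specific ("12.4.0", "1.10.0-build7", ...).
                # Keep digits and dots and try to parse; report Unknown if that fails
                # rather than guessing, so an odd string is never silently marked patched.
                $parsed = $null
                $isNumeric = [version]::TryParse(($fw -replace '[^\d.]', ''), [ref]$parsed)
                $status = if (-not $isNumeric) { 'Unknown (manual check)' }
                          elseif ($parsed -ge $FixedVersion) { 'At or above fixed version' }
                          else { 'Below fixed version - update required' }

                [pscustomobject]@{
                    Host            = $h
                    Manager         = $mgr.Id
                    Model           = $mgr.Model
                    FirmwareVersion = $fw
                    Status          = $status
                }
            }
        }
        catch {
            # Unreachable or unauthenticated BMCs still need to show up in the report.
            [pscustomobject]@{
                Host            = $h
                Manager         = $null
                Model           = $null
                FirmwareVersion = $null
                Status          = "Unreachable: $($_.Exception.Message)"
            }
        }
    }
}

# Usage (placeholder hosts and version; replace with your BMC list and the fixed
# release from the advisory):
# Get-BmcFirmwareStatus -BmcHost '10.10.0.21','10.10.0.22' -Credential (Get-Credential) `
#     -FixedVersion '0.0.0' -SkipCertificateCheck | Format-Table -AutoSize
```

A BMC that is reachable from anywhere other than the management network is a finding in its own right, regardless of firmware version; the `Unreachable` rows from a scan run on a production segment are the expected, good outcome.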

Act now: Secure Boot certificates expire in June 2026
The Microsoft certificates used in Secure Boot are the root of trust for boot-time operating system security, and all of them will begin expiring in June 2026.
https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856
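The practical question for an administrator is whether a given machine has already received the 2023 certificates or still relies only on the expiring 2011 ones. The following PowerShell script is an added example, not code from the podcast or from Microsoft. It decodes the raw Secure Boot `KEK` and `db` variables and looks for the subject names of the 2011 CAs and their 2023 replacements, the same string-matching approach Microsoft's own guidance uses, and it reads the `AllowTelemetry` policy value that controls whether the diagnostic data mentioned above can be sent. The certificate subject names are the ones Microsoft publishes; the interpretation of a missing `AllowTelemetry` value (no policy set, Windows default applies) is an assumption noted in the code.

```powershell
# Added example (not from the podcast or Microsoft): report which Microsoft Secure
# Boot CAs are present in this machine's UEFI variables. Needs an elevated session
# on a UEFI system; the SecureBoot cmdlets ship with Windows.
#Requires -RunAsAdministrator

# 2011 CAs (expiring from June 2026) and the 2023 CAs that replace them, per variable.
$caPairs = @(
    @{ Variable = 'KEK'; Old = 'Microsoft Corporation KEK CA 2011';      New = 'Microsoft Corporation KEK 2K CA 2023' }
    @{ Variable = 'db';  Old = 'Microsoft Windows Production PCA 2011'; New = 'Windows UEFI CA 2023' }
    @{ Variable = 'db';  Old = 'Microsoft Corporation UEFI CA 2011';    New = 'Microsoft UEFI CA 2023' }
)

function Get-SecureBootCAStatus {
    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning 'Secure Boot is not enabled on this system; certificate expiry does not apply.'
        return
    }
    foreach ($pair in $caPairs) {
        # Get-SecureBootUEFI returns the raw signature database. Certificate subject
        # names are stored as plain ASCII inside the DER blobs, so a substring match
        # on the decoded bytes is enough to tell which CAs are enrolled.
        $bytes = (Get-SecureBootUEFI -Name $pair.Variable).Bytes
        $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
        $has2011 = $text.Contains($pair.Old)
        $has2023 = $text.Contains($pair.New)
        [pscustomobject]@{
            Variable = $pair.Variable
            Old2011  = $pair.Old
            Has2011  = $has2011
            New2023  = $pair.New
            Has2023  = $has2023
            Status   = if ($has2023) { 'Updated' }
                       elseif ($has2011) { 'Only 2011 CA present - expires June 2026' }
                       else { 'Neither found - non-Microsoft or custom Secure Boot configuration' }
        }
    }
}

function Get-DiagnosticDataPolicy {
    # Group Policy "Allow Diagnostic Data" writes AllowTelemetry here:
    # 0 = Security (Enterprise only), 1 = Required, 2 = Enhanced (legacy), 3 = Optional.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    $val = Get-ItemProperty -Path $key -Name AllowTelemetry -ErrorAction SilentlyContinue
    if ($null -eq $val) {
        # Assumption: no policy configured, so the Windows default (Required) applies.
        return [pscustomobject]@{ AllowTelemetry = $null; Note = 'No policy set; Windows default applies' }
    }
    $note = if ($val.AllowTelemetry -eq 0) { 'Diagnostic data off - certificate updates will not be targeted to this device' }
            else { 'Diagnostic data enabled' }
    [pscustomobject]@{ AllowTelemetry = $val.AllowTelemetry; Note = $note }
}

Get-SecureBootCAStatus | Format-Table -AutoSize
Get-DiagnosticDataPolicy
```

Run the script from an elevated prompt; `Get-SecureBootUEFI` fails on legacy BIOS systems and on non-elevated sessions. A row showing only the 2011 CA is the case to track across the fleet over the next year, and the `AllowTelemetry` result explains why a machine might not be offered the update.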

The Windows Resiliency Initiative: Building resilience for a future-ready enterprise
Microsoft announced more details about its future security and resilience strategy for Windows. In particular, security tools will no longer have kernel access, which is supposed to prevent a repeat of the Cloudflare issue, but may also restrict security tools’ functionality.
https://blogs.windows.com/windowsexperience/2025/06/26/the-windows-resiliency-initiative-building-resilience-for-a-future-ready-enterprise/

Podcast Transcript

Hello and welcome to the Monday, June 30th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today's episode is brought to you by the Master's Degree Program in Information Security Engineering with SANS.edu and it is recorded in Stockheim, Germany.

I want to start today with a little note about Scattered Spider. This is not news by any means. Scattered Spider has been around for a while now. It, however, keeps being around, keeps hitting the news because they use a technique that has historically been uniquely successful and that's social engineering. If you remember groups like Lapsus, for example, which as it later turned out, were in no way sort of super sophisticated nation-state actors, really just teenagers that basically conducted attacks and were able to breach fairly well defended organizations. Same with Scattered Spider, even though I haven't really seen any sort of real attribution what Scattered Spider may sort of be all about. But what I want to point out here is a couple of things. First of all, Mandiant came up with a nice document to defend against Scattered Spider, in particular focusing on some of the identity aspects here. So better monitoring of your identity endpoints to maybe detect some takeovers here. Also, when you're thinking about user education, also consider that reporting attack attempts is an important part here. It's really not realistic to attempt to train every employee in a large company to detect these attacks, but some may detect them. And by reporting them, you may then be able to detect successful attempts as well. So keep that in mind. And also, if you're rethinking some things like, for example, password resets, in particular two-factor authentication resets. That's often not a very well done part here. Try maybe to rely less on anonymous help desks, but maybe get more colleagues, direct supervisors involved in that, which usually works better. They usually have a better way of identifying and authenticating a particular user they work with on a day-to-day basis.

So back in March, AMI published a vulnerability in its BIOS. Well, it's actually in the Redfish part. If you're not familiar with Redfish, it's one of the commonly used web-based remote access management tools that sort of allow you to access servers out of band and do things like further upgrades, power cycle, and the like with these servers. This vulnerability was back then, back in March, also written up by Eclypsium, the company that originally found the vulnerability. And back then, really, there was pretty much an exploit available for this very simple authentication bypass. It just requires adding the right additional header to the request, and you would be able to basically execute arbitrary commands without having to authenticate. Well, CISA now added this vulnerability to its already exploited vulnerabilities list. So it's now officially being exploited in the wild, something you definitely must address now. I know it's not always easy to update BIOSes. And well, given that it was released in March, that gave you now about three, four months, which still is a little bit of a tight deadline for a vulnerability like this. So definitely try to accelerate this and try to get this vulnerability.

And talking about BIOS updates and little things that take some time and preparation, Microsoft is alerting everybody to get ready for the expiration of the original Secure Boot certificates next year. So just a year from now, June 2026, the certificates will expire. Turns out it's 15 years since Microsoft originally introduced Secure Boot. Now Microsoft's Windows Update will give you new certificates. However, there is a little complication here in that it only really works for you if your system is sending diagnostic data back to Microsoft. Since these are really part of the BIOS, they are somewhat specific to the machine you're running. And Microsoft is collecting data as to what machines they need to push out the certificates for and how to push them out. So definitely make sure that you're allowing that data to be sent back. If not, well, refer to Microsoft's additional analysis. Also, if it's a more enterprise managed system, Microsoft did publish a blog post with various scenarios and how to make sure that you will get these updates over the next year. There's also the complication if you're still running Windows 10. The update will only be available until October this year. So definitely either make sure you get it updated before then or update to Windows 11, which is probably the right option anyway, but you may run Windows 10 for some specific software compatibility issue.

Microsoft also published a fairly extensive blog post about its resiliency initiative that basically outlines future changes Microsoft is going to make to Windows in order to make it more resilient and more secure. One of the big, somewhat controversial items here that arose from the Cloudflare incident is that Microsoft will make it more difficult or impossible for software to actually live in the kernel. In particular, security software, of course, has often taken advantage of the additional protection that the kernel provides, of running with kernel privileges, and also sort of the access to any metrics and such that this provides. But that may no longer be possible. So we'll have to see how this will all work out. But an interesting blog post to read to get a little bit of insight into what Microsoft is up to.

Well, and this is it for today. Now, today or this week rather is again sort of a travel week for me. Also, there is a holiday July 4th on Friday. So my current plan is to only release one more podcast this week, and that would be for Thursday, July 3rd. So no podcast Tuesday, Wednesday, but Thursday there will be one. And then, of course, no podcast on July 4th. Thanks for listening and talk to you again then on July 3rd on Thursday. See you again then.