SANS Stormcast Tuesday, May 12th: Apple Patches; Unipi Technologies Scans;
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9448.mp3
My Next Class
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 14th - Jul 19th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 22nd - Sep 27th 2025 |
Apple Updates Everything
Apple patched all of its operating systems. This update ports a patch for a recently exploited vulnerability to older versions of iOS and macOS.
https://isc.sans.edu/diary/31942
It Is 2025, And We Are Still Dealing With Default IoT Passwords And Stupid 2013 Router Vulnerabilities
Variants of the Mirai botnet are attacking devices made by Unipi Technology, which ship with a known default username and password combination. In addition, this Mirai variant also attempts exploits against an old Netgear vulnerability.
https://isc.sans.edu/diary/It%20Is%202025%2C%20And%20We%20Are%20Still%20Dealing%20With%20Default%20IoT%20Passwords%20And%20Stupid%202013%20Router%20Vulnerabilities/31940
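The honeypot observation above boils down to one signal a defender can look for: login attempts using a vendor default credential pair. The following is an added example, not code from the ISC diary or its honeypots; it parses constructed log lines in a simplified, Cowrie-like format and counts attempts per known default pair and the sources behind them. Only the Unipi / Unipi.Technology pair is from the page; the other entry in the list is an illustrative placeholder.

```python
"""Flag honeypot login attempts that use known IoT default credentials.

Added example (not ISC code). Log format and IP addresses are constructed.
"""
import re
from collections import Counter, defaultdict

# Known default credential pairs as (lower-cased username, exact password).
# Only the Unipi pair is taken from the ISC observation; admin/admin is an
# illustrative placeholder you would replace with your own default-cred list.
DEFAULT_CREDS = {
    ("unipi", "Unipi.Technology"),
    ("admin", "admin"),
}

# Constructed, Cowrie-like line: "<ts> <src-ip> login attempt [user/pass] <result>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) login attempt "
    r"\[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)$"
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_default_cred(user, pw):
    """Usernames compare case-insensitively; passwords must match exactly."""
    return any(user.lower() == u and pw == p for u, p in DEFAULT_CREDS)


def analyze(lines):
    """Count default-credential attempts per pair and collect source IPs."""
    pair_counts = Counter()
    sources_by_pair = defaultdict(set)
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # keep a tally so malformed input is visible
            continue
        if is_default_cred(rec["user"], rec["pw"]):
            key = (rec["user"].lower(), rec["pw"])
            pair_counts[key] += 1
            sources_by_pair[key].add(rec["src"])
    return {
        "pair_counts": dict(pair_counts),
        "sources": {k: sorted(v) for k, v in sources_by_pair.items()},
        "unparsed": unparsed,
    }


# Constructed sample log (documentation IP ranges, not real attackers).
SAMPLE_LOG = """\
2025-05-12T03:14:07Z 203.0.113.5 login attempt [Unipi/Unipi.Technology] succeeded
2025-05-12T03:14:09Z 203.0.113.5 login attempt [admin/admin] failed
2025-05-12T03:15:41Z 198.51.100.23 login attempt [unipi/Unipi.Technology] succeeded
2025-05-12T03:16:02Z 198.51.100.23 login attempt [alice/correct-horse] failed
garbage line that does not parse
"""

if __name__ == "__main__":
    for pair, n in analyze(SAMPLE_LOG.splitlines())["pair_counts"].items():
        print(f"{pair[0]}/{pair[1]}: {n} attempt(s)")
```

Feeding real honeypot output only requires adapting LINE_RE to that tool's line format; the counting logic stays the same.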
Output Messenger Vulnerability
The internal messenger application “Output Messenger” is currently being abused in sophisticated attacks. Attackers are exploiting a path traversal vulnerability that has not been fixed.
https://www.outputmessenger.com/cve-2025-27920/
Commvault Correction
Commvault’s patch does indeed fix the recent vulnerability. The “Pioneer Release” that Will Dormann used for his experiments only receives patches after it has been registered, which led to an error in assessing the patch’s efficacy.
https://www.darkreading.com/application-security/commvault-patch-works-as-intended
Podcast Transcript
Hello and welcome to the Tuesday, May 13th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. And well, today we got patches from Apple. So tomorrow, Microsoft Patch Tuesday. Today, Apple Patch Monday. Even though, of course, Apple does publish patches not on a regular schedule. This particular update fixes 65 different vulnerabilities. There's one sort of notable vulnerability here and that one is already being exploited. It's an audio stream vulnerability. Apple has released a patch for this particular vulnerability back in mid-April, but only for the most recent versions of iOS and macOS. This update now does also update some of the older versions of macOS and iOS. For macOS, it goes back to Ventura, which is 13. So about two years ago. In addition to this particular vulnerability that's already being exploited, there are a number of other notable vulnerabilities. For example, a couple of vulnerabilities in WebKit that could lead to code execution if you're visiting a malicious website. Also kind of an interesting vulnerability in FaceTime, where apparently the mute button didn't always work as expected. Of course, that would be a rather embarrassing mistake in some cases.

And our honeypots detected the use of a new username and password combination, and that's Unipi and Unipi.Technology. This particular username and password combination is the default password for devices created by a company called Unipi Technology. And, well, they're sort of in the business of kind of IoT, like home automation, business control systems, and the like. And, yes, they're still using a default password. It is, however, pointed out in their quick start guide as sort of a bold item at the top that you should probably change this particular password. The malware being spread here, well, it smells, looks like Mirai. It also does scan using the good old Netgear vulnerability. That's now, I think, a 12-year-old vulnerability from 2013. I think February 2013 is when it first came out, but it was only assigned a CVE number last year. So there's a lot of confusion around this because it's an old vulnerability, but it does have a 2024 CVE number. In particular, if you're looking at this in the context of some of the other news, like the FBI, for example, taking down that botnet of out-of-date and unpatchable routers, which was probably something like this Netgear vulnerability that was used to compromise those routers. Also, we had like a CISA advisory that, well, old vulnerabilities are heavily being used in order to target OT, so ICS technology.

And Microsoft is reporting that a new vulnerability in Output Messenger is being actively exploited by a group that Microsoft calls Marbled Dust. This particular group attacks, at least with this vulnerability, targets in the Middle East and Europe. Now, Output Messenger is a local messaging application. It's often used by administrators and such to communicate. It's fairly feature-rich, allows the easy exchange of files. And the developer of this application has now actually released a fairly decent blog, a little bit explaining the vulnerability. It's a directory traversal vulnerability. So an attacker can use this vulnerability to gain access to files on the user's system, which, of course, if they contain secrets, credentials and such, could potentially be used to execute code on affected systems. As part of the attack that Microsoft saw, attackers apparently also took over some of the Output Messenger servers that are typically run locally. So in that case, then, attackers could easily reach out to additional victims that are using this particular server. Definitely update as fast as possible, given the active exploitation of this vulnerability.

And then we have an update for the Commvault story. Remember, there was a vulnerability. Then Commvault released a patch. And security researcher Will Dormann stated that the patch didn't completely fix the vulnerability. Commvault now came out saying that, well, they did actually fix the vulnerability. And Dormann also corrected kind of his original assessment: when he downloaded the version that I guess is described as a pioneer release, it doesn't actually come with any patches and updates until you actually register this version of the software. So you only get security updates as a paid license customer. If you're just downloading the test release, you may not get the latest, greatest version with all the patches applied.

Well, and that's it for today. So thanks for listening. And just a quick note, I haven't mentioned SANSFIRE. Well, you may see at the top the URL scrolling by in the beginning and the end of the podcast. But I just want to point out that we actually are now getting together yet another one of our honeypot workshops. So we'll give away something like 20 honeypots for anybody interested in running them in their network. Also walk you through how to install them during an evening event at SANSFIRE. That's it for today. Thanks for listening and talk to you again tomorrow. Bye. Bye.