Handler on Duty: Jesse La Grew
Threat Level: green
Podcast Detail
SANS Stormcast Monday, July 14th, 2025: Suspect Domain Feed; Wing FTP Exploited; FortiWeb Exploited; NVIDIA GPU Rowhammer
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9524.mp3
My Next Class
Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 22nd - Sep 27th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Denver | Oct 4th - Oct 9th 2025 |
Experimental Suspicious Domain Feed
Our new experimental suspicious domain feed scores newly registered domains (the "recent domains" data already in our API) on criteria such as impersonated brand names, mixed Unicode scripts in one name, heavy use of digits and high-entropy, random-looking labels, to surface domains that may be used for phishing or other malicious purposes. Each entry carries the score together with the reasons that contributed to it; weights and thresholds are still being tuned.
https://isc.sans.edu/diary/Experimental%20Suspicious%20Domain%20Feed/32102
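Added example, not ISC's feed code: a small scorer in the spirit of the heuristics described above and in the transcript (impersonated brand names, mixed scripts, many digits, random-looking labels) that returns a score plus the reasons behind it, and ranks a batch of domains. The brand list, weights and thresholds are assumptions chosen for illustration, and the sample domains are constructed. The random-looking check also requires few vowels, because pure entropy flags descriptive names such as "paypal-secure-login" just as readily as random strings.

```python
import math
import unicodedata
from dataclasses import dataclass, field

# Constructed brand list for this example; a production feed would use a much larger one.
BRANDS = ("paypal", "microsoft", "apple", "dhl", "chase")
# Digit-for-letter substitutions commonly seen in lookalike names (0->o, 1->l, 3->e, 4->a, 5->s).
HOMOGLYPHS = str.maketrans("01345", "oleas")
VOWELS = set("aeiou")


@dataclass
class Scored:
    domain: str
    score: int
    reasons: list = field(default_factory=list)


def to_unicode_label(label: str) -> str:
    """Decode a punycode A-label (xn--...) to its U-label; other labels pass through."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except (UnicodeError, ValueError):
            return label  # malformed punycode: score the raw label instead
    return label


def scripts_of(label: str) -> set:
    """Script family of every letter, taken from the first word of its Unicode name
    (e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def shannon_entropy(s: str) -> float:
    """Bits per character over the label's own character distribution."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used for one-character brand lookalikes (paypa1, micr0soft)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(label: str) -> bool:
    """Random-looking label: long, high entropy and almost no vowels. The vowel check keeps
    descriptive names such as 'paypal-secure-login' (high entropy, many vowels) out."""
    letters = [ch for ch in label if ch.isalpha()]
    if len(label) < 10 or not letters:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters)
    return shannon_entropy(label) >= 3.3 and vowel_ratio < 0.2


def score_domain(domain: str) -> Scored:
    labels = domain.lower().rstrip(".").split(".")
    raw = labels[-2] if len(labels) >= 2 else labels[0]  # crude: no public-suffix list here
    sld = to_unicode_label(raw)
    score, reasons = 0, []

    if not sld.isascii():
        score += 10
        reasons.append("idn")
    scripts = scripts_of(sld)
    if len(scripts) > 1:  # e.g. Latin letters mixed with a single Cyrillic lookalike
        score += 40
        reasons.append("mixed-scripts:" + "+".join(sorted(scripts)))
    folded = sld.translate(HOMOGLYPHS)
    for brand in BRANDS:
        if sld == brand:
            continue  # the brand's own registrable name is not an impersonation
        close = abs(len(folded) - len(brand)) <= 1 and edit_distance(folded, brand) <= 1
        if brand in folded or close:
            score += 30
            reasons.append("brand:" + brand)
            break
    if sum(ch.isdigit() for ch in sld) / len(sld) > 0.3:
        score += 15
        reasons.append("digits")
    if looks_random(sld):
        score += 20
        reasons.append("random-looking")
    return Scored(domain, score, reasons)


def rank(domains, top=20):
    """Highest-scoring domains first, as the feed's top-N view."""
    return sorted((score_domain(d) for d in domains), key=lambda s: -s.score)[:top]


# Constructed sample of "newly registered" domains; the Cyrillic a (U+0430) in the third
# entry is the classic paypal lookalike, also given in its punycode (xn--) form.
SAMPLE = [
    "example.com",
    "paypal-secure-login.com",
    "p\u0430ypal.com",
    "p\u0430ypal.com".encode("idna").decode("ascii"),
    "micros0ft-support.org",
    "k7x9q2mz4pl8.net",
    "apple.com",
]

if __name__ == "__main__":
    for s in rank(SAMPLE):
        print(f"{s.score:3d}  {s.domain:30s} {','.join(s.reasons)}")
```

The "reasons" list is the part worth keeping in any real feed: a bare score tells an analyst nothing about why a domain bubbled up, whereas "mixed-scripts" plus "brand" is immediately actionable.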
Wing FTP Server RCE Vulnerability Exploited CVE-2025-47812
Huntress observed active exploitation of the Wing FTP Server remote code execution vulnerability (CVE-2025-47812) at a customer on July 1, 2025, a day after RCE Security published details and a proof of concept. The exploited component is the server's web interface, not the FTP protocol itself: a NUL byte in the supplied username makes the credential check stop early, while the full string, including Lua code appended after the NUL, is copied into the session file and later executed. Organizations running Wing FTP Server should update to the fixed version, 7.4.4, as soon as possible.
https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild
https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/
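Added example, not Wing FTP Server code: a Python model of the bug class described above, with the flawed pattern beside a hardened one. The user table, the `username = "..."` session-file layout and the payload shape are assumptions for illustration; the point is the inconsistency, a credential check that stops at the NUL byte while the session writer copies the whole string into Lua source.

```python
# Constructed user table; the real product's credential storage is not modelled.
USERS = {"alice": "s3cret"}


def c_string(s: str) -> str:
    """What C-style string handling sees: everything up to the first NUL byte."""
    return s.split("\0", 1)[0]


def authenticate_vulnerable(username: str, password: str) -> bool:
    """Flawed pattern: the credential check runs on the NUL-truncated username..."""
    return USERS.get(c_string(username)) == password


def build_session_vulnerable(username: str) -> str:
    """...while the session file (Lua source) is built from the full, untruncated string
    with no escaping, so whatever follows the NUL lands in the file as Lua code."""
    return f'username = "{username}"\n'


def lua_quote(s: str) -> str:
    """Serialise s as a single Lua string literal: backslash, quote and every control
    character (NUL included) become escapes, so the value can never close the literal."""
    out = []
    for ch in s:
        if ch == "\\":
            out.append("\\\\")
        elif ch == '"':
            out.append('\\"')
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\%03d" % ord(ch))  # Lua decimal escape, e.g. \000 for NUL
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def authenticate_fixed(username: str, password: str) -> bool:
    """Reject credentials containing NUL or other control characters up front, so every
    later consumer (C strings, Lua, log files) sees exactly the same value."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in username + password):
        return False
    return USERS.get(username) == password


def build_session_fixed(username: str) -> str:
    """Defence in depth: even a value that slipped through stays one inert literal."""
    return "username = " + lua_quote(username) + "\n"


# Constructed payload in the shape the advisory describes: a valid name, a NUL, then Lua.
PAYLOAD = 'alice\0"; os.execute("id") --'

if __name__ == "__main__":
    print("vulnerable auth:", authenticate_vulnerable(PAYLOAD, "s3cret"))  # True
    print(build_session_vulnerable(PAYLOAD), end="")                        # injected Lua
    print("fixed auth:", authenticate_fixed(PAYLOAD, "s3cret"))             # False
    print(build_session_fixed(PAYLOAD), end="")                             # inert literal
```

Two independent fixes are shown on purpose: validating input once at the boundary removes the truncation mismatch, and escaping at the point of serialisation means a second code path that forgets the check still cannot produce executable Lua.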
FortiWeb Pre-Auth RCE (CVE-2025-25257)
A public exploit for the FortiWeb pre-authentication remote code execution vulnerability (CVE-2025-25257) is now available and is being used in the wild. At its core the flaw is a SQL injection; the exploit uses it to write a file onto the appliance and then execute that file's content.
https://pwner.gg/blog/2025-07-10-fortiweb-fabric-rce
NVIDIA Vulnerable to Rowhammer
NVIDIA has received new research related to the industry-wide DRAM issue known as "Rowhammer". The research demonstrates a potential Rowhammer attack against an NVIDIA A6000 GPU with GDDR6 memory. The purpose of the notice is to reinforce already known mitigations for Rowhammer attacks.
https://nvidia.custhelp.com/app/answers/detail/a_id/5671/~/security-notice%3A-rowhammer---july-2025
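Added example, not NVIDIA's code: the mitigation the linked notice reinforces is enabling System-Level ECC on the GPU, and the quickest check on a fleet is to query the ECC state with nvidia-smi. The script below parses the output of the real `nvidia-smi --query-gpu=name,ecc.mode.current,ecc.mode.pending --format=csv,noheader` query and reports every GPU whose memory is not currently protected; the sample output is constructed so the example runs without a GPU, and the per-GPU index and remediation hint in the messages are assumptions.

```python
import csv
import io
import subprocess

# The real nvidia-smi query; the three properties are standard --query-gpu fields.
QUERY = [
    "nvidia-smi",
    "--query-gpu=name,ecc.mode.current,ecc.mode.pending",
    "--format=csv,noheader",
]

# Constructed sample output in the shape the command above prints. The first card has ECC
# switched on but not yet active (needs a reboot); the third is a consumer card with no ECC.
SAMPLE_OUTPUT = """\
NVIDIA RTX A6000, Disabled, Enabled
NVIDIA A100-SXM4-40GB, Enabled, Enabled
NVIDIA GeForce RTX 4090, [N/A], [N/A]
"""


def parse_ecc(text: str) -> list:
    """One dict per GPU with name, current and pending ECC mode."""
    rows = []
    for rec in csv.reader(io.StringIO(text), skipinitialspace=True):
        if len(rec) != 3:
            continue  # blank line or unexpected output
        name, current, pending = (f.strip() for f in rec)
        rows.append({"name": name, "current": current, "pending": pending})
    return rows


def ecc_findings(rows: list) -> list:
    """(index, name, message) for every GPU whose memory is not ECC-protected right now."""
    findings = []
    for i, r in enumerate(rows):
        if r["current"] == "Enabled":
            continue
        if r["current"] == "[N/A]":
            findings.append((i, r["name"], "ECC not supported by this GPU"))
        elif r["pending"] == "Enabled":
            findings.append((i, r["name"], "ECC enabled but not active until reboot"))
        else:
            # nvidia-smi -i <idx> -e 1 switches ECC on; it takes effect after a reboot.
            findings.append((i, r["name"], "ECC disabled; enable with: nvidia-smi -i %d -e 1" % i))
    return findings


def check_live() -> list:
    """Run the real query (needs the NVIDIA driver installed) and report findings."""
    out = subprocess.run(QUERY, capture_output=True, text=True, check=True).stdout
    return ecc_findings(parse_ecc(out))


if __name__ == "__main__":
    for idx, name, msg in ecc_findings(parse_ecc(SAMPLE_OUTPUT)):
        print(f"GPU {idx} ({name}): {msg}")
```

Two caveats a practitioner will hit: the pending column matters, because a card that reports "Disabled, Enabled" has been configured but is still unprotected until the next reboot, and consumer GeForce parts report "[N/A]" because they have no ECC to enable, which is a different finding from a workstation card where it was simply left off.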
Application Security: Securing Web Apps, APIs, and Microservices | Dallas | Dec 1st - Dec 6th 2025 |
Podcast Transcript
Hello and welcome to the Monday, July 14, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today's episode is brought to you by the SANS.edu Graduate Certificate Program in Industrial Control System Security, and it is recorded here at SANSFIRE in Washington, D.C. Well, this weekend I worked on a new data feed, Suspicious Domains. This is something we used to have in the past. Like years ago, we had a suspicious domain feed, and what we did in the past was that we basically aggregated various other public domain feeds in order to then rank them and also look for domains that are sort of more significant by showing up in multiple feeds. The problem with this approach was that, well, these feeds kind of changed. Some of them got discontinued, others changed their licensing so that we could no longer use them and redistribute them. So we now take a little bit of a different approach. We already had data of newly registered domains. We offer that as part of our API data. The recent domains feature in our API basically gives you recently registered domains. So what we did now is took an approach that is not new, but where we basically look for odd patterns in these domains. So things like, for example, well-known brand names are often impersonated. We're looking for international characters that are a little bit odd, particularly if multiple different scripts are being used in one domain name. Also things like lots of numbers, high entropy, like these random domain names. What we have right now is probably a little bit more sensitive to phishing domains. The malware domains are probably caught with a lot of these sort of high entropy, these very random domain names. But those are actually a little bit more difficult to find, actually identify and prioritize, because it looks like there are also some legitimate, not really sure what for, but domain names being registered in large numbers that basically include things like the current date or just random characters that are not necessarily identifiable as malicious. But like I said, it's experimental right now. I'm still experimenting with the different weights we assign to these features and how we exactly calculate the rank here, or our score, as we call it. The score is added to our recent domain feeds. I also added the reasons for the scores, the basic keywords telling you what contributed to that score, like if it was the entropy, if it was international domain names or a combination thereof. So let me know if it works for you. I did see a couple interesting domain names that sort of bubbled up to sort of the top 20 there this weekend. But really, I think it needs a little bit more observation and work to sort of fine tune it. So let me know if it works for you or if you have any suggestions what to improve on this particular data.

And for users of Wing FTP, well, there is a critical update available for you and a vulnerability that's already being exploited in the wild. June 30th, RCE Security did release details about this particular flaw, including a proof of concept exploit that pretty much had everything you needed to exploit this vulnerability. Huntress Labs is now saying that this vulnerability is actively being exploited. Now, don't get confused by this being an FTP server, Wing FTP. It actually has a web component that is being exploited here. So it's not the good old FTP protocol that is vulnerable here. The exploitation of this vulnerability is kind of interesting. It's something that we have definitely seen before, but not all that terribly common. And that's how the null byte is being dealt with. It's often being used, like in C and such, to terminate strings. Well, it depends really on the language you're using and how exactly you're using this particular string. But the problem here is that you can add additional content, and in particular Lua script code, to the end of your username. You just have to delineate it with a null byte. That way authentication still works, because it only looks at the content of the username up to this null byte. But then the entire username you provided is copied into the session file, including that code, which can then lead to remote code execution. So, interesting vulnerability, and definitely something for web developers and such to read up on, of course, so that you're not making the same mistake.

And I guess today is kind of exploit Monday, because we have a lot of exploits for vulnerabilities that we recently talked about. FortiWeb, that's a vulnerability I think I mentioned on Friday, if I remember correctly. Well, it's being exploited now. There is a blog available that gives you all the details about this vulnerability. It's at its core a SQL injection vulnerability. SQL injection vulnerabilities, of course, can easily lead to remote code execution if you can write a file, and that's exactly what's happening here. You can use SQL injection to write a file on the system and then execute the content of that file.

And NVIDIA released an advisory that some of its GPUs are susceptible to the Rowhammer attack. Rowhammer affects DDR memory, and of course DDR is being used in modern graphics cards. And the problem here is that repeated reading and writing to certain areas of the memory can actually affect, even flip, bits in other parts of the memory that a user may otherwise not have access to. This is an older vulnerability, originally, I believe, discovered by Google. And pretty much it's sort of inherent, intrinsic to DDR memory. So no big surprise that GPUs and graphics cards, basically with DDR memory, are susceptible to this vulnerability. Well, and this is it for today.
Thanks for listening. Thanks for recommending this podcast. Thanks for leaving good reviews in your favorite podcast platform. And please like and subscribe. And that's it for today. Thanks for listening and talk to you again tomorrow. Bye.