Handler on Duty: Jesse La Grew
Threat Level: green
Podcast Detail
SANS Stormcast Monday, July 14th, 2025: Web Honeypot Log Volume; Browser Extension Malware; RDP Forensics
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9526.mp3
My Next Class
| Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 22nd - Sep 27th 2025 |
| Application Security: Securing Web Apps, APIs, and Microservices | Denver | Oct 4th - Oct 9th 2025 |
DShield Honeypot Log Volume Increase
Within the last few months, there has been a dramatic increase in honeypot log volumes and how often these high volumes are seen. This has not just been from Jesse’s residential honeypot, which has historically seen higher log volumes, but from all of the honeypots that Jesse runs.
https://isc.sans.edu/diary/DShield+Honeypot+Log+Volume+Increase/32100
Google and Microsoft Trusted Them. 2.3 Million Users Installed Them. They Were Malware.
Koi Security’s investigation of a single “verified” color picker exposed a coordinated campaign of 18 malicious extensions that infected a massive 2.3 million users across Chrome and Edge.
https://blog.koi.security/google-and-microsoft-trusted-them-2-3-million-users-installed-them-they-were-malware-fb4ed4f40ff5
RDP Forensics
Comprehensive overview of Windows RDP Forensics
https://medium.com/@mathias.fuchs/chasing-ghosts-over-rdp-lateral-movement-in-tiny-bitmaps-328d2babd8ec
iTunes
MP3 Download
RSS Feed
Google
Podbean
Amazon Echo
YouTube
Spreaker
Spotify
Discussion
The Shibboleth vulnerability is quite interesting. In their example, the SAML signature covers the entire and they've made modifications to it (the changes to the uid) that should cause the signature to fail validation. This vulnerability speaks to larger architectural issues with Shibboleth. Obviously the signature validation is happening on a DIFFERENT document (the inline DTD defs are resolved and replaced) than the attribute extraction code works on (the inline DTD variables are not replaced). This is a HUGE no no and leads to the confused deputy issues that caused the vulnerability. I would bet other SP SAML parsing code is making similar mistakes.
Posted by Anonymous on Tue Jan 16 2018, 16:54
Login here to join the discussion.
| Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 22nd - Sep 27th 2025 |
| Application Security: Securing Web Apps, APIs, and Microservices | Denver | Oct 4th - Oct 9th 2025 |
| Application Security: Securing Web Apps, APIs, and Microservices | Dallas | Dec 1st - Dec 6th 2025 |
Make the web a better place by sharing the SANS Internet Storm Center with others
© 2025 SANS™ Internet Storm Center
Developers: We have an API for you! 