Handler on Duty: Xavier Mertens
Threat Level: green
Podcast Detail
SANS Stormcast Friday, April 25th: SMS Gateway Scans; Comvault Exploit; Patch Window Shrinkage; More inetpub issues;
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9424.mp3
My Next Class
Application Security: Securing Web Apps, APIs, and Microservices | San Diego | May 5th - May 10th 2025 |
Network Monitoring and Threat Detection In-Depth | Baltimore | Jun 2nd - Jun 7th 2025 |
Attacks against Teltonika Networks SMS Gateways
Attackers are actively scanning for SMS Gateways. These attacks take advantage of default passwords and other commonly used passwords.
https://isc.sans.edu/diary/Attacks%20against%20Teltonika%20Networks%20SMS%20Gateways/31888
Commvault Vulnerability CVE-2025-34028
Commvault, about a week ago, published an advisory and a fix for a vulnerability in its backup software. watchTowr has now released a detailed write-up and exploit for the vulnerability.
https://labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/
Exploitation Trends Q1 2025
VulnCheck published a summary of exploitation trends, pointing out that about a quarter of vulnerabilities are exploited within a day after a patch is made available.
https://vulncheck.com/blog/exploitation-trends-q1-2025
inetpub directory issues
The inetpub directory introduced by Microsoft in its April patch can be turned into a denial of service against patching: if an attacker can create a junction at that location pointing to an existing system binary like Notepad, later Windows updates fail to apply.
https://doublepulsar.com/microsofts-patch-for-cve-2025-21204-symlink-vulnerability-introduces-another-symlink-vulnerability-9ea085537741
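The practical question for a defender is whether the inetpub location on a given machine is a real directory or a reparse point that will trip up future updates. The following PowerShell check is an added example, not code from the ISC page or from Kevin Beaumont's post; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and that inetpub lives on the system drive. It reports whether the path is a junction or symbolic link, where it points, and who owns it (a reparse point created by a standard user will be owned by that user, which is a useful triage signal).

```powershell
# Added example (not from the ISC page or Kevin Beaumont's post): report whether
# <SystemDrive>\inetpub is a reparse point (junction / symlink) and where it points.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; adjust $Path if needed.
$Path = Join-Path $env:SystemDrive 'inetpub'

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Output "$Path does not exist (normal if the April 2025 update has not created it yet)."
    return
}

$item  = Get-Item -LiteralPath $Path -Force
$owner = (Get-Acl -LiteralPath $Path).Owner
$isReparsePoint = ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0

if (-not $isReparsePoint) {
    Write-Output "$Path is a regular directory, owner: $owner"
    return
}

# LinkType and Target are populated for junctions and symbolic links on Windows.
# A junction at this path that points at a file such as notepad.exe is the
# condition the DoublePulsar post describes; treat it as a finding to investigate.
Write-Warning "$Path is a $($item.LinkType) owned by $owner pointing to: $($item.Target)"
```

Run it in an elevated session for the most reliable ACL read; if it warns, the junction's owner and creation time (`$item.CreationTime`) tell you who created it and when, and removing the reparse point with `Remove-Item` (after confirming it is not a legitimate redirection you configured) restores the normal patching path.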
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 14th - Jul 19th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 22nd - Sep 27th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Denver | Oct 4th - Oct 9th 2025 |
Podcast Transcript
Hello and welcome to the Friday, April 25th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

Well, in diaries today, some of our honeypots got scanned for what looks like attempts to use them as SMS gateways. The URLs suggest that the attacker here is looking for SMS gateways made by Teltonika. Teltonika makes a wide range of SMS gateways, from IoT-centered devices to enterprise gateways. But the fundamental idea of all of these devices is that you're connecting to them via an IP connection and then use them to send SMS messages. This, of course, happens via a relatively straightforward API. And, well, as so often, there are some default users and default passwords that are being used. That's exactly what the attacker was looking for here. Typically, according to the documentation I found, there is a user1 that's always defined. Now, its password is usually user_pass, but it looks like, in addition to that one password, they're also looking for a couple of others. Not sure if they're just common passwords being used or, depending on the exact device they're looking for, whether or not there's a range of different default passwords being used. There's one that's a little bit interesting, if anybody has any idea: this P8XR password. That's sort of just a random string. A Google search didn't return anything for this random string. Now, in order to confirm whether or not the particular gateway they're connecting to is able to send SMS messages, they're then sending a quick test to one of the attacker's phone numbers. And there are two phone numbers that we have seen so far, one in Saudi Arabia and one in Belgium. Of course, they themselves could then again be some kind of SMS-to-email gateway or something like this that would then be used to receive those messages. As always, make sure that you're changing default passwords. And yeah, please don't buy any devices that come with simple default passwords like that.

And users of the Commvault backup solution, be aware that, well, there is not only a new remote code execution vulnerability that does not require any authentication, but in addition, there is also a great detailed write-up by watchTowr, with the usual snark mixed in, and also an exploit that's relatively easy to replicate once you see it here at the blog. The first thing that the attacker would do is deploy a new package. And that's sort of the root cause of the vulnerability here, where the attacker would essentially just upload a web shell here via that Command Center "deploy web package dot do" endpoint. No authentication required here. And then next, this particular package can be used to, for example, upload a web shell. And then it can be used to execute additional arbitrary code. Not a difficult vulnerability at all to exploit. So definitely be aware of this vulnerability. It is a must-patch-now vulnerability. I looked at our logs, haven't seen any hits in our honeypots yet. But then again, these Commvault systems are fairly easy to identify. So I would think that some targeted attacks are already underway.

And talking about how quickly vulnerabilities are being exploited, VulnCheck put together a little bit of statistics based on the known exploited vulnerabilities. And in quarter one of 2025, they observed that out of the 159 known exploited vulnerabilities, about a quarter, actually a little bit more, were exploited in less than a day. And that's very typical. I think it doesn't really matter when a vulnerability is being made public. But as soon as an exploit becomes public, it's widely exploited. And that's what we keep seeing in our data. Now, they also broke it down a little bit by different categories. And here, of course, network edge devices are very big; operating systems also; a lot of content management systems, which I have to admit I keep ignoring, because there are just too many, like the WordPress vulnerabilities and the like, that keep coming up. But once you're looking at plugins and such, there's really no point in really enumerating them; you're probably vulnerable if you have a certain number of plugins running in these systems.

Then the issue with, well, inetpub is not going away. Remember, this was the problem that we kind of had last month, where Microsoft released an update and then created this directory that's usually used by Internet Information Server. Well, Kevin Beaumont now on his blog did publish a little exploit where you are just adding a junction for inetpub to a system binary. And any user can do that on Windows. This will break updates going forward. So now the April update cannot apply. It cannot create that directory. And also future updates will likely fail. We'll see if Microsoft is adding some additional fixes here to the May update. That's, well, coming out in a couple of weeks. Nothing at this point that you have to do about this particular issue, but just be aware of any odd junction that you may find on systems.

That's it for today. Thanks again for listening. Thanks for recommending the podcast. And as always, if you talk to someone at SANS, well, just let them know how much you like this podcast. Thanks and talk to you again on Monday. Bye-bye.