SANS Stormcast Thursday, June 5th, 2025: Phishing Comment Trick; AWS default logging mode change; Cisco Backdoor Fixed; Infoblox Vulnerability Details Released

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9480.mp3

Phishing e-mail that hides malicious links from Outlook users
Jan found a phishing email that hides the malicious link from Outlook users. The email uses specific HTML comment clauses that Outlook interprets to render or not render specific parts of the email's HTML code. Jan suggests that the phishing email is intended to not expose users of
https://isc.sans.edu/diary/Phishing%20e-mail%20that%20hides%20malicious%20link%20from%20Outlook%20users/32010
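To see which link each kind of recipient would actually follow, here is an added example that is not part of Jan's diary or this page: it renders the two views of a constructed HTML body (placeholder domains) and reports the links only non-Outlook clients see, which is the check a mail gateway or analyst would run on a suspicious message. It assumes the plain `[if mso]` / `[if !mso]` conditional-comment forms.

```ruby
# Added example (not from the ISC diary): compare the links an Outlook user
# sees with the links every other mail client sees in the same HTML body.
# Outlook's Word-based renderer evaluates "[if mso]" / "[if !mso]" conditional
# comments; standards-based clients treat anything in <!-- ... --> as a comment.
# Only the plain mso / !mso forms are handled (no "gte mso 9" style versions).

HREF_RE = /href\s*=\s*["']([^"']+)["']/i

# What Outlook renders: drop [if !mso] blocks, unwrap [if mso] blocks.
def outlook_view(html)
  stripped = html.gsub(/<!--\[if\s+!mso\]>.*?<!\[endif\]-->/mi, "")
  stripped.gsub(/<!--\[if\s+mso\]>(.*?)<!\[endif\]-->/mi, '\1')
end

# What any other client renders: every <!-- ... --> is a comment, so [if mso]
# content vanishes and the "<!-- -->" escape leaves the [if !mso] content visible.
def generic_view(html)
  html.gsub(/<!--.*?-->/m, "")
end

def links_in(html)
  html.scan(HREF_RE).flatten.uniq
end

# Links only non-Outlook users would follow; a mail that shows Outlook users a
# benign URL while everyone else gets a different one surfaces here.
def links_hidden_from_outlook(html)
  links_in(generic_view(html)) - links_in(outlook_view(html))
end

# Constructed sample body with placeholder domains, shaped like the diary's mail.
SAMPLE_BODY = <<~HTML
  <p>Your account needs verification.</p>
  <!--[if mso]><a href="https://bank.example/login">Log in</a><![endif]-->
  <!--[if !mso]><!-- --><a href="https://bank-verify.example.net/login">Log in</a><!--<![endif]-->
HTML

if __FILE__ == $PROGRAM_NAME
  puts "Outlook users see:   #{links_in(outlook_view(SAMPLE_BODY)).inspect}"
  puts "Other clients see:   #{links_in(generic_view(SAMPLE_BODY)).inspect}"
  puts "Hidden from Outlook: #{links_hidden_from_outlook(SAMPLE_BODY).inspect}"
end
```

A non-empty result from `links_hidden_from_outlook` is the signal worth alerting on; a legitimate newsletter that uses these comments for layout normally points both branches at the same URL.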

Amazon changing default logging from blocking to non-blocking
Amazon will change the default logging mode from blocking to non-blocking. Non-blocking logging will not stop the application if logging fails, but may result in a loss of logs.
https://aws.amazon.com/blogs/containers/preventing-log-loss-with-non-blocking-mode-in-the-awslogs-container-log-driver/

Cisco Removes Backdoor
Cisco fixed a Cisco Identity Services Engine on Cloud Platforms Static Credential Vulnerability.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-aws-static-cred-FPMjUcm7

Infoblox Vulnerability Details disclosed
Details regarding several vulnerabilities recently patched in Infoblox's NetMRI have been made public. In particular, an unauthenticated remote code execution issue should be considered critical.
https://rhinosecuritylabs.com/research/infoblox-multiple-cves/

Podcast Transcript

Hello and welcome to the Thursday, June 5th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and this episode, brought to you by the SANS.edu Graduate Certificate Program in Cyber Defense Operations, is recorded in Jacksonville, Florida.

Today we have a diary from Jan about an interesting phishing trick that Jan ran across. This phishing trick basically hides the malicious link from Outlook users. So at first the email looks like, well, any other phishing email. It tries to impersonate a bank, but when Jan hovered over the link in Outlook, well, the link actually was a normal link for this particular bank. So what's the point here? Well, essentially what the attacker is likely trying to do here is not trigger the phishing attack for Outlook users, because Outlook users are often corporate users. Most home users and such, who may be more susceptible to phishing, use webmail browser systems. And the corporate users, of course, have more security around their browsing experience, which of course could trigger an alert and then could lead to the phishing site being discovered. So what they're actually doing here is use this little trick here with HTML comments. This is a specific feature in Outlook, that "if MSO", and you often see some sort of product-specific features implemented like this, where essentially you can display different content to Outlook users versus other users. And that's really what's happening here. And that's how the non-Outlook user is seeing the malicious link, while Outlook users are seeing the benign link. Interesting little trick. And like I said, it's not necessarily meant to protect Outlook users. It's more to hide the malicious link from users that are more likely part of a more managed IT environment.

And then we got an update from Amazon regarding the default mode for AWS logging via CloudWatch logs and others. And you may have received an email from Amazon about this change, but it's easy to miss those emails. The main issue is that currently the default logging mode is what they call blocking mode. What this means is that the application makes sure that all logs are actually received. Now, if there is a disruption in logging, that may actually then lead to your application stopping because, well, it can no longer log. They're going to change this now to non-blocking mode, which is kind of like, you know, your good old syslog UDP logging, where you're sending the logs, but there is no guarantee that the logs are actually being received. If you have your logging buffer and so on fill up, well, the logs will just get lost. The advantage, of course, is that now your application will not break. It will continue to work. Whether or not that's a change that you want depends on your application: if you would rather have the application shut down if logging doesn't work, or if you would rather have an application running, but without logging. That change will become effective on June 25th. So starting June 25th, the default logging mode will be the non-blocking mode.

Then we got a couple of Cisco updates. The one that's really noteworthy here is a backdoor they removed from the Cisco Identity Services Engine on cloud platforms. Again, one of those static credential vulnerabilities, as Cisco calls them. Definitely make sure that you do update this one. How it affects you depends on the exact configuration, so refer to the Cisco advisory for any details.

And Infoblox patched a number of vulnerabilities in its NetMRI system. We now have detailed write-ups on these vulnerabilities, including proof of concept. The one that you should probably be most worried about is an unauthenticated command injection vulnerability via the get-saml request. Very classic vulnerability: if you're looking at the code, it does actually just pass the SAML ID here without any proper input validation or output encoding to this Perl script that then basically does the SAML authentication. This is Ruby code in Ruby. The popen command actually would have allowed for a better method to implement this by actually passing these arguments as separate arguments to popen. But well, Infoblox chose not to take advantage of this feature.

Well, and that's it for today. So thanks for listening and talk to you again tomorrow. Bye. Bye.
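The popen point at the end of the episode, as an added example that is not Infoblox's code: the command-string shape of the NetMRI bug beside the argument-array form of Ruby's IO.popen that avoids it, plus an allow-list check on the identifier as defence in depth. The helper script path and the `saml_id` parameter are hypothetical stand-ins.

```ruby
# Added example (not Infoblox code): the shape of the NetMRI bug described in
# the episode, an identifier interpolated into a popen command string, beside
# the argument-array form of IO.popen that avoids it. The helper path and the
# saml_id parameter are hypothetical stand-ins.
require "rbconfig"

SAML_HELPER = "/opt/netmri/saml_auth.pl" # hypothetical path, for illustration only

# Vulnerable shape: one command string is handed to /bin/sh, so shell
# metacharacters in saml_id (";", "$(...)", backticks) become extra commands.
# Returned rather than executed so it can be inspected safely.
def vulnerable_command(saml_id)
  "#{SAML_HELPER} #{saml_id}"
end

# Hardened shape: an argument array goes straight to execve(); no shell parses
# it, so saml_id is always exactly one literal argument, whatever it contains.
def safe_argv(saml_id)
  [SAML_HELPER, saml_id]
end

# Demonstrates what the helper receives under the array form, using the running
# Ruby interpreter as a stand-in for the Perl script ("--" ends ruby's own
# option parsing so an id starting with "-" is still treated as data).
def argument_as_received(saml_id)
  IO.popen([RbConfig.ruby, "-e", "print ARGV[0]", "--", saml_id], &:read)
end

# Defence in depth: allow-list the identifier format before any command is built.
def valid_saml_id?(saml_id)
  saml_id.match?(/\A[A-Za-z0-9._-]{1,64}\z/)
end

if __FILE__ == $PROGRAM_NAME
  hostile = "abc; echo injected" # constructed hostile value
  puts vulnerable_command(hostile)   # a shell would run "echo injected" after the helper
  puts safe_argv(hostile).inspect    # ["/opt/netmri/saml_auth.pl", "abc; echo injected"]
  puts argument_as_received(hostile) # abc; echo injected, delivered as one argument
  puts valid_saml_id?(hostile)       # false
end
```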