
SANS Stormcast Tuesday, June 24th, 2025: Ichano ATHome IP Camera Scans; Netscaler Vulnerability; WinRar Vulnerability

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9502.mp3


Scans for Ichano AtHome IP Cameras
A couple of days ago, a few sources started scanning for the username super_yg and the password 123. This credential pair is associated with Ichano's AtHome IP Camera software.
https://isc.sans.edu/diary/Scans%20for%20Ichano%20AtHome%20IP%20Cameras/32062
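The scan above is easiest to spot by grouping honeypot login attempts by credential pair and counting distinct source addresses. The following is an added example, not code from the ISC diary or the original page: it parses a constructed honeypot log in a made-up `key=value` format (the lines, IPs and timestamps are invented for illustration), keeps a watchlist of known default credentials (only the super_yg/123 pair is from the page), and reports watchlist pairs seen from several sources, which is the "coordinated scan" pattern described above rather than a one-off guess.

```python
import re
from collections import defaultdict

# Watchlist of default credentials worth alerting on. Only the Ichano AtHome
# pair comes from the page; the dict structure is an assumption of this example.
DEFAULT_CREDS = {
    ("super_yg", "123"): "Ichano AtHome IP Camera default credential",
}

# Constructed sample lines in a made-up honeypot format (not real ISC data):
# timestamp, source IP, protocol, attempted username/password, outcome.
SAMPLE_LOG = """\
2025-06-18T03:14:07Z src=198.51.100.23 proto=telnet user=root pass=admin result=fail
2025-06-18T03:14:09Z src=198.51.100.23 proto=telnet user=super_yg pass=123 result=fail
2025-06-18T11:02:41Z src=203.0.113.9 proto=ssh user=guest pass=guest result=fail
2025-06-18T11:02:43Z src=203.0.113.9 proto=ssh user=super_yg pass=123 result=fail
2025-06-19T07:55:10Z src=192.0.2.77 proto=ssh user=super_yg pass=123 result=fail
2025-06-19T07:55:12Z src=192.0.2.77 proto=ssh user=admin pass=admin result=fail
2025-06-19T08:01:00Z src=198.51.100.23 proto=ssh user=super_yg pass=123 result=fail
2025-06-19T09:30:00Z src=203.0.113.50 proto=ssh user=super_yg pass=password result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) proto=(?P<proto>\S+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_credential_scans(log_text):
    """Group login attempts by (user, password) and track distinct sources,
    attempt count and first/last timestamp for each pair."""
    stats = defaultdict(lambda: {"sources": set(), "first": None, "last": None, "count": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of failing the whole run
        s = stats[(rec["user"], rec["pw"])]
        s["sources"].add(rec["src"])
        s["count"] += 1
        # ISO-8601 timestamps with a fixed zone compare correctly as strings
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    return stats


def watchlist_hits(log_text, min_sources=2):
    """Return watchlist credential pairs tried from at least min_sources
    distinct IPs, i.e. evidence of a distributed scan rather than one host."""
    hits = []
    for (user, pw), s in summarize_credential_scans(log_text).items():
        label = DEFAULT_CREDS.get((user, pw))
        if label and len(s["sources"]) >= min_sources:
            hits.append({
                "user": user, "password": pw, "label": label,
                "sources": sorted(s["sources"]), "attempts": s["count"],
                "first_seen": s["first"], "last_seen": s["last"],
            })
    return hits


if __name__ == "__main__":
    for hit in watchlist_hits(SAMPLE_LOG):
        print(f"{hit['label']}: {hit['user']}/{hit['password']} from "
              f"{len(hit['sources'])} sources, {hit['attempts']} attempts "
              f"({hit['first_seen']} .. {hit['last_seen']})")
```

Note that super_yg with a different password (the last constructed line) is deliberately not a hit: the point of the diary is the exact default pair, and counting near-misses separately keeps the signal clean. Raise `min_sources` if your sensor sees enough background noise that a single curious host should not page anyone.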

Critical Netscaler Security Update CVE-2025-5777
CVE-2025-5777 is a critical severity vulnerability impacting NetScaler Gateway, i.e. it applies when NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.
https://www.netscaler.com/blog/news/critical-security-updates-for-netscaler-netscaler-gateway-and-netscaler-console/
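Whether an appliance falls under the "configured as Gateway or AAA virtual server" condition can be read straight out of its saved configuration. The following is an added example, not code from Citrix or the original page: it scans a constructed ns.conf excerpt (invented hostnames and addresses; the `add vpn vserver` / `add authentication vserver` line syntax is assumed from the NetScaler CLI) and lists the virtual servers that put the box in scope. The advisory remains the authority on exposure; this only tells you which configs to look at first.

```python
import re

# Constructed ns.conf excerpt (not taken from any real appliance). The line
# syntax mirrors the NetScaler CLI as this example assumes it; other vserver
# kinds (lb, cs) are present to show they are ignored.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add lb vserver lb_web HTTP 10.0.0.20 80 -persistenceType NONE
add vpn vserver gw_users SSL 10.0.0.30 443 -icaOnly OFF
add authentication vserver aaa_portal SSL 10.0.0.40 443
add vpn vserver gw_ica SSL 10.0.0.31 443 -icaOnly ON
add cs vserver cs_main SSL 10.0.0.50 443
"""

# Only these two vserver kinds match the advisory's exposure criteria:
# "vpn" is the Gateway role (VPN, ICA Proxy, CVPN, RDP Proxy),
# "authentication" is the AAA virtual server.
VSERVER_RE = re.compile(
    r"^add (?P<kind>vpn|authentication) vserver (?P<name>\S+) "
    r"(?P<proto>\S+) (?P<ip>\S+) (?P<port>\d+)(?P<rest>.*)$"
)

ROLE = {"vpn": "Gateway", "authentication": "AAA"}


def exposed_vservers(conf_text):
    """List vpn/authentication vservers found in ns.conf-style text,
    in the order they appear."""
    found = []
    for line in conf_text.splitlines():
        m = VSERVER_RE.match(line.strip())
        if not m:
            continue
        found.append({
            "name": m["name"],
            "role": ROLE[m["kind"]],
            "ip": m["ip"],
            "port": int(m["port"]),
            # -icaOnly ON is the classic ICA Proxy only deployment; still in scope
            "ica_only": "-icaOnly ON" in m["rest"],
        })
    return found


def in_scope(conf_text):
    """True when the advisory's 'configured as Gateway or AAA' condition holds."""
    return bool(exposed_vservers(conf_text))


if __name__ == "__main__":
    for v in exposed_vservers(SAMPLE_NS_CONF):
        suffix = " (ICA only)" if v["ica_only"] else ""
        print(f"{v['role']:8} {v['name']} {v['ip']}:{v['port']}{suffix}")
    print("in scope:", in_scope(SAMPLE_NS_CONF))
```

A pure load-balancing appliance with no vpn or authentication vserver would report not in scope here, matching the "not all devices are necessarily vulnerable" point in the episode; anything with even one such vserver should be treated as vulnerable and patched, with active sessions terminated as the advisory instructs.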

WinRAR Vulnerability CVE-2025-6218
WinRAR may be tricked into extracting files from a crafted archive into attacker-determined locations, possibly leading to remote code execution.
https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=276&cHash=b5165454d983fc9717bc8748901a64f9
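The bug class above, an archive member name that steers the extractor outside the chosen output directory, is the same whatever the container format. The following is an added example, not WinRAR's code and not a reproduction of CVE-2025-6218: it builds a constructed ZIP in memory (the standard library has no RAR support, so ZIP stands in for the container; the entry names are invented) containing one benign file and several traversal attempts, and extracts it with an explicit per-member path check instead of trusting the name. The check is written from scratch here; it rejects absolute paths, drive-qualified names, backslash separators and any `..` that survives normalization, then confirms the resolved target still sits under the destination.

```python
import io
import os
import posixpath
import tempfile
import zipfile

# Constructed archive contents (not a real malicious sample): one benign
# member and several names that try to escape the extraction directory.
ENTRIES = {
    "report/readme.txt": b"benign content\n",
    "../../Startup/evil.bat": b"relative traversal\n",
    "..\\..\\evil2.txt": b"backslash traversal\n",
    "/etc/cron.d/evil": b"absolute path\n",
    "C:\\Windows\\evil.dll": b"drive letter\n",
    "report/../../outside.txt": b"dot-dot in the middle\n",
}


def build_archive(entries=ENTRIES):
    """Write the constructed entries into an in-memory ZIP and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def safe_target_path(dest_dir, member_name):
    """Return the absolute path a member may be written to, or None if its
    name would land outside dest_dir. Anything odd is refused, not repaired."""
    name = member_name.replace("\\", "/")           # treat both separators alike
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return None                                  # absolute or drive-qualified
    norm = posixpath.normpath(name)
    parts = norm.split("/")
    if norm in (".", "") or ".." in parts or "" in parts:
        return None                                  # still escapes after normalization
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, *parts))
    if os.path.commonpath([dest_real, target]) != dest_real:
        return None                                  # belt and braces: resolved path check
    return target


def extract_checked(archive_bytes, dest_dir):
    """Extract only members that pass safe_target_path; report both lists.
    Bytes are written by hand so the check above is the only sanitizer."""
    written, refused = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = safe_target_path(dest_dir, info.filename)
            if target is None:
                refused.append(info.filename)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(info.filename)
    return {"written": written, "refused": refused}


def demo():
    """Run the checked extraction into a temp dir and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        result = extract_checked(build_archive(), tmp)
        result["benign_exists"] = os.path.isfile(os.path.join(tmp, "report", "readme.txt"))
    return result


if __name__ == "__main__":
    r = demo()
    print("written:", r["written"])
    print("refused:", r["refused"])
```

The important design choice is that `safe_target_path` never tries to "clean" a hostile name into something acceptable; a member that needs repair is refused outright, which is what you want when the alternative is an attacker choosing which file on disk gets overwritten.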

Podcast Transcript

Hello and welcome to the Tuesday, June 24, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today's episode is brought to you by the SANS.edu graduate certificate program in cybersecurity leadership, and it is recorded in Stockheim, Germany.

Now, today I noticed that some telnet/ssh scanners used a somewhat odd username, super underscore YG. This started on the 18th, so a couple of days ago, and has been used persistently since then by about a dozen different IP addresses. In addition to this username, they also scanned for some fairly common usernames like root, guest and other common default username and password combinations. So this one stuck out a little bit. Turns out it's associated with an older vulnerability from 2017 in software that is called IP Cameras and made by a company that I believe is pronounced Ichano. Now, the issue here is that even though this particular vulnerability was discovered and reported in 2017, there is no real evidence that this default username and password has ever been removed from this particular product. This is an IP camera product, but not your usual sort of standalone IP camera. It's actually software that can be used to turn smartphones, tablets, laptops and such into IP cameras for surveillance, for security cameras. And with that, of course, a lot of the functionality and the common vulnerabilities that we often find in these types of cameras are being exposed.

And then, if you are running Citrix's NetScaler appliance as well, it's update time for you. Last week, Citrix released a critical update. This fixes a vulnerability that allows unauthenticated users access to session IDs, which then, of course, could simply be used to log in as any of the users these sessions are associated with. An update is available. You're vulnerable if you're using the device as a gateway, VPN server and the like. So not all devices are necessarily vulnerable, but certainly, well, consider yourself vulnerable if you're running an affected device, and please update. It also says that you should kill all active sessions. Interestingly, they specifically say not to just rely on rebooting the devices. I'm not sure if during a reboot some of the sessions may be maintained, may be saved and then reinstated later. I'm not that familiar with NetScaler, but they specifically say don't just rely on rebooting, but also run the commands and read the advisory for details to actually terminate any existing sessions. Because these sessions, again, may have leaked to an attacker. And the attacker, of course, once they have access to sessions, can access any of these users' permissions and data, keys and the like. So if you are vulnerable and you find evidence of compromise, you definitely have a big problem here. At this point, there is no public exploit I'm aware of. But the very similar prior exploit, the Citrix Leak exploit, was widely exploited a couple of years ago. So definitely, I would assume that an exploit, if it's not already available, will soon become available for this vulnerability.

And WinRAR released a new beta version, 7.12 Beta 1, that fixes a critical vulnerability affecting prior non-beta versions of WinRAR. No idea when the final 7.12 will be released, but you may want to consider, if you're using WinRAR, installing this beta version. The vulnerability would trick WinRAR into extracting files from a crafted archive into essentially arbitrary attacker-determined locations, which then, of course, could also lead to arbitrary code execution if the right file can be overwritten. Interesting vulnerability. We have seen very similar vulnerabilities often in similar software. So I would certainly expect an exploit for this vulnerability to surface pretty soon.

Well, that is it for today. So thanks for listening, and talk to you again tomorrow. Bye. Bye. Bye-bye.