
SANS Stormcast Monday, July 14th, 2025: Suspect Domain Feed; Wing FTP Exploited; FortiWeb Exploited; NVIDIA GPU Rowhammer

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9524.mp3


Experimental Suspicious Domain Feed
Our new experimental suspicious domain feed uses various criteria to identify domains that may be used for phishing or other malicious purposes.
https://isc.sans.edu/diary/Experimental%20Suspicious%20Domain%20Feed/32102
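As an added illustration, not the ISC feed's own code (its scoring rules and weights are not published), the Python scorer below applies the kinds of criteria the episode describes for newly registered domains: impersonated brand keywords, letters from more than one Unicode script in one label, a high share of digits, and high character entropy, and it emits the contributing reasons next to the score. The brand watchlist, weights, thresholds, homoglyph table and sample domains are all constructed assumptions for the example.

```python
import math
import unicodedata
from dataclasses import dataclass

# Constructed brand watchlist and weights; the real feed's lists and weights are not
# published, so these are assumptions for illustration only.
BRAND_KEYWORDS = ("paypal", "microsoft", "apple", "amazon", "google")
WEIGHTS = {"brand": 3.0, "mixed_script": 4.0, "digits": 2.0, "entropy": 2.0}
ENTROPY_THRESHOLD = 4.0   # bits per character; assumed cut-off for "random-looking"
DIGIT_FRACTION = 0.3      # assumed cut-off for "lots of numbers"

# Small constructed table of Cyrillic letters that look like Latin ones.
HOMOGLYPHS = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                            "\u0440": "p", "\u0441": "c", "\u0445": "x", "\u0443": "y"})


@dataclass
class ScoredDomain:
    domain: str
    score: float
    reasons: list


def shannon_entropy(text: str) -> float:
    """Bits per character of the label; random-looking labels score high."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scripts_used(text: str) -> set:
    """Unicode script names (LATIN, CYRILLIC, ...) of the letters in the label."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in text if ch.isalpha()}


def registrable_label(domain: str) -> str:
    """Leftmost label, decoded from punycode when it is an IDN (xn--) label."""
    label = domain.lower().rstrip(".").split(".")[0]
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # keep the raw label if it is not valid punycode
    return label


def fold(text: str) -> str:
    """Map known homoglyphs to Latin and strip accents so brand words can be matched."""
    text = text.translate(HOMOGLYPHS)
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def score_domain(domain: str) -> ScoredDomain:
    label = registrable_label(domain)
    reasons = []
    if any(brand in fold(label) for brand in BRAND_KEYWORDS):
        reasons.append("brand")
    if len(scripts_used(label)) > 1:
        reasons.append("mixed_script")
    digits = sum(ch.isdigit() for ch in label)
    if label and digits / len(label) > DIGIT_FRACTION:
        reasons.append("digits")
    if len(label) >= 12 and shannon_entropy(label) >= ENTROPY_THRESHOLD:
        reasons.append("entropy")
    return ScoredDomain(domain, sum(WEIGHTS[r] for r in reasons), reasons)


def rank_domains(domains):
    """Highest score first, mirroring a 'top 20' view of the feed."""
    return sorted((score_domain(d) for d in domains), key=lambda s: s.score, reverse=True)


# Constructed sample of "newly registered" domains; not real feed data.
SAMPLE_DOMAINS = [
    "example.org",
    "paypal-login-secure.com",
    "p\u0430ypal.com",                 # Cyrillic 'а' in place of Latin 'a'
    "secure-update-2025071401.net",    # date-bearing label, as the episode mentions
    "k3j9x2q7m4z8w1v5b6n0.com",        # random-looking label
]

if __name__ == "__main__":
    for entry in rank_domains(SAMPLE_DOMAINS):
        print(f"{entry.score:4.1f}  {entry.domain:32}  {','.join(entry.reasons)}")
```

The date-bearing sample only trips the digit rule, which matches the episode's remark that such registrations are hard to call malicious on their own; the mixed-script homoglyph domain ranks highest because two independent signals agree on it.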

Wing FTP Server RCE Vulnerability Exploited CVE-2025-47812
Huntress saw active exploitation of the Wing FTP Server remote code execution vulnerability (CVE-2025-47812) at a customer on July 1, 2025. Organizations running Wing FTP Server should update to the fixed version, 7.4.4, as soon as possible.
https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild
https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/

FortiWeb Pre-Auth RCE (CVE-2025-25257)
An exploit for the FortiWeb RCE Vulnerability is now available and is being used in the wild.
https://pwner.gg/blog/2025-07-10-fortiweb-fabric-rce

NVIDIA Vulnerable to Rowhammer
NVIDIA has received new research related to the industry-wide DRAM issue known as “Rowhammer”. The research demonstrates a potential Rowhammer attack against an NVIDIA A6000 GPU with GDDR6 Memory. The purpose of this notice is to reinforce already known mitigations to Rowhammer attacks.
https://nvidia.custhelp.com/app/answers/detail/a_id/5671/~/security-notice%3A-rowhammer---july-2025


Podcast Transcript

Hello and welcome to the Monday, July 14, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today's episode is brought to you by the SANS.edu Graduate Certificate Program in Industrial Control System Security and it is recorded here at SANS Fire in Washington, D.C.

Well, this weekend I worked on a new data feed, Suspicious Domains. This is something we used to have in the past. Like years ago, we had a suspicious domain feed and what we did in the past was that we basically aggregated various other public domain feeds in order to then rank them and also look for domains that are sort of more significant by showing up in multiple feeds. The problem with this approach was that, well, these feeds kind of changed. Some of them got discontinued, others changed their licensing so that we could no longer use them and redistribute them. So we now take a little bit of a different approach. We already had data of newly registered domains. We offer that as part of our API data. The recent domains feature in our API basically gives you recently registered domains. So what we did now is took an approach that is not new, but where we basically look for odd patterns in these domains. So things like, for example, well-known brand names are often impersonated. We're looking for international characters that are a little bit odd, particularly if multiple different scripts are being used in one domain name. Also things like lots of numbers, high entropy, like these random domain names. What we have right now is probably a little bit more sensitive to phishing domains. The malware domains are probably caught with a lot of these sort of high entropy, these very random domain names. But those are actually a little bit more difficult to find, actually identify and prioritize, because it looks like there are also some legitimate, not really sure what for, but domain names being registered in large numbers that basically include things like the current date or just the random characters that are not necessarily identifiable as malicious. But like I said, it's experimental right now. I'm still experimenting with the different weights we assign to these features and how we exactly calculate the rank here or our score, as we call it. The score is added to our recent domain feeds. I also added the reasons for the scores, the basic keywords telling you what contributed to that score, like if it was the entropy, if it was international domain names or a combination thereof. So let me know if it works for you. I did see a couple interesting domain names that sort of bubbled up to sort of the top 20 there this weekend. But really, I think it needs a little bit more observation and work to sort of fine tune it. So let me know if it works for you or have any suggestions what to improve on this particular data.

And for users of Wing FTP, well, there is a critical update available for you and a vulnerability that's already being exploited in the wild. June 30th, RCE Security did release details about this particular flaw, including a proof of concept exploit that pretty much had everything you needed to exploit this vulnerability. Huntress Lab is now saying that this vulnerability is actively being exploited. Now, don't get confused by this being an FTP server, Wing FTP. It actually has a web component that is being exploited here. So it's not the good old FTP protocol that is vulnerable here. The exploit of this vulnerability is kind of interesting. It's something that we have definitely seen before, but not all that terribly common. And that's how the null byte is being dealt with. It's often being used like in C and such to terminate strings. Well, it depends really on the language you're using and how you're exactly using this particular string. But the problem is here that you can add additional content, and in particular Lua script code, to the end of your username. You just have to delineate it with a null byte. That way authentication still works because it only looks at the content of the username up to this null byte. But then the entire username you provided is copied into the session file, including that code, which can then lead to remote code execution. So interesting vulnerability and definitely something for web developers and such, of course, also to read up on that you're not making the same mistake.

And I guess today is kind of exploit Monday because we have a lot of exploits to vulnerabilities that we recently talked about for FortiWeb. That's a vulnerability I think I mentioned on Friday, if I remember correctly. Well, it's being exploited now. There is a blog available that gives you all the details about this vulnerability. It's at its core a SQL injection vulnerability. SQL injection vulnerabilities, of course, can easily lead to remote code execution. If you can write a file, that's exactly what's happening here. You can use SQL injection to write a file on the system and then execute the content of that file.

And NVIDIA released the advisory that some of its GPUs are susceptible to the Rowhammer attack. Rowhammer affects DDR memory. And of course, DDR is being used in modern graphic cards. And the problem here is that repeated reading and writing to certain areas of the memory can actually affect even flip bits in other parts of the memory that a user may otherwise not have access to. This is an older vulnerability, originally, I believe, discovered by Google. And pretty much it's sort of inherent, intrinsic to DDR memory. So no big surprise that GPUs and the graphic cards, basically with DDR memory, are susceptible to this vulnerability.

Well, and this is it for today. Thanks for listening. Thanks for recommending this podcast. Thanks for leaving good reviews in your favorite podcast platform. And please like and subscribe. And that's it for today. Thanks for listening and talk to you again tomorrow. Bye.
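The Wing FTP flaw described above is, at its core, two views of one buffer disagreeing: the authentication check reads the username as a NUL-terminated C string, while the session file receives the full, length-delimited buffer. The Python model below is an added example, not Wing FTP's code or Huntress's analysis; the credential store, the session-file format and the `injected-suffix` marker are constructed stand-ins. It reproduces the mismatch and shows the fix a developer would apply: validate the exact bytes that will be persisted, and reject identifiers that contain NUL or any other control character before they reach either the lookup or the file.

```python
import re
import tempfile
from pathlib import Path

# Constructed credential store (assumption; nothing to do with Wing FTP's real storage).
USERS = {b"alice": b"correct-horse"}


def c_string_view(data: bytes) -> bytes:
    """What a NUL-terminated string API sees: everything up to the first 0x00 byte."""
    return data.split(b"\x00", 1)[0]


def authenticate_vulnerable(username: bytes, password: bytes) -> bool:
    # The lookup runs on the C-string view, so bytes after a NUL never influence it.
    return USERS.get(c_string_view(username)) == password


def write_session_vulnerable(session_dir: Path, username: bytes) -> bytes:
    # The session file receives the whole length-delimited buffer, NUL and all.
    content = b"username = " + username + b"\n"
    (session_dir / "session.txt").write_bytes(content)
    return content


# Hardened rule: printable, bounded, no NUL, no newlines, no other control bytes.
USERNAME_OK = re.compile(rb"[A-Za-z0-9._-]{1,64}")


def validate_username(username: bytes) -> bool:
    return USERNAME_OK.fullmatch(username) is not None


def authenticate_hardened(username: bytes, password: bytes) -> bool:
    # Validate the exact bytes that would later be persisted; then look them up unchanged.
    if not validate_username(username):
        return False
    return USERS.get(username) == password


def demo() -> dict:
    """Run both flows on a constructed username carrying a NUL and a trailing suffix."""
    tainted = b"alice\x00injected-suffix"   # constructed input, not a real payload
    with tempfile.TemporaryDirectory() as tmp:
        session_dir = Path(tmp)
        vulnerable_accepts = authenticate_vulnerable(tainted, b"correct-horse")
        stored = write_session_vulnerable(session_dir, tainted) if vulnerable_accepts else b""
        hardened_accepts = authenticate_hardened(tainted, b"correct-horse")
    return {
        "vulnerable_accepts": vulnerable_accepts,          # True: auth saw only "alice"
        "session_has_suffix": b"injected-suffix" in stored,  # True: file got the full buffer
        "hardened_accepts": hardened_accepts,              # False: NUL rejected up front
        "hardened_accepts_clean": authenticate_hardened(b"alice", b"correct-horse"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value}")
```

The important design choice is that the hardened path validates and stores the same byte string; if a check and a write ever operate on different views of the input (truncated versus length-delimited, decoded versus raw), the check can be bypassed by whatever the truncation discards.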