SANS Stormcast Tuesday, July 29th, 2025: Parasitic Exploits; Cisco ISE Exploit; MyASUS Vuln

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9546.mp3


Parasitic SharePoint Exploits
We are seeing attacks against SharePoint itself, as well as attempts to use the backdoor pages that earlier attackers left behind on already-compromised servers.
https://isc.sans.edu/diary/Parasitic%20Sharepoint%20Exploits/32148
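
The episode's advice for SharePoint owners is to go through the web server logs. As an added illustration (example code written for this page, not code from the ISC diary or the podcast), the script below scans a constructed IIS W3C log excerpt and flags two things: unauthenticated POST requests to ToolPane.aspx, the page the exploit itself hits, and any request for the spinstall*/xxx .aspx backdoor names the episode lists. The filename patterns, the assumption that the exploit request carries no cs-username, and the reading of the status code (200 means the backdoor page exists on disk and was served, anything else means someone is only probing for it) are my assumptions; the exact names used in the wild vary.

```python
"""Scan IIS W3C logs for the SharePoint exploit and backdoor paths mentioned
in the episode. Added example for this page; not code from the ISC diary."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not real traffic). Field order follows the #Fields:
# directive, which is how IIS declares its column layout.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2025-07-20 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-20 03:14:07 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 alice 10.0.0.21 Mozilla/5.0 - 200 0 0 120
2025-07-20 03:15:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 310
2025-07-20 03:15:43 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 45
2025-07-21 11:02:19 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.9 python-requests/2.32 - 200 0 0 40
2025-07-22 08:44:02 10.0.0.5 GET /_layouts/16/spinstallx.aspx - 443 - 192.0.2.44 curl/8.5 - 404 0 2 12
2025-07-22 08:44:03 10.0.0.5 GET /_layouts/15/xxx.aspx - 443 - 192.0.2.44 curl/8.5 - 404 0 2 11
2025-07-23 09:10:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 admin 10.0.0.30 Mozilla/5.0 - 200 0 0 200
"""

# Filename patterns. Assumption: built from the names the episode lists
# (spinstall0, spinstall8, spinstallx, xxx.aspx); real backdoor names vary.
BACKDOOR_NAME = re.compile(r"^(?:spinstall[0-9a-z]*|xxx)\.aspx$", re.I)
# ToolPane.aspx is the page the exploit itself requests.
EXPLOIT_NAME = re.compile(r"^toolpane\.aspx$", re.I)


@dataclass
class Finding:
    when: str
    client_ip: str
    method: str
    path: str
    status: int
    kind: str  # "exploit-attempt", "compromised" or "probe"


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields:."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")  # IIS encodes spaces inside values as '+'
        if len(parts) != len(fields):
            continue  # truncated or foreign line: skip it rather than guess
        yield dict(zip(fields, parts))


def classify(rec):
    """Return a finding kind for one request, or None if it looks benign."""
    name = rec["cs-uri-stem"].rsplit("/", 1)[-1]
    status = int(rec["sc-status"])
    unauthenticated = rec["cs-username"] == "-"
    # Authenticated editors POST to ToolPane.aspx legitimately; the exploit
    # does so without credentials (assumption: cs-username is '-' then).
    if EXPLOIT_NAME.match(name) and rec["cs-method"].upper() == "POST":
        return "exploit-attempt" if unauthenticated else None
    if BACKDOOR_NAME.match(name):
        # 200: the backdoor page exists and was served, i.e. the box is owned.
        # Anything else: someone (attacker or researcher) is only probing.
        return "compromised" if status == 200 else "probe"
    return None


def scan(text):
    """Run classify() over every request line and collect the hits."""
    findings = []
    for rec in parse_w3c(text):
        kind = classify(rec)
        if kind:
            findings.append(Finding(f"{rec['date']} {rec['time']}", rec["c-ip"],
                                    rec["cs-method"], rec["cs-uri-stem"],
                                    int(rec["sc-status"]), kind))
    return findings


def is_compromised(findings):
    """True if any backdoor page was actually served (status 200)."""
    return any(f.kind == "compromised" for f in findings)


def by_client(findings):
    """Group finding kinds per source IP, in log order."""
    groups = defaultdict(list)
    for f in findings:
        groups[f.client_ip].append(f.kind)
    return dict(groups)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f.when} {f.client_ip:>14} {f.method:4} {f.status} {f.kind:16} {f.path}")
    print("server compromised:", is_compromised(results))
```

A single 200 on a backdoor name is the finding that matters: the scanner traffic with 404s tells you the path is being probed, while a 200 tells you the file is on disk, which is the point at which the episode's advice (rebuild, patch, rotate the machine keys) applies rather than just patching.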

Cisco ISE Vulnerability Exploited
A recently patched vulnerability in Cisco ISE is now being exploited. The Zero Day Initiative has released a blog post detailing the exploit chain, which takes an unauthenticated attacker to code execution.
https://www.zerodayinitiative.com/blog/2025/7/24/cve-2025-20281-cisco-ise-api-unauthenticated-remote-code-execution-vulnerability

MyASUS Vulnerability
The "MyASUS" tool does not store its access tokens correctly, potentially giving an attacker access to sensitive functions.
https://www.asus.com/content/security-advisory/

Podcast Transcript

Hello and welcome to the Tuesday, July 29th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida, and this episode is brought to you by the SANS.edu graduate certificate program in incident response.

Yesterday, I think I mentioned these parasitic attacks against the back doors that were left behind by SharePoint exploits. I wrote up some of this a little bit today, and here is a quick graph that I published there, showing how these particular attacks evolved. They started pretty much on the 20th, that's sort of when this entire SharePoint issue hit the news big time, then rose quickly and have been somewhat steady since then, maybe with a little drop here the last couple of days, but many of these attacks are also coming from researchers that are just trying to figure out how many systems are affected by these attacks. Now, the other thing I published as part of this is the different URLs that are being hit here. Interestingly, there's one URL that was hit on the 13th, and also one on the 16th that really was just an exploit. So on the 13th, the URL teams logon.aspx was hit. Not sure. I haven't had a chance to look at this on a real SharePoint server to see if that URL actually exists. I don't think it does exist. So this would possibly be an early left-behind sort of back door that someone was looking for here before the attack really blew up. Then on the 16th, we see toolpane.aspx. Again, that's from our honeypots. So that's when we saw the initial attacks in our honeypots. And then, of course, it continues on the 19th with spinstall0. They're varying a little bit in the number here, like spinstall8 was one, or spinstallx that we see. And a couple of others like xxx.aspx are sort of interesting, sys layouts. So maybe something that attempts to fit a little bit better into the overall naming scheme and such to make it less suspicious as a file. Anyway, these attacks are still ongoing. Just as a reminder, if you do see an unpatched SharePoint server, it has been compromised at this point, in particular if it's being exposed. I haven't seen any exploits yet that remove some of these back doors, but that would be sort of the logical next step for an attacker, to basically remove evidence after they attack a particular system. So be really careful. Look over your logs. Make sure that you're not missing anything. Rebuild. Patch the server. And definitely rotate the machine keys.

The Zero Day Initiative released a blog post with details regarding two related vulnerabilities that were patched by Cisco on June 25th. And then a couple of weeks later, a second patch was released around July 17th. These vulnerabilities are now actively exploited, according to Cisco. They affect the Identity Services Engine. I think I mentioned them a couple of weeks ago when the patch was released for these particular vulnerabilities. And they may get an attacker from being unauthenticated all the way to executing arbitrary code. And this particular blog post goes through all the steps necessary with sample code. So everything that you need to exploit the vulnerability is here and is public. And so far, it's just fair to assume, as Cisco did in the update to their advisory, that these vulnerabilities are now actively being exploited. And you better make sure that your systems are being patched.

ASUS released an update for its MyASUS tool. Now, this is often preinstalled software, or software that users then later install in order to be better able to control their PCs. The problem with these tools is often that they have far-reaching access to the hardware and software running on the system. In this particular case, one of the vulnerabilities does consist of hard-coded credentials that may give an attacker access to some of that functionality. The release here from ASUS is fairly vague on what exactly is involved and how it could be exploited. But there are often HTTP APIs and such involved. So definitely something that you should be paying attention to, and hopefully patch it sooner rather than later. The problem, on the other hand, is that these kinds of tools are often on home user PCs, not so much on organization and enterprise PCs. And as a result, they often do get overlooked when it comes to patching.

Well, and this is it for today. So thanks for listening. Thanks for subscribing. Thanks for liking this podcast. And yeah, please leave a good review, or at least click on the like or five star button in your favorite podcast platform. Anything like this is appreciated. Thanks and talk to you again tomorrow. Bye.