SANS Stormcast Monday, August 4th, 2025: Legacy Protocols; Sonicwall SSL VPN Possible 0-Day;

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9554.mp3

Scans for pop3user with guessable password
A particular IP assigned to a network that calls itself “Unmanaged” has been scanning telnet/ssh for a user called “pop3user” with passwords “pop3user” or “123456”. I assume they are looking for legacy systems that either currently run pop3 or ran pop3 in the past, and left the user enabled.
https://isc.sans.edu/diary/Legacy%20May%20Kill/32166
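The diary entry's advice is to remove accounts left behind by retired services such as POP3, or at least make sure they cannot log in. The following audit is an added example, not code from the ISC diary: it walks passwd/shadow-style data (constructed samples below; on a real host you would read /etc/passwd and /etc/shadow) and reports legacy-looking accounts that still have an interactive shell and an unlocked or empty password. LEGACY_HINTS and NOLOGIN_SHELLS are assumed lists to adapt to your environment.

```python
# Added example (not from the ISC diary): find retired service accounts that can
# still log in. The passwd/shadow text below is constructed; on a real host read
# /etc/passwd and /etc/shadow (the latter as root) instead.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}
# Username fragments that hint at a legacy service (constructed list; extend it).
LEGACY_HINTS = ("pop3", "pop", "imap", "ftp", "uucp", "telnet", "finger")

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
pop3user:x:1003:1003:POP3 mailbox user:/home/pop3user:/bin/bash
ftpuser:x:1004:1004::/srv/ftp:/usr/sbin/nologin
alice:x:1005:1005::/home/alice:/bin/bash
imapd:x:1006:1006::/var/imap:/bin/sh
"""
SHADOW_SAMPLE = """\
root:$6$salt$hash:19900:0:99999:7:::
pop3user:$6$salt$oldhash:16000:0:99999:7:::
ftpuser:!:16000:0:99999:7:::
alice:$6$salt$hash2:20000:0:99999:7:::
imapd::16500:0:99999:7:::
"""

def parse_shadow(text: str) -> dict:
    """Map username -> password field (second column) of shadow-format text."""
    out = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) > 1:
            out[fields[0]] = fields[1]
    return out

def audit_legacy_accounts(passwd_text: str, shadow_text: str) -> list:
    """Legacy-looking accounts with an interactive shell whose password is not locked.
    A '!' or '*' prefix in the shadow field means the password is locked."""
    hashes = parse_shadow(shadow_text)
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        user, uid, shell = fields[0], fields[2], fields[6]
        if uid == "0" or not any(h in user.lower() for h in LEGACY_HINTS):
            continue
        pw = hashes.get(user, "")
        if shell in NOLOGIN_SHELLS or pw.startswith(("!", "*")):
            continue  # no password login possible; authorized_keys still deserve a look
        reason = "empty password field" if pw == "" else "unlocked password hash"
        findings.append({"user": user, "shell": shell, "reason": reason})
    return findings
```

Accounts the audit reports should be removed or locked (for example with `usermod -L` and a nologin shell); a locked password does not revoke SSH keys, so check those separately.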

Possible Sonicwall SSL VPN 0-Day
Arctic Wolf observed compromised Sonicwall SSL VPN devices used by the Akira group to install ransomware. These devices were fully patched, and credentials had recently been rotated.
https://arcticwolf.com/resources/blog/arctic-wolf-observes-july-2025-uptick-in-akira-ransomware-activity-targeting-sonicwall-ssl-vpn/

PAM Based Linux Backdoor
For over a year, attackers have used a PAM-based Linux backdoor that so far has gotten little attention from anti-malware vendors. PAM-based backdoors can be stealthy, and this one in particular includes various anti-forensics tricks.
https://www.nextron-systems.com/2025/08/01/plague-a-newly-discovered-pam-based-backdoor-for-linux/
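Since a PAM backdoor works by getting an attacker-controlled module into the authentication stack, the practical defence is to baseline and monitor the PAM configuration. The check below is an added example, not code from the Nextron write-up: it parses pam.d-style stanzas, flags modules missing from an allowlist or loaded from outside the standard module directories, and compares each file's SHA-256 against a recorded baseline. PAM_FILES, BASELINE, EXPECTED_MODULES and STANDARD_MODULE_DIRS are constructed stand-ins for your own host's files and known-good hashes.

```python
# Added example (not from the Nextron write-up): flag PAM modules that are unlisted
# or loaded from odd paths, and detect drift of /etc/pam.d files from a baseline.
import hashlib
import re

# Modules expected on this host (constructed allowlist; tailor it to your image).
EXPECTED_MODULES = {"pam_unix.so", "pam_env.so", "pam_deny.so", "pam_permit.so",
                    "pam_limits.so", "pam_nologin.so", "pam_faildelay.so"}
STANDARD_MODULE_DIRS = ("/lib/security/", "/lib64/security/", "/usr/lib/security/",
                        "/usr/lib64/security/", "/lib/x86_64-linux-gnu/security/")
# Constructed pam.d contents: "sshd" references a module outside the standard dirs.
PAM_FILES = {
    "/etc/pam.d/common-auth": "auth\t[success=1 default=ignore]\tpam_unix.so nullok\n"
                              "auth\trequisite\tpam_deny.so\nauth\trequired\tpam_permit.so\n",
    "/etc/pam.d/sshd": "# constructed sample\nauth\tsufficient\t/tmp/.cache/pam_helper.so\n"
                       "@include common-auth\nsession\trequired\tpam_limits.so\n",
}
# Baseline hashes recorded on a clean host (constructed): sshd no longer matches.
BASELINE = {
    "/etc/pam.d/common-auth": hashlib.sha256(PAM_FILES["/etc/pam.d/common-auth"].encode()).hexdigest(),
    "/etc/pam.d/sshd": "0" * 64,
}

def referenced_modules(content: str) -> list:
    """Module token of each 'type control module [args]' line; comments and @include skipped."""
    mods = []
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "@include")):
            continue
        # Bracketed control fields like [success=1 default=ignore] contain spaces.
        parts = re.sub(r"\[[^\]]*\]", "CTRL", line).split()
        if len(parts) >= 3:
            mods.append(parts[2])
    return mods

def audit_pam(files: dict, baseline: dict) -> list:
    """Return findings for hash drift and for unlisted or oddly located modules."""
    findings = []
    for path, content in files.items():
        if baseline.get(path) != hashlib.sha256(content.encode()).hexdigest():
            findings.append(f"{path}: hash differs from baseline")
        for mod in referenced_modules(content):
            if "/" in mod and not mod.startswith(STANDARD_MODULE_DIRS):
                findings.append(f"{path}: module loaded from non-standard path {mod}")
            elif mod.rsplit("/", 1)[-1] not in EXPECTED_MODULES:
                findings.append(f"{path}: unexpected module {mod}")
    return findings
```

Extend BASELINE to the .so files in the module directories as well, since a backdoor can also replace a legitimately named module rather than adding a new line to the configuration.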

Podcast Transcript

 Hello and welcome to the Monday, August 4th, 2025
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich, recording today from
 Jacksonville, Florida. And this episode is brought to you
 by the SANS.edu Graduate Certificate Program in
 Incident Response. Nothing groundbreaking today as far as
 Internet Storm Center data goes. Well, the one little bit
 odd thing we had is scans for SSH and Telnet using the
 username pop3user and the password, well, just the
 username or 123456. Just a reminder that, well, yes,
 those old protocols may still be out there. So if you no
 longer use POP, make sure you don't just disable the POP3
 server, but also, well, remove associated accounts if
 possible or make sure they're at least not able to log in.
 Because, well, given that they are probably 10 or so years
 old, who knows what the password is. And it may be
 something stupidly simple. Also interesting here, the
 network where these particular scans originated from, well,
 it's managed by Unmanaged according to WHOIS. That
 appears to be the official name of that particular
 network service provider. So Unmanaged.uk. It's a UK
 provider, at least according to the records. Don't think
 they're doing much in terms of managing abuse and the like.
 These are often also some bulletproof hosting providers.
 Haven't seen this particular one before, but often I don't
 really bother looking at the WHOIS record. So definitely,
 well, like I said, maybe just block that particular network.
 Haven't really seen anything too useful in that network.
 And ArcticWolf published a blog post stating that they
 suspect there may be a zero-day vulnerability that hasn't
 really been fully described yet that is being used by
 ransomware actor Akira to breach SonicWall SSL VPN
 networks. They say they haven't really found any sort
 of definite evidence that this is a zero-day, but affected
 devices were fully patched. They had their credentials
 rotated and multi-factor authentication enabled. Now,
 to put this a little bit in context, we also had some
 reports recently that the SonicWall instances that were
 fully patched were breached based on credentials that got
 leaked in prior breaches using older vulnerabilities before
 this particular device was patched. This may include
 multi-factor authentication because the seed for the
 one-time password that's being used here for multi-factor
 authentication could also be stolen using these prior
 vulnerabilities. So, really not clear what's going on
 here. ArcticWolf does suggest that you disable the SonicWall
 SSL VPN that appears to be sort of the critical component here
 that this SSL VPN has to be enabled in order for these
 devices to be exploited. So, lots of unknowns here. That's
 always a little bit unsettling, but I would
 definitely recommend that you at least take a very close
 look at these devices. And if possible, disable SSL VPN until
 we hear more from SonicWall directly. And researchers from
 Nextron Systems discovered an interesting new PAM-based
 backdoor for Linux that they're calling Plague. Now,
 PAM is interesting for Linux insofar because pluggable
 authentication modules. It's essentially what controls
 access to the system. So, if you're connecting via SSH or
 other tools, the server then often checks with PAM whether
 or not you have access to the system and, well, how you have
 access to the system. So, an attacker able to inject their
 own code into your PAM setup is able to essentially bypass
 authentication. That's pretty much what this backdoor does.
 Ultimately, this idea isn't new. There has been plenty
 written about these PAM-based backdoors. This one apparently
 has been around for quite a while, like a year or so, and
 hasn't really been described yet. And antivirus is still
 not really detecting it. Overall, you really must
 monitor your authentication system, your PAM configuration
 and the like. Make sure nothing has been altered here. There are
 some indicators of compromise that are noted in the blog,
 but it ultimately comes down to locking down and monitoring
 your authentication configuration. Well, and
 that's it for today. So, thanks again for listening.
 Thanks for liking and subscribing to this podcast.
 And, as always, special thanks for leaving any positive
 comments and ratings in your favorite podcast platform.
 Thanks and talk to you again tomorrow. Bye.