
SANS Stormcast Thursday, August 7th, 2025: Sextortion Update; Adobe and Trend Micro release emergency patches

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9560.mp3


Do Sextortion Scams Still Work in 2025?
Jan looked at recent sextortion emails to check if any of the crypto addresses in these emails received deposits. Sadly, some did, so these scams still work.
https://isc.sans.edu/diary/Do%20sextortion%20scams%20still%20work%20in%202025%3F/32178
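The diary's check starts from the payment addresses pasted into the emails. The following Python is an added example, not the diary's code: it pulls Bitcoin addresses out of email bodies, verifies the Base58Check checksum of legacy addresses so that mistyped or mangled strings are not sent to a blockchain lookup, and tallies how many distinct addresses received funds. The email bodies and the deposit data are constructed; the one legacy address used is the well-known Bitcoin genesis address and the bech32 one is the BIP173 example address, chosen only because they are known-valid strings.

```python
"""Extract, validate and tally the Bitcoin addresses demanded in sextortion emails.

Added example (not the ISC diary's code). SAMPLE_EMAILS and SAMPLE_DEPOSITS are
constructed; in real use the validated addresses would be looked up on a block
explorer or a node instead of the dict used here.
"""
import hashlib
import re
from collections import Counter

# Base58 alphabet used by legacy (P2PKH / P2SH) Bitcoin addresses.
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Legacy addresses start with 1 or 3 and are 26-35 base58 characters long.
_LEGACY_RE = re.compile(r"\b[13][%s]{25,34}\b" % _B58)
# bech32 (bc1...) addresses use a different checksum; only shape is checked here.
_BECH32_RE = re.compile(r"\bbc1[02-9ac-hj-np-z]{11,71}\b")


def b58check_valid(addr: str) -> bool:
    """Decode a legacy address and verify its 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        if ch not in _B58:
            return False
        n = n * 58 + _B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes one leading zero byte (the 0x00 version byte).
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw
    if len(raw) != 25:  # 1 version byte + 20 byte hash + 4 byte checksum
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_addresses(text: str) -> list:
    """Return well-formed Bitcoin addresses found in an email body, deduplicated."""
    found = []
    for m in _LEGACY_RE.finditer(text):
        if b58check_valid(m.group()) and m.group() not in found:
            found.append(m.group())
    for m in _BECH32_RE.finditer(text):
        if m.group() not in found:
            found.append(m.group())
    return found


def tally_payments(emails, deposits_btc) -> dict:
    """Count distinct demanded addresses and how many of them received funds.

    deposits_btc maps address -> BTC received; here it stands in for an
    explorer lookup.
    """
    seen = Counter()
    for body in emails:
        for addr in extract_addresses(body):
            seen[addr] += 1
    paid = {a: deposits_btc.get(a, 0.0) for a in seen if deposits_btc.get(a, 0.0) > 0}
    return {
        "addresses": len(seen),
        "paid": len(paid),
        "total_btc": round(sum(paid.values()), 8),
    }


# Constructed sample emails (not real messages).
SAMPLE_EMAILS = [
    # Genesis address used as a known-valid string.
    "Subject: Cooperation offer\nSend 0.02 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 48 hours.",
    # Same address reused, plus a copy with the last character changed, which
    # fails the checksum and must be ignored.
    "Pay to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa or 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb.",
    # BIP173 example bech32 address.
    "Wallet: bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq",
]

# Constructed stand-in for the balances an explorer would report.
SAMPLE_DEPOSITS = {"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa": 0.02}

if __name__ == "__main__":
    print(tally_payments(SAMPLE_EMAILS, SAMPLE_DEPOSITS))
```

Rejecting addresses that fail the checksum matters for the tally: a mangled address in a scam email can never receive a deposit, so counting it would understate the scam's success rate.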

Akira Ransomware Group’s use of Drivers
GuidePoint Security observed the Akira ransomware group using specific legitimate drivers for privilege escalation.
https://www.guidepointsecurity.com/blog/gritrep-akira-sonicwall/
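The detection point in this item is that legitimately signed but rarely used drivers appearing on corporate endpoints deserve a look. The Python below is an added example, not GuidePoint's or SANS's code: it scores driver-load events (constructed in the shape of Sysmon Event ID 6 fields) against a per-fleet baseline of expected signers, the standard driver directories, and a set of hashes taken from a vulnerable-driver blocklist. The signer names, file names and hashes are constructed placeholders; a defender would fill them from their own inventory and a blocklist such as Microsoft's vulnerable driver blocklist or loldrivers.io.

```python
"""Flag unusual kernel driver loads for investigation.

Added example (not GuidePoint's or SANS's code). SAMPLE_EVENTS, BASELINE_SIGNERS and
ABUSED_SHA256 are constructed placeholders in the shape of Sysmon Event ID 6
(DriverLoad) fields.
"""
from pathlib import PureWindowsPath

# Directories from which drivers are normally loaded on a managed Windows host.
SYSTEM_DRIVER_DIRS = (
    r"C:\Windows\System32\drivers",
    r"C:\Windows\System32\DriverStore",
)


def _sha256_from_hashes(field: str) -> str:
    """Parse Sysmon's 'SHA256=...,IMPHASH=...' Hashes field and return SHA256 lowercased."""
    parts = dict(p.split("=", 1) for p in field.split(",") if "=" in p)
    return parts.get("SHA256", "").lower()


def assess_driver_load(event: dict, baseline_signers: set, abused_hashes: set) -> list:
    """Return the list of reasons a driver load is suspicious (empty = looks normal)."""
    reasons = []
    path = PureWindowsPath(event["ImageLoaded"])
    if not any(str(path).lower().startswith(d.lower()) for d in SYSTEM_DRIVER_DIRS):
        reasons.append(f"loaded from non-system path {path.parent}")
    if event.get("SignatureStatus") != "Valid":
        reasons.append("signature not valid")
    elif event.get("Signature") not in baseline_signers:
        # Signed, so EDR may let it load, but this vendor is not expected in the fleet.
        reasons.append(f"signer '{event.get('Signature')}' not in fleet baseline")
    if _sha256_from_hashes(event.get("Hashes", "")) in abused_hashes:
        reasons.append("hash on vulnerable-driver blocklist")
    return reasons


def triage(events, baseline_signers, abused_hashes) -> list:
    """Return (image, reasons) for every event that has at least one reason."""
    out = []
    for ev in events:
        reasons = assess_driver_load(ev, baseline_signers, abused_hashes)
        if reasons:
            out.append((ev["ImageLoaded"], reasons))
    return out


# Constructed baseline: signers expected on this (hypothetical) corporate fleet.
BASELINE_SIGNERS = {"Microsoft Windows", "Example Endpoint Vendor (constructed)"}

# Constructed placeholder for a blocklist hash (not a real driver hash).
ABUSED_SHA256 = {"c0ffee00" * 8}

# Constructed events in the shape of Sysmon Event ID 6 fields.
SAMPLE_EVENTS = [
    {
        "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
        "Hashes": "SHA256=" + "11" * 32,
    },
    {
        # Legitimately signed driver dropped in a user-writable directory.
        "ImageLoaded": r"C:\Users\Public\Temp\cputune.sys",
        "Signed": "true", "Signature": "Contoso Tuning Tools (constructed)", "SignatureStatus": "Valid",
        "Hashes": "SHA256=" + "C0FFEE00" * 8 + ",IMPHASH=" + "22" * 16,
    },
    {
        # Properly placed but from a vendor nobody in the fleet uses.
        "ImageLoaded": r"C:\Windows\System32\drivers\othervendor.sys",
        "Signed": "true", "Signature": "Other Vendor (constructed)", "SignatureStatus": "Valid",
        "Hashes": "SHA256=" + "33" * 32,
    },
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS, BASELINE_SIGNERS, ABUSED_SHA256):
        print(image, "->", "; ".join(reasons))
```

The baseline check is the piece that catches the case the episode describes: a valid signature is exactly why EDR allows the load, so "signed" cannot be the allow condition; "signed by someone we expect, from where we expect" is.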

Adobe Patches Critical Experience Manager Vulnerability
Adobe released emergency patches for a vulnerability in Adobe Experience Manager after a PoC exploit was made public.
https://slcyber.io/assetnote-security-research-center/struts-devmode-in-2025-critical-pre-auth-vulnerabilities-in-adobe-experience-manager-forms/
https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html

Trend Micro Apex One Vulnerability
Trend Micro released an emergency patch for an actively exploited pre-authentication remote code execution vulnerability in the Apex One management console.
https://success.trendmicro.com/en-US/solution/KA-0020652


Podcast Transcript

Hello and welcome to the Thursday, August 7th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership.

Sextortion scams, well, they were a big thing like a few years ago and have died down a little bit. But ever so often there's like a flare-up of them. Like the last couple weeks I received about a dozen or so emails with this "cooperation offer" subject line. Jan now took a quick look to figure out whether or not any of these scams are still successful. He looked at a couple dozen different email addresses and the associated cryptocurrency addresses that were attached to those emails. And, well, sadly a couple of them did get deposits in line with what they asked for as part of these extortion scams. This is really sort of a little bit of an awareness issue. But then also remember that even though the scam itself is old, not everybody may actually have received a copy. And then depending on current circumstances, people may or may not be more vulnerable to this. Just read on social media from someone who is actually very cyber aware and such, and that they fell for like one of those UPS scams lately, and entered their credit card number trying to basically have their package redelivered. And they were actually just waiting for a package. That all depends on the circumstances, whether or not someone falls for these. These style of messages, of course, are also relatively easy to filter automatically, which is probably why I haven't really seen many of them, because my spam filters and such will typically take care of them.

And then we got a couple additional pieces to the puzzle when it comes to the somewhat mysterious SonicWall compromise that were then used by the Akira ransomware group to gain access to corporate networks. Another tool they're apparently using is, well, the good old bring your own vulnerable driver attack, where they are installing drivers that are legitimate on the system, so they're usually allowed by EDR and the like, to then escalate privileges and disable EDR tools. This is a very common trick. The two drivers mentioned here, one of them sort of a CPU tuning driver, are legitimate, again, legitimate tools, but not very commonly used. So the presence of those drivers, in particular sort of in business, corporate PC environments, should certainly raise a flag and be investigated. There is additional, in the case of compromise and such, in the GuidePoint Security blog, where they're talking about the parts of the attack that they observed.

And if you are using Adobe's Experience Manager, it's time to patch. And this is sort of an out-of-order patch. Of course, we usually get Adobe patches at the same time Microsoft releases patches. So next Tuesday, I guess, we'll get some patches from Adobe. But these were released this week for Experience Manager, because there are two vulnerabilities that are already, at least, well, if not being exploited, there's a proof of concept publicly available. So exploitation is probably, at least in a targeted way, already happening. Adobe also released an advisory for these particular vulnerabilities. And again, patches are available.

And talking about critical and emergency patches, Trend Micro released a patch for its Apex One on-premise management console. This patch fixes a command injection vulnerability. It does allow remote code execution pre-authorization. The reason they essentially rushed out this patch is that the vulnerability is already being exploited in the wild. One word of caution here: they call this sort of a fix tool. It's not the final patch. It does limit the functionality of your Apex One console. You're no longer able to use the remote install agent to deploy agents with Trend Micro Apex One after you apply this fix. The final patch should be released mid-August. So in a week or so, I guess.

Well, and that's it for today. So thanks for listening. Thanks for liking, subscribing. And special thanks for leaving good comments for this podcast in your favorite podcast platform. And talk to you again tomorrow. Bye.