SANS Stormcast Tuesday, August 19th, 2025: MFA Bombing; Cisco Firewall Management Vuln; F5 Access for Android Vuln;

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9576.mp3


Keeping an Eye on MFA Bombing Attacks
Attackers exploit authentication fatigue by “bombing” users with MFA approval requests until one is accepted. In this diary, Rob explains how to investigate these attacks in a Microsoft ecosystem.
https://isc.sans.edu/diary/Keeping+an+Eye+on+MFABombing+Attacks/32208
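As an added example (not code from the diary or the podcast), a defender-side pass over an exported set of sign-in records that looks for the pattern described above: several denied or unanswered MFA prompts for one account inside a short window, and whether an approval followed that burst. The record layout and all values are constructed for this example; Microsoft's export uses its own schema, so the field names here are an assumption you would map your real export onto.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. The field names are an assumption for this example
# and are NOT the schema of Microsoft's sign-in export; map your export onto them.
SAMPLE_EXPORT = json.dumps([
    {"time": "2025-08-18T03:00:05Z", "user": "alice@example.com", "ip": "203.0.113.7", "mfa": "denied"},
    {"time": "2025-08-18T03:00:40Z", "user": "alice@example.com", "ip": "203.0.113.7", "mfa": "timeout"},
    {"time": "2025-08-18T03:01:15Z", "user": "alice@example.com", "ip": "203.0.113.7", "mfa": "denied"},
    {"time": "2025-08-18T03:01:50Z", "user": "alice@example.com", "ip": "203.0.113.7", "mfa": "timeout"},
    {"time": "2025-08-18T03:02:30Z", "user": "alice@example.com", "ip": "203.0.113.7", "mfa": "approved"},
    {"time": "2025-08-18T09:15:00Z", "user": "bob@example.com",   "ip": "198.51.100.2", "mfa": "timeout"},
    {"time": "2025-08-18T17:40:00Z", "user": "bob@example.com",   "ip": "198.51.100.2", "mfa": "approved"},
])

WINDOW = timedelta(minutes=10)   # how close together prompts must be to count as a burst
THRESHOLD = 3                    # denied/timed-out prompts inside WINDOW that trigger a finding

def find_mfa_bombing(export_json, window=WINDOW, threshold=THRESHOLD):
    """Return one finding per user whose sign-ins contain a burst of at least
    `threshold` denied or timed-out MFA prompts inside `window`.
    `approved_after_burst` is True when an approval follows that burst within the
    window: the fatigue attack may have succeeded and the account needs review."""
    by_user = defaultdict(list)
    for rec in json.loads(export_json):
        ts = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        by_user[rec["user"]].append((ts, rec["mfa"], rec["ip"]))
    findings = []
    for user, events in by_user.items():
        events.sort()  # chronological; tuples sort on the timestamp first
        failures = [e for e in events if e[1] in ("denied", "timeout")]
        for i, (start, _, _) in enumerate(failures):
            burst = [e for e in failures[i:] if e[0] - start <= window]
            if len(burst) < threshold:
                continue
            burst_end = burst[-1][0]
            approved = any(status == "approved" and burst_end < t <= start + window
                           for t, status, _ in events)
            findings.append({"user": user, "prompts": len(burst),
                             "first": burst[0][0].isoformat(), "last": burst_end.isoformat(),
                             "source_ips": sorted({e[2] for e in burst}),
                             "approved_after_burst": approved})
            break  # one finding per user is enough for triage
    return findings

if __name__ == "__main__":
    for f in find_mfa_bombing(SAMPLE_EXPORT):
        print(json.dumps(f))
```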

Critical Cisco Secure Firewall Management Center Software RADIUS Remote Code Execution Vulnerability
An OS command injection vulnerability may be abused to gain access to the Cisco Secure Firewall Management Center software.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-radius-rce-TNBKf79

F5 Access for Android vulnerability
An attacker with a network position that allows them to intercept network traffic may be able to read and/or modify data in transit. The attacker would need to intercept vulnerable clients specifically, since other clients would detect the man-in-the-middle (MITM) attack.
https://my.f5.com/manage/s/article/K000152049

Podcast Transcript

Hello and welcome to the Tuesday, August 19, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Incident Response.

In Diaries today we have Rob talking about MFA bombing, or authentication fatigue. What this is all about is: if an attacker has access to a username and password for your account, they now have to overcome multi-factor authentication. Now, in simple cases like your standard one-time password, they may just try to guess it, which of course should be hard to impossible if that's reasonably well done. Or, recently, many organizations have introduced application-based multi-factor authentication, where you do get a pop-up that allows you to approve a login. Now, that has quickly turned out to be very susceptible to this kind of authentication fatigue and MFA bombing, where users, if they were confronted with a large number of these pop-ups, well, would just approve it. So these days most of the better implementations, like Microsoft and such, usually ask you not just to approve the login, but also to echo back a two-digit code that's being displayed on the website. Either way, the idea is to send you enough of these attempts. And then again, with Microsoft, if you're not using the professional version but just the home user version, it's really just three options. So they may again hope that the user will just pick an option and click OK and let the attacker in.

What Rob is talking about here a little bit is the aftermath of an attack like this. How do you actually figure out what happened in more detail? Microsoft has a web page that you can use to actually retrieve more details about your authentication history. It's mysignins.microsoft.com. It lists all of the logins in your history with the IP-address-based location. So that gives you a little bit more insight as to what may have happened in an attack like this. You also had a user comment about how to investigate this in Microsoft. There is actually a little reporting function that you can use in order to then export all the login attempts in a nice JSON format, which may work pretty well for sort of an occasional report, enterprise-wide, figuring out if any users were targeted by an attack like this.

And in vulnerabilities today, we do have a critical vulnerability in the Cisco Secure Firewall Management Center software. This particular vulnerability allows for an arbitrary code injection into RADIUS. So apparently there's some parameter being sent to RADIUS without being properly sanitized, which then leads to the OS command injection. In order to be vulnerable, you must have RADIUS enabled, at least for web authentication or SSH authentication, or both, of course. Definitely address this with patching. I would assume that we probably will see an exploit for this relatively soon, if it hasn't already been released. The CVSS score for this particular vulnerability is a clear 10 out of 10.

And F5 released a number of updates last week. And I think that this one particular vulnerability got a little bit overlooked here, and I think this deserves some attention. It's a vulnerability in F5 Access for Android, basically their VPN product, and, well, it does not properly validate the TLS certificate. With that, an attacker is able to establish a machine-in-the-middle attack. This kind of vulnerability, of course, has to be targeted to a vulnerable device. And F5 sort of mentions a little bit as a mitigation that, well, if your device is not vulnerable, it will flag the connection as bad, as it should. But still, I think this is a vulnerability that you probably should address quickly by updating these Android devices running this version of F5 Access.

Well, and that is it for today. Thanks, everybody, for liking, for recommending, and also for leaving good reviews for this podcast. And talk to you again tomorrow. Bye-bye.