SANS Stormcast Wednesday, August 20th, 2025: Increased Elasticsearch Scans; MSFT Patch Issues

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9578.mp3


Increased Elasticsearch Reconnaissance Scans
Our honeypots noted an increase in reconnaissance scans for Elasticsearch. In particular, the endpoint /_cluster/settings is hit hard.
https://isc.sans.edu/diary/Increased%20Elasticsearch%20Recognizance%20Scans/32212

Microsoft Patch Tuesday Issues
Microsoft noted some issues deploying the most recent patches with WSUS. There are also issues with certain SSDs when large files are transferred.
https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-24h2#3635msgdesc
https://www.tomshardware.com/pc-components/ssds/latest-windows-11-security-patch-might-be-breaking-ssds-under-heavy-workloads-users-report-disappearing-drives-following-file-transfers-including-some-that-cannot-be-recovered-after-a-reboot

SAP Vulnerabilities Exploited: CVE-2025-31324, CVE-2025-42999
Details explaining how to take advantage of two SAP vulnerabilities were made public.
https://onapsis.com/blog/new-exploit-for-cve-2025-31324/

Podcast Transcript

Hello and welcome to the Wednesday, August 20th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu undergraduate certificate program in Applied Cybersecurity.

In diaries today, I wrote up some changes that we see in scans for Elasticsearch these last couple of days. There's a particular endpoint, underscore cluster slash settings, which we haven't really been seeing hit a lot, all of a sudden getting a lot of attention from a couple of IP addresses. It's certainly not sort of a scan where, you know, everybody's scanning for it. It is a little bit more targeted with respect to where the scans are coming from. There has been lately, the last couple of days, a lot of talk about a possible Elasticsearch EDR 0-Day. I don't think this is directly related. It could possibly be people getting interested in Elasticsearch, trying to build possible target lists. Elastic has also disputed some of the findings in the blog post talking about the particular 0-Day. So I definitely wouldn't take that 0-Day claim too seriously here in this case. Also, what they really claimed was somewhat more limited. Anyway, in my opinion, pay attention to Elasticsearch. Make sure you're not directly exposing it to the world. That's probably sort of my best advice right now that I can give you. Yes, a lot of people do like to expose Elasticsearch, in particular for some single-page applications where JavaScript has been used to directly access Elasticsearch. Personally, I'm not a big fan of that. I'm sort of a little bit old-fashioned, as I state in the diary, in that I really don't think you should expose your back-end databases to the user, in particular with some of the constraints that you have with Elastic and similar databases when it comes to access control and authentication.

Well, it's about a week after Patch Tuesday, so it's a good opportunity to look back a little bit and see what went wrong this time. Microsoft always publishes its list of issues that they sort of discovered after the patch was released. Nothing really, sort of, what I consider major here. There was one particular problem with installing the updates from WSUS, and well, in this particular case, the update just failed. Also, a similar issue with shared drives. Microsoft has fixed this particular issue, so that shouldn't really be a problem anymore. However, there was sort of a little bit of a major problem here, depending on, well, what SSD you are running. SSDs that are using a chipset from Phison, and I believe they distinguish themselves by not actually using SDRAM for cache for the SSD drive. They're used in a variety of different manufacturers' drives. If you're transferring more than 50 gigabytes or a very large file, the drive may disappear. Now, typically, you know, you reboot, the drive comes back, but that apparently doesn't always fix the problem here. So it may lead to more permanent data corruption. As far as I've seen, there is no real fix for this. I heard that Kingston did release a firmware update for its drives, and Seagate, I've seen in some forum, is also releasing an update. But at least for Kingston, on their update page, it looks like everything they had there was older. If you're running into this issue, that's probably your best bet: look at your SSD manufacturer and see if they came out with updated firmware. And other than that, a reboot is probably the quickest sort of thing you can do to try to recover. And hopefully it will work for you. Again, you need to transmit a file with 50 gigabytes in order to trigger this issue, which is not a very common occurrence.

And for all the SAP users out here, well, it's time to verify that you have the most recent patches applied. On Friday, VX Underground did release an exploit that chained two recent vulnerabilities to essentially lead to a complete system compromise. Now, one of these vulnerabilities already had a CVSS score of 10. I believe this was just an arbitrary file upload vulnerability, but they chained it with a deserialization. And then you can also use a vulnerability in order to execute arbitrary code. The exploit has been around, has been used for a while. It's now public. Before that, it was only used sort of in more targeted attacks. So definitely make sure your system is up to date and consider any unpatched, exposed system as compromised. And definitely double, triple, and whatever you can do, check and make sure that there is not already an exploit running on those systems or some backdoor. Because like I said, the exploit has been used for a while. It has just now been made public.

Well, that is it for today. So thanks for listening. And thanks for subscribing, for liking, for leaving good comments, and talk to you again tomorrow. Bye.