
SANS Stormcast Tuesday, September 23rd, 2025: Ivanti EPMM Exploit; GitHub Impersonation

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9624.mp3


CISA Reports Ivanti EPMM Exploit Sightings
Two different organizations submitted backdoor samples to CISA; the backdoors are believed to have been installed by exploiting Ivanti EPMM vulnerabilities that were patched in May.
https://www.cisa.gov/news-events/analysis-reports/ar25-261a

Lastpass Observes Impersonation on GitHub
LastPass noted a number of companies being impersonated via fake GitHub repositories in order to trick victims into downloading Mac malware.
https://blog.lastpass.com/posts/attack-targeting-macs-via-github-pages

Oracle Scheduler Ransomware
Ransomware has been discovered that gained access to systems via an exposed Oracle Database Scheduler (external jobs) service.
https://labs.yarix.com/2025/09/elons-proxima-black-shadow-related-ransomware-attack-via-oracle-dbs-external-jobs/

Podcast Transcript

Hello and welcome to the Tuesday, September 23rd, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Las Vegas, Nevada. This episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership.

CISA, the Cybersecurity and Infrastructure Security Agency, has published a report with details regarding two organizations that were recently compromised via a vulnerability in Ivanti's Endpoint Manager Mobile, or Ivanti EPMM. The vulnerabilities were exploited in order to install a backdoor on these systems. That was essentially a persistence mechanism being used by these attackers. And the end effect was that the attacker was able to execute arbitrary commands on affected systems. There's of course always a chance that they hit additional systems that didn't report samples to CISA. That's very likely. Also, CISA did publish a number of indicators of compromise, like URLs, for example, hit in order to take advantage of the vulnerability, and also additional analysis of the backdoor that was found on these systems. The vulnerabilities that were exploited here were patched in May. So something you should have probably taken care of by now. But if you haven't, well, this is probably your very last chance. And if you find unpatched systems, absolutely make sure they have not already been compromised.

LastPass is reporting that they have seen a large number of fake GitHub repositories that are distributing malware. And now the reason LastPass sort of came across them is that this particular wave of fake GitHub repositories is also impersonating LastPass, in addition to a number of other software vendors. In the list, I noticed 1Password, for example. Also, DaVinci Resolve was being impersonated. Many of these GitHub repositories claim that they have premium or paid versions of that product for free to download. And they're in particular targeting MacBooks. Now what the user actually ends up with when they're installing this particular malware is, well, no surprise here really, info stealers that are then exfiltrating secrets from affected systems. As with many of these campaigns, of course, the names of these GitHub repositories are constantly changing as some of them are being taken down. So this is just one of those things you have to be careful with. And yeah, don't expect legitimate software that usually costs money to be available via GitHub for free.

And cybersecurity company Yarix did publish an analysis of a recent intrusion that used a little bit of an unusual entry vector, and that's the Oracle Database Server Job Scheduler. Now I say unusual because we don't hear much about it. But lately, there have been various reports about attacks against this Oracle Database Server Job Scheduler increasing. I can't verify this increase myself. But it seems likely that if a service like this ends up being exposed to the internet, people will exploit it if that's successful. And apparently, it has been successful in a couple of different cases. The Yarix report goes over the various commands that are being executed via the scheduler in order to, then again, get persistent access to the exploited system. Also, what particular malware is being used here, and what accounts, for example, are being created to maintain the access to this system. Something like this scheduler should probably, again, not be exposed to the internet. Well, I don't actually think that an Oracle Database should be exposed to the internet directly.

Well, and this is it for today. Thanks for listening. Thanks for liking and subscribing to this podcast. And as always, special thanks to anybody recommending this podcast to their friends. That's it for today. Thanks and talk to you again tomorrow. Bye. Bye.