
SANS Stormcast Friday, September 26th, 2025: Webshells in .well-known; Critical Cisco Vulns Exploited; XCSSET Update; GoAnywhere MFT Exploit Details

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9630.mp3


Webshells Hiding in .well-known Places
Our honeypots registered an increase in scans for URLs in the .well-known directory; the requested paths appear to be looking for webshells.
https://isc.sans.edu/diary/Webshells%20Hiding%20in%20.well-known%20Places/32320
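One way to act on the "keep an eye on this directory" advice is to triage web server access logs for requests under /.well-known/ that do not match the handful of names a site legitimately serves there (security.txt, ACME challenges and similar) or that carry a script-like extension. The following is an added example, not code from the ISC diary; the log lines are constructed and the expected-name allowlist is an assumption to be tuned to what your own host actually publishes.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format), not real honeypot data.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Sep/2025:10:01:02 +0000] "GET /.well-known/security.txt HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Sep/2025:10:01:03 +0000] "GET /.well-known/acme-challenge/abc123 HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Sep/2025:10:02:10 +0000] "GET /.well-known/shell.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.7 - - [26/Sep/2025:10:02:11 +0000] "POST /.well-known/%2e%2e/x.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.7 - - [26/Sep/2025:10:02:12 +0000] "GET /.well-known/pki-validation/ok.txt HTTP/1.1" 200 20 "-" "curl/8.0"
192.0.2.9 - - [26/Sep/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# First path segment under /.well-known/ that this host is expected to serve.
# Assumed subset of IANA-registered names; tune to your own site.
EXPECTED_NAMES = {"security.txt", "acme-challenge", "pki-validation", "change-password",
                  "openid-configuration", "mta-sts.txt", "assetlinks.json",
                  "apple-app-site-association"}
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|jsp|jspx|asp|aspx|ashx|cgi|pl|sh)$", re.I)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify(path: str):
    """Return a reason string if a request path under .well-known looks suspicious, else None."""
    path = unquote(path.split("?", 1)[0])  # decode %2e etc. before inspecting
    if not path.startswith("/.well-known/"):
        return None
    rest = path[len("/.well-known/"):]
    first = rest.split("/", 1)[0]
    if ".." in rest:
        return "path traversal attempt under .well-known"
    if SCRIPT_EXT.search(rest):
        return "script-like filename under .well-known"
    if first not in EXPECTED_NAMES:
        return f"unexpected .well-known name: {first}"
    return None

def flag_wellknown_requests(log_text: str):
    """Parse combined-format lines and return (ip, method, path, reason) for suspicious hits."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        reason = classify(m["path"])
        if reason:
            hits.append((m["ip"], m["method"], m["path"], reason))
    return hits

if __name__ == "__main__":
    for hit in flag_wellknown_requests(SAMPLE_LOG):
        print(*hit)
```

A 200 response to a flagged path deserves immediate attention, since it means the file actually exists on the server; 404s are reconnaissance noise worth counting per source address.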

Cisco Patches Critical Exploited Vulnerabilities
Cisco released updates addressing already-exploited vulnerabilities in the VPN web server for the ASA and FTD appliances.
https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW

XCSSET Evolves Again
Microsoft detected a new XCSSET variant, an infostealer infecting Xcode projects.
https://www.microsoft.com/en-us/security/blog/2025/09/25/xcsset-evolves-again-analyzing-the-latest-updates-to-xcssets-inventory/

Exploitation of Fortra GoAnywhere MFT CVE-2025-10035
watchTowr analyzed the latest GoAnywhere MFT vulnerability and exploits used against it.
https://labs.watchtowr.com/it-is-bad-exploitation-of-fortra-goanywhere-mft-cve-2025-10035-part-2/

Podcast Transcript

Hello and welcome to the Friday, September 26, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Las Vegas, Nevada. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Industrial Control System Security.

Our honeypots registered an increase in scans for files in the .well-known directory, and the URLs look like they're probably looking for web shells. The .well-known directory is of course, well, in Unix hidden with the dot at the beginning of the name of the directory, but it is commonly used for information files like security.txt or also to confirm the ownership of a website with the ACME protocol if you're using the web-based authentication for this protocol to obtain certificates. Probably best to keep an eye on this directory. If anybody finds an interesting web shell there, would love to take a quick look at what this web shell does, but not necessarily expecting anything super sophisticated or different here.

Well, and then we got more news from Cisco. Yesterday I mentioned the already exploited SNMP vulnerability. It wasn't really all that exciting because in order to exploit that vulnerability, you must already have admin credentials. But we now have two additional vulnerabilities that apparently are also already being exploited, and some say the exploitation goes about one year back. The first vulnerability is really critical. It does allow for arbitrary code execution on the ASA, that's the Adaptive Security Appliance, as well as on FTD, the Firewall Threat Defense. And in order to exploit this vulnerability, an attacker just needs normal VPN credentials as any user. So that's something that's likely much easier to obtain. And then via the VPN website, they're then able to compromise the device and execute code as root. So this is not exactly like a 10.0 vulnerability in the CVSS score, but certainly something that doesn't require a lot of prerequisites, just the VPN access and any credentials. The second vulnerability isn't rated as medium and is, well, only an authentication bypass, but does allow an attacker to access your URL endpoints that shouldn't really be accessible without authentication. Patches have been made available, but given that the vulnerability has already been exploited now for a while, it's advisable that you double check that your device has not already been compromised. Cisco, in addition to these advisories, also released a write-up on the attacks that they have seen. So has CISA. The attacks apparently have so far been more targeted and limited, so not widespread. And so far, there's a good chance that you haven't been hit yet, but we all know that once things like this get public and are being patched, we may see more exploitation pretty soon.

And Microsoft published an analysis of the latest variations of what they're calling the XCSSET malware. This is an infostealer targeting developers using Xcode, so Mac developers. One of the tricky things about this particular infostealer is that it does infect projects the developer is working on, and then also spreads by other developers importing these projects into Xcode. So this basically targets, again, developers. Also appears to be targeting mostly cryptocurrency users. One of the more prominent payloads in this malware does watch the clipboard, and if it does detect any cryptocoin-related information, it will exfiltrate it. Just a side note here, there's also ongoing news about various phishing attacks against PyPI and other developer groups. So be aware, developers are still a big target.

And watchTowr analyzed the latest Fortra GoAnywhere MFT vulnerability. I've mentioned it in a prior podcast. They also took a look at some of the exploits that are being used against this vulnerability in the wild, and list a number of indicators of compromise. So if you're using this product, this is very helpful in order to make sure that you haven't already been a victim as you are patching this vulnerability.

Well, and this is it for today. So thanks again for listening. Thanks for liking and recommending this podcast. As always, also special thanks for leaving good comments in the podcast. I'll see you next time. Bye. Bye.