
SANS Stormcast Tuesday, September 30th, 2025: Apple Patch; PAN Global Protect Scans; SSL.com signed malware

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9634.mp3

Apple Patches
Apple released patches for iOS, iPadOS, macOS, and visionOS fixing a single font parsing vulnerability (CVE-2025-43400). The bug can cause unexpected app termination or process memory corruption; Apple gives no indication that it is being exploited.
https://isc.sans.edu/diary/Apple%20Patches%20Single%20Vulnerability%20CVE-2025-43400/32330

Increase in Scans for Palo Alto Global Protect Vulnerability (CVE-2024-3400).
Our honeypots detected an increase in scans for CVE-2024-3400, the Palo Alto GlobalProtect path traversal in which an unsanitized session ID is turned into a file name, allowing arbitrary file creation. The requests seen so far only create a marker file in the portal images directory to test whether a device is vulnerable; the follow-up web shell upload has not reached our honeypots because they are not exploitable.
https://isc.sans.edu/diary/Increase%20in%20Scans%20for%20Palo%20Alto%20Global%20Protect%20Vulnerability%20%28CVE-2024-3400%29/32328
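To make the scan pattern described in the transcript concrete, here is an added example (written for this page; it is not ISC, Palo Alto or watchTowr code) that runs the detection logic over a few constructed web-server log lines: it flags a session cookie carrying path separators and correlates it with the follow-up GET to the portal images directory, whose status code acts as the "was the file written" oracle. The endpoint name (/ssl-vpn/hipreport.esp), the cookie name (SESSID) and the 403-versus-404 distinction are taken from the public CVE-2024-3400 write-ups, not from this page, and the log layout (combined format with the Cookie header appended as a last quoted field) is an assumption.

```python
import re
from urllib.parse import unquote

# Assumed log layout: combined log format with the request's Cookie header
# appended as a final quoted field. Adapt LOG_RE to your own access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Names from the public CVE-2024-3400 write-ups (assumption, not stated on this page).
HIP_ENDPOINT = "/ssl-vpn/hipreport.esp"
IMAGES_DIR = "/global-protect/portal/images/"

# Constructed sample lines, not real honeypot data. Line 1 is the traversal probe,
# line 2 the oracle check, lines 3 and 4 are benign traffic.
SAMPLE_LOGS = [
    '203.0.113.7 - - [29/Sep/2025:10:01:02 +0000] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 12 "-" "curl/8.0" '
    '"SESSID=/../../../../var/appweb/sslvpndocs/global-protect/portal/images/probe.txt"',
    '203.0.113.7 - - [29/Sep/2025:10:01:03 +0000] "GET /global-protect/portal/images/probe.txt HTTP/1.1" 403 0 "-" "curl/8.0" "-"',
    '198.51.100.5 - - [29/Sep/2025:10:02:00 +0000] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 12 "-" "PAN GlobalProtect" "SESSID=a1b2c3d4e5"',
    '198.51.100.9 - - [29/Sep/2025:10:03:00 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 5123 "-" "Mozilla/5.0" "-"',
]


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def sessid_value(cookie_field):
    """Return the URL-decoded SESSID cookie value, or None if the cookie is absent."""
    for part in cookie_field.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SESSID":
            return unquote(unquote(value))  # decode twice to catch %252e%252e style encoding
    return None


def is_traversal(sessid):
    """A legitimate session ID is an opaque token; a path separator or dot-dot segment
    means the value is being used to steer the file name on the device."""
    return sessid is not None and ("/" in sessid or "\\" in sessid or ".." in sessid)


def analyze(lines):
    """Return findings: traversal probes, and oracle checks correlated by (ip, file name)."""
    findings = []
    probes = {}  # (ip, basename of the targeted file) -> line number of the probe
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        sid = sessid_value(rec["cookie"])
        if is_traversal(sid):
            base = sid.replace("\\", "/").rsplit("/", 1)[-1]
            probes[(rec["ip"], base)] = n
            findings.append({"line": n, "ip": rec["ip"], "kind": "sessid_traversal",
                             "target": sid, "hip_endpoint": rec["path"] == HIP_ENDPOINT})
        elif rec["method"] == "GET" and rec["path"].startswith(IMAGES_DIR):
            base = rec["path"][len(IMAGES_DIR):].split("?", 1)[0]
            key = (rec["ip"], base)
            if key in probes:
                # 403 (file exists but is not served) vs 404 (file absent) is the oracle
                # used by the public exploit scripts; a 403 here means the device wrote the file.
                findings.append({"line": n, "ip": rec["ip"], "kind": "probe_check",
                                 "probe_line": probes[key], "file_written": rec["status"] == "403"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f)
```

Feed it your real GlobalProtect portal logs once the regex matches your format; a `probe_check` finding with `file_written` true means the device accepted the arbitrary file write and the operator should expect the second-stage upload the transcript mentions.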

Nimbus Manticore / Charming Kitten Malware update
Check Point released a report detailing new malware from Nimbus Manticore (also tracked as Charming Kitten, commonly associated with Iran). The samples carry valid code-signing signatures using certificates issued by SSL.com; no certificate authority compromise is involved, the certificates were simply obtained through the normal issuance process.
https://research.checkpoint.com/2025/nimbus-manticore-deploys-new-malware-targeting-europe/

Podcast Transcript

Hello and welcome to the Tuesday, September 30th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Master's Degree Program in Information Security Engineering.

Today we got a little bit of a surprise update from Apple for iOS, iPadOS, and macOS 26. Now, it's not a surprise that there is an update shortly after a major update like this, because that usually fixes some of the bugs and such that came out after the product was sort of released to the masses. But this time it also fixes a single vulnerability. It's a font parser vulnerability that can lead to unexpected app termination or corrupt process memory. The second part could hint at possible code execution, even though that's not stated like this in the advisory. There is no indication from Apple that this particular vulnerability has already been exploited. Often Microsoft does release sort of these one-vulnerability updates for actively exploited vulnerabilities. But I think here it's just that this was sort of one of the issues that came up after 26 was released, and now it is being patched as a security patch with the functional patches released with this update. They also released it for a couple of older versions of macOS, as well as for the last version before 26 for iOS and iPadOS. Doesn't affect tvOS. Doesn't affect watchOS. So the updates released today for those operating systems are just functional.

And our honeypots are seeing an increase in scans for a little bit older Palo Alto Global Protect vulnerability. That's Palo Alto's VPN solution. It exploits CVE-2024-3400. This vulnerability is very easy to exploit and has already been widely exploited. I see this a little bit sort of as a cleaning-up kind of scan, looking if there are any unexploited hosts still left out there. Exploitation is pretty straightforward. The vulnerability is really just, well, a fairly simple issue where the session ID is converted to a file name no matter what the session ID actually is, allowing for path traversal and essentially creating arbitrary files. The exploit attempts we are seeing are following very much what watchTowr, for example, and others have released sort of as sample exploits. It creates a file in the portal images directory. That file is actually not directly readable. But the error code changes if the file was actually written. So it's really more a scan whether or not the system is exploitable. And then there would be a second file that I haven't seen yet in our honeypots because they're not vulnerable at this point. That would then actually contain some kind of web shell or such and would be updated and uploaded after the system was found to be vulnerable.

And Check Point released a report with some of the recent malware that they have seen from what they're calling Charming Kitten, which is commonly thought to be associated with Iran. Now one of the special features here, in addition to sort of using fairly realistic-looking login pages for various companies, is that they're using malware that actually has valid digital signatures with certificates issued by SSL.com. There is no certificate compromise involved here. It's just that anybody can go to any certificate authority and get a developer certificate to sign code. There's really not much scrutiny here applied to who is getting these certificates. So this is not like a vulnerability or a compromise of a certificate authority. It's just basically how certificates work, that, well, code that comes signed is not necessarily trustworthy, or the certificate is not necessarily trustworthy, unless you have verified who actually sent you this particular piece of software.

Well, and that's it for today. Thanks for listening. Thanks for liking and subscribing to this podcast, and talk to you again tomorrow. Bye. Bye.