SANS Stormcast Friday, October 24th, 2025: Android Infostealer; SessionReaper Exploited; BIND/unbound DNS Spoofing fix; WSUS Exploit

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9670.mp3

Infostealer Targeting Android Devices
This infostealer, written in Python, specifically targets Android phones. It takes advantage of Termux to gain access to data and exfiltrates it via Telegram.
https://isc.sans.edu/diary/Infostealer%20Targeting%20Android%20Devices/32414

Attackers exploit recently patched Adobe Commerce Vulnerability CVE-2025-54236
Six weeks after Adobe's emergency patch, SessionReaper (CVE-2025-54236) has entered active exploitation. E-commerce security company Sansec has detected multiple exploit attempts.
https://sansec.io/research/sessionreaper-exploitation

Patch for BIND and unbound nameservers CVE-2025-40780
The Internet Systems Consortium (ISC.org), as well as the Unbound project, patched a flaw that may allow for DNS spoofing due to a weak random number generator.
https://kb.isc.org/docs/cve-2025-40780
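A practitioner's first response to a weak-PRNG advisory like this one is to check what the resolver actually emits. The following is an added example, not ISC or Unbound code: it scores a capture of outbound (source port, query ID) pairs on the span they cover and on how predictable each value is from the previous one, then converts that estimate into the expected number of forged answers an off-path spoofer would need, which is the quantity that decides whether a flaw like this is practical. The samples and the thresholds are constructed assumptions, not measurements of any real resolver.

```python
import math
import random
from collections import Counter

def range_bits(values):
    """Rough entropy estimate: how many bits the observed span covers."""
    return math.log2(max(values) - min(values) + 1)

def sequential_fraction(values):
    """Share of consecutive samples that differ by at most 2; a counter-like
    generator scores near 1.0, a healthy one near 0.0."""
    steps = [abs(b - a) for a, b in zip(values, values[1:])]
    return sum(1 for s in steps if s <= 2) / len(steps)

def expected_spoof_packets(port_bits, qid_bits):
    """Average forged answers an off-path spoofer must send to match both
    the source port and the query ID once: half the combined keyspace."""
    return 2 ** (port_bits + qid_bits) // 2

def assess(ports, qids, min_bits=14, max_seq=0.1):
    """Thresholds are assumptions: flag POOR when either value spans fewer
    than min_bits bits or is sequential more than max_seq of the time."""
    report = {}
    for name, vals in (("port", ports), ("qid", qids)):
        report[name + "_bits"] = range_bits(vals)
        report[name + "_seq"] = sequential_fraction(vals)
    report["expected_packets"] = expected_spoof_packets(
        report["port_bits"], report["qid_bits"])
    weak = any(report[k + "_bits"] < min_bits or report[k + "_seq"] > max_seq
               for k in ("port", "qid"))
    report["verdict"] = "POOR" if weak else "OK"
    return report

# Constructed samples (not real captures): a healthy resolver picks both
# values uniformly; the weak one uses a counter-like query ID and a source
# port that only varies in its low byte.
rng = random.Random(2025)
healthy_ports = [rng.randrange(1024, 65536) for _ in range(2000)]
healthy_qids = [rng.randrange(65536) for _ in range(2000)]
weak_ports = [49152 + rng.randrange(256) for _ in range(2000)]
weak_qids = [(1000 + i) % 65536 for i in range(2000)]

if __name__ == "__main__":
    for label, p, q in (("healthy", healthy_ports, healthy_qids),
                        ("weak", weak_ports, weak_qids)):
        print(label, assess(p, q))
```

Feed it the port and ID columns from a packet capture of the resolver's outbound queries; a full 16 bits on each side corresponds to roughly the 2 billion forged packets the transcript alludes to, and any verdict of POOR is a reason to prioritise the patch.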

WSUS Exploit Released CVE-2025-59287
Hawktrace released a walkthrough showing how to exploit the recently patched WSUS vulnerability.
https://hawktrace.com/blog/CVE-2025-59287


Podcast Transcript

Hello and welcome to the Friday, October 24th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in incident response.

Infostealers for Android written in Python. Apparently, that's a thing and Xavier came across an example. This particular infostealer takes advantage of Termux, a terminal emulator that is available for Android. This terminal emulator also includes utilities that allow you to access things like, for example, the address book and such from Android. And that then produces simple to parse JSON formatted output. And that is being exfiltrated by this infostealer. Xavier isn't sure how sort of the entire infection chain starts here in order to run the infostealer. The victim essentially already has Termux running. It's possible that the attacker uses social engineering or essentially just counts on victims that already have these tools installed on their Android phone.

An e-commerce security company, Sansec, has observed the active exploitation of a recently patched Adobe Commerce vulnerability. Adobe Commerce, also known as Magento, is an e-commerce application to always focus on when we have Adobe patches because in the past, vulnerabilities in this application have repeatedly been abused and have been exploited. So no big difference here for this vulnerability. It also goes by the name of SessionReaper. The problem is that an attacker is able to basically create a malicious session and then take advantage of a deserialization vulnerability that will then execute arbitrary code. Proof-of-concept code has been made available, has been made public. So it's no big surprise here that this vulnerability is actively being exploited. Sansec also states that only about a third, 38% of stores have actually applied the patch that was released five weeks ago. This particular patch was released out of order as an emergency patch. It was not released as part of the Patch Tuesday update that I usually mention here in the podcast.

Then we have a vulnerability that just doesn't seem to go away and that's DNS spoofing. It comes back like every few years, this time in the form of a weak random number generator. Today, the Internet Systems Consortium, who is behind the name server BIND, as well as the Unbound project, that's a recursive server you often see being used in firewalls and gateways and the like, released patches. The problem here is that due to the flaw in the pseudorandom number generator used to create random numbers to select ports and query IDs, it is possible to actually predict both to some extent and then, well, conduct spoofing attacks. Not really clear how easy it is. Both flaws, Unbound as well as BIND, were reported by researchers out of Israel. Haven't seen sort of any paper or so yet where they discuss the exact nature of the flaw. I hope they give us all some time to apply patches if it's really severe. If it's just sort of making it more likely to exploit the vulnerability, then it may not be such a big deal. Because, well, if it takes 4 billion or 40 billion packets or whatever it takes with a good random number generator, it probably is still not a very likely attack to see exploited. DNSSEC is, of course, always a good idea to prevent spoofing, but adoption of that is not really sort of at the forefront of most enterprises.

And then we do have a proof-of-concept exploit for a rather nasty Windows Server Update Services remote code execution vulnerability. This vulnerability was patched a week ago, a little more than a week ago, as part of the October Microsoft Patch Tuesday. The vulnerability is rather straightforward to exploit. It's one of those deserialization vulnerabilities, and it affects the cookie parameter. Now, this is not a cookie header. This cookie, this authorization cookie, is sent as part of a SOAP payload in this particular case. But the effect is the same. It does allow object code execution. And with this proof-of-concept now exactly explaining how to take advantage of this vulnerability, well, you better get your servers patched now.

Well, and this is it for today. Remember, Saturday morning I'll be speaking in Augusta at the BSides conference. So, hope to see some of you there. And that's it for today. Thanks for liking and subscribing to this podcast. And talk to you again on Monday. Bye. Bye.