SANS Stormcast Friday, October 31st, 2025: Bug Bounty Headers; Exchange hardening; MOVEit vulnerability

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9680.mp3



X-Request-Purpose: Identifying "research" and bug bounty related scans?
Our honeypots captured a few requests with bug-bounty-specific headers. These headers are meant to make it easier to identify requests related to bug bounty programs, and they are supposed to identify the researcher conducting the scans.
https://isc.sans.edu/diary/X-Request-Purpose%3A%20Identifying%20%22research%22%20and%20bug%20bounty%20related%20scans%3F/32436
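As an added example (written for this page, not code from the ISC diary or the podcast), the script below parses raw requests in the shape a honeypot would log and tags those carrying bug-bounty identification headers, so they can be counted and the claimed researcher handle collected for contact. X-Request-Purpose is the header name reported above; the two program-specific header names in PROGRAM_HEADERS and the sample requests are assumptions constructed for illustration. The tag is for reporting only: any client can send these headers, so the code deliberately offers no allow/deny decision.

```python
"""Tag honeypot HTTP requests that carry bug-bounty identification headers.

Example code for this page, not from the ISC diary. X-Request-Purpose is
the header the diary reports; the program-specific header names below are
assumptions for illustration only.
"""
from collections import Counter

PURPOSE_HEADER = "x-request-purpose"
# Assumed program-specific headers (header name -> program). Replace with
# whatever the programs you participate in actually ask researchers to send.
PROGRAM_HEADERS = {
    "x-hackerone-research": "HackerOne",
    "x-bug-bounty": "Bugcrowd",
}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request head into method, path and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def classify(req: dict) -> dict:
    """Label a parsed request by the bug-bounty headers it carries.

    The result is a reporting tag only. Anyone can send these headers, so
    the tag must never be used to filter, allowlist or deprioritise traffic.
    """
    h = req["headers"]
    purpose = h.get(PURPOSE_HEADER, "").lower() or None
    program = researcher = None
    for name, prog in PROGRAM_HEADERS.items():
        if name in h:
            program, researcher = prog, h[name]
            break
    return {
        "path": req["path"],
        "purpose": purpose,
        "program": program,
        "researcher": researcher,
        "tagged": purpose is not None or program is not None,
    }


def summarize(raw_requests: list) -> dict:
    """Count tagged vs untagged requests and collect claimed researcher handles."""
    tags = [classify(parse_request(r)) for r in raw_requests]
    counts = Counter("tagged" if t["tagged"] else "untagged" for t in tags)
    researchers = sorted({t["researcher"] for t in tags if t["researcher"]})
    return {
        "tagged": counts["tagged"],
        "untagged": counts["untagged"],
        "researchers": researchers,
    }


# Constructed sample traffic in the shape a honeypot would log (not real captures).
SAMPLE_REQUESTS = [
    "GET /.env HTTP/1.1\r\nHost: honeypot.example\r\nX-Request-Purpose: research\r\n\r\n",
    "GET /admin HTTP/1.1\r\nHost: honeypot.example\r\nX-Bug-Bounty: researcher-123\r\n\r\n",
    "POST /api/login HTTP/1.1\r\nHost: honeypot.example\r\nContent-Length: 0\r\n\r\n",
    "GET /wp-login.php HTTP/1.1\r\nHost: honeypot.example\r\n"
    "X-Request-Purpose: Research\r\nX-HackerOne-Research: h1-user\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(classify(parse_request(raw)))
    print(summarize(SAMPLE_REQUESTS))
```

Header names are matched case-insensitively because HTTP header names are case-insensitive, while the researcher handle is kept verbatim so it can be quoted back to the program when asking a scanner to throttle.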

Proton Breach Observatory
Proton opened up its breach observatory. This website will collect information about breaches affecting companies that have not yet made the breach public.
https://proton.me/blog/introducing-breach-observatory

Microsoft Exchange Server Security Best Practices
A new document published by a collaboration of national cybersecurity agencies summarizes steps that should be taken to harden Exchange Server.
https://www.nsa.gov/Portals/75/documents/resources/cybersecurity-professionals/CSI_Microsoft_Exchange_Server_Security_Best_Practices.pdf?ver=9mpKKyUrwfpb9b9r4drVMg%3d%3d


MOVEit Vulnerability
Progress published an advisory for its file transfer product MOVEit Transfer. This software has had heavily exploited vulnerabilities in the past.
https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-CVE-2025-10932-October-29-2025


Podcast Transcript

 Hello and welcome to the Friday, October 31st, 2025
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich, recording today from
 Jacksonville, Florida. And this episode is brought to you
 by the SANS.edu graduate certificate program in
 cybersecurity leadership. This week I noticed some new HTTP
 request headers in our honeypot logs and these HTTP
 request headers are related to bug bounty programs. There is
 an X-Request-Purpose header, the value is just "research" for
 this header, and then also specific headers for specific
 bug bounty programs like HackerOne and Bugcrowd. There
 are a couple of bug bounties that I was able to find that
 actually ask researchers to use these specific headers. As
 always, when you talk about request headers like this, nothing is
 guaranteed. It's very easy for someone, of course, to
 impersonate a researcher using those headers. And then, of
 course, there is no guarantee that researchers will actually
 use these headers as they're conducting scans for their bug
 bounty research. I assume that companies participating in
 these bug bounty programs try to use these headers to maybe
 figure out how many of the requests that they're seeing
 are related to bug bounties, and at least to be able to
 notify researchers that are well behaved, that are
 actually using the correct headers in case something is
 going wrong here, in case they're like a denial of
 service or something like this, so they can reach out to
 the researcher and ask them maybe to stop their scans or
 throttle them as necessary. If you're interested out of curiosity
 here, I think the value of it is overall limited and
 certainly nothing that should be used to filter or not
 filter certain requests. And Proton, the company behind the
 Proton email service as well as the Proton VPN, has now
 come up with an interesting new project. That's the Data
 Breach Observatory. The goal of this Data Breach
 Observatory is to shed a light on breaches that may not have
 been reported to public or where the breached entity is
 actually even unaware themselves that they got
 breached. They have the initial website up here, and
 so far they have about 800 breaches listed. They say the
 top businesses that they're seeing exposed here are retail
 in particular, but then also small, medium-sized
 businesses, which I believe these are common targets. And
 of course, particular small, medium-sized businesses may
 either not have the capability to actually detect the attack
 and the breach, or they may feel like they can sort of
 slip underneath the radar. In the past, sadly, I've often
 observed that actually the best thing a company can do is
 not to talk about the breach, because then the news won't
 pick up on it, typically in particular for smaller
 companies like this. And the breach will overall go
 unnoticed without too much impact on the company itself.
 So interesting approach here. They're claiming they're
 looking at various dark web sources in order to compile
 that data. We'll have to see how it all works out, and I
 hope they, at the very least, are notifying and contacting
 any organizations that they find breached here. And
 government cybersecurity agencies from the US, Canada,
 and Australia have collaborated on a pretty neat
 document. Microsoft Exchange Server Security Best
 Practices. The document is not very much in-depth. It sort of
 just covers different topics that you should consider as
 you are configuring and maintaining Exchange. But the
 real value I find in this document is the long list of
 references that then leads you to additional guidelines on
 how to accomplish some of the suggested things, like
 configuring authentication correctly, enabling Kerberos,
 and doing all the other good things with a Microsoft
 Exchange server. It has been a huge target in the past. Of
 course, one of the items on the list here is also make
 sure that you're not using an end-of-life version of
 Microsoft Exchange, which, of course, we just had the issue
 where 2019 and such did become end-of-life with the last
 Microsoft patch Tuesday. And then we have a new patch for
 users of MOVEit Transfer. The reason I mentioned it today is
 that this is probably something that you may want to
 get a handle on before the weekend. MOVEit has been the
 target of compromise in the past and has been used to
 compromise networks for ransomware and the like. There
 is very little detail about this vulnerability. It just
 says of an uncontrolled resource consumption
 vulnerability. It does imply that it's possible to execute
 arbitrary code with this vulnerability. It's likely
 sort of one of those webshell-style vulnerabilities where
 you can upload a webshell and execute it. Hard to tell
 whether or not it does require authentication or not. They
 did assign it a CVSS score of 8.2, which is high. It's not
 critical. Still something that you probably want to get ahead
 of and follow Progress's guidance here on how to address
 this vulnerability. Well, and that's it for today. So thanks
 again for listening. Thanks for liking and subscribing to
 this podcast. And as always, talk to you again on Monday.
 Bye.