SANS Stormcast Monday, December 1st, 2025: More ClickFix; Teams Guest Access; Geoserver XXE Vulnerability

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9718.mp3

Fake adult websites pop realistic Windows Update screen to deliver stealers via ClickFix
The latest variant of ClickFix tricks users into copy/pasting commands by displaying a fake blue screen of death.
https://www.acronis.com/en/tru/posts/fake-adult-websites-pop-realistic-windows-update-screen-to-deliver-stealers-via-clickfix/

B2B Guest Access Creates an Unprotected Attack Vector
Users may be tricked into joining an external Teams workspace as a guest, bypassing protections typically enabled for Teams workspaces.
https://www.ontinue.com/resource/blog-microsoft-chat-with-anyone-understanding-phishing-risk/

Geoserver XXE Vulnerability CVE-2025-58360
Geoserver patched an external XML entity (XXE) vulnerability.
https://helixguard.ai/blog/CVE-2025-58360

Podcast Transcript

Hello and welcome to the Monday, December 1, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Dallas, Texas. This episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership.

Well, first of all, it looks like this long weekend, at least here in the U.S., was pretty eventless and no emergencies here to report about. Nothing that you need to do right now in order to sort of catch up for whatever threat you may have missed this long weekend. But we do have a couple sort of smaller things that are certainly worth covering.

First one is a new development when it comes to ClickFix attacks. ClickFix attacks do trick victims into copy-pasting commands into a command prompt to then execute malicious code. The latest version here was identified by Acronis. And what they observed is attackers using fake blue screens of death. And with that, again, tricking users into copy-pasting commands into a command prompt. The ultimate idea is exactly the same as ClickFix, but just the lure is a little bit different with the blue screen of death. Maybe a little bit more plausible at this point, given that we hopefully have taught users about ClickFix or they have experienced it firsthand, while they may not have seen this with a blue screen. Apparently the websites displaying the blue screens are being advertised via Google Ads, and the blue screen doesn't show up right away, but only after the user interacts a little bit with the website. Maybe also making this a little bit more plausible, but also making it more difficult to detect and eliminate these malicious websites.

The blog by Ontinue does outline an interesting trick that attackers are apparently playing with Microsoft Teams. Microsoft Teams, if you're enabling it in an enterprise context, you have a rich set of protection features that you are able to enable if you are trying to filter content. Now, the problem here that attackers are taking advantage of is that the users who are used to this kind of enterprise setup are expecting this protection even if they're joining someone else's Teams space. Teams allows guests to join another team space, and what's happening here is that the attacker is essentially setting up their own Teams environment without any of these protections and then inviting the victim to join their Teams environment and then exposing them to these malicious links and similar threats. Again, social engineering, a little bit like what we just covered with ClickFix, where users really don't quite understand the environment that they are connecting to.

And then there's one vulnerability that I want to talk about today, and that's an external XML entity vulnerability in GeoServer. Two reasons why I want to cover this. First of all, GeoServer is one of those tools we do see scans for and have seen scans for it for a couple of years now. So it's definitely targeted by attackers and shouldn't really be exposed in the first place. It's one of those complex systems to deal with geographic information systems, coordinates and the like. And yes, it has had multiple vulnerabilities in the past, and is often not configured correctly also. That's not our issue with that. So please don't expose it if you can help it. And then the second reason I want to cover it is external XML entities is an often overlooked issue that keeps popping up, in particular in these sort of complex data processing systems that often deal with XML. What it really refers to is that an attacker may include essentially commands in an XML document that redefine entities as content of files or remote URLs. So essentially your parser is now going out and hitting that URL, which can then also lead to server side request forgery, or they can read an internal file, which is basically sort of an internal file inclusion vulnerability. So definitely don't overlook these XML vulnerabilities. A lot of them can be controlled by adjusting your parser correctly. And hopefully in this particular case, well, GeoServer released a patch for it.

Well, and this is it for today. So thanks for listening. If you are here in Dallas, I'll be giving a talk, I think on Wednesday, about the Internet Storm Center. And I also have one more class actually this year that I'll be teaching. It'll be online only, but on the European time zone. And it's our intrusion detection in depth, SEC 503 class. That's it for today. Thanks for listening and talk to you again tomorrow. Bye.
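The episode's closing point, that most XXE exposure is controlled by how the parser is configured, shown as an added example that is not part of the podcast and not GeoServer's (Java) code. It uses Python's standard-library SAX parser on two constructed documents: a benign WFS-style request and one carrying the entity-redefinition pattern described above; the `file:///etc/hostname` reference in the sample is never read, and the "reject any DOCTYPE" step mirrors the disallow-doctype-decl approach Java parsers offer.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Constructed sample documents (not GeoServer traffic).
BENIGN_DOC = b'<?xml version="1.0"?><GetFeature><TypeName>rivers</TypeName></GetFeature>'
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE GetFeature [<!ENTITY probe SYSTEM "file:///etc/hostname">]>'
           b'<GetFeature><TypeName>&probe;</TypeName></GetFeature>')


class TextCollector(ContentHandler):
    """Collect character data so we can see what the parser actually expanded."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def declares_entities(doc: bytes) -> bool:
    # Entities can only be declared inside a DOCTYPE, so refusing any DOCTYPE
    # removes the XXE surface regardless of the parser's entity settings.
    return b"<!DOCTYPE" in doc


def parse_text(doc: bytes, reject_doctype: bool = True) -> str:
    """Parse with external entity resolution off; optionally refuse any DOCTYPE."""
    if reject_doctype and declares_entities(doc):
        raise ValueError("DOCTYPE declarations are not accepted")
    parser = xml.sax.make_parser()
    # Set explicitly even though recent CPython defaults to off: these two
    # features are what let a parser fetch files/URLs (XXE, SSRF) on our behalf.
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(doc))
    return "".join(handler.chunks)


def verdict(doc: bytes) -> str:
    """Summarise how the hardened pipeline treats a document."""
    try:
        text = parse_text(doc)
    except ValueError as exc:
        return f"rejected: {exc}"
    return f"accepted: {text!r}"


if __name__ == "__main__":
    print(verdict(BENIGN_DOC))   # accepted: 'rivers'
    print(verdict(XXE_DOC))      # rejected: DOCTYPE declarations are not accepted
```

With `reject_doctype=False` the hardened parser still does not touch the referenced file: the external entity expands to nothing, which is the behaviour to verify when you cannot ban DOCTYPE outright.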