SANS Stormcast Monday, December 8th, 2025: AutoIT3 FileInstall; React2Shell Update; Tika Vuln

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9728.mp3

AutoIT3 Compiled Scripts Dropping Shellcodes
Malicious AutoIT3 scripts are using the “FileInstall” function to include additional scripts at compile time that are dropped as temporary files during execution.
https://isc.sans.edu/diary/AutoIT3%20Compiled%20Scripts%20Dropping%20Shellcodes/32542

React2Shell Update
The race is on to patch vulnerable systems. Various groups are aggressively scanning the internet with different exploit variants. Some attempt to bypass WAFs.
https://blog.cloudflare.com/5-december-2025-outage/
https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/

Apache Tika XXE Flaw
Apache’s Tika library patched an XXE flaw.
https://lists.apache.org/thread/s5x3k93nhbkqzztp1olxotoyjpdlps9k

Podcast Transcript

Hello and welcome to the Monday, December 8th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Undergraduate Certificate Program in Cybersecurity Fundamentals.

Xavier lately found a wave of different malicious files that all took a similar route in order to obfuscate some of the code in AutoIT3. AutoIT3 is an automation system. It's quite old, going back to the early 2000s, but it's still being maintained, it's still being updated, and it's still frequently being used to manage Windows systems and essentially create small scripts to automate some tasks on Windows systems. Now, AutoIT3 has an interesting function called FileInstall. FileInstall sounds a little bit like an include function. If the script is parsed, then it's just read from the file system. Now, what gets interesting is once you're running a compiled AutoIT script, and that's kind of one of the advantages of AutoIT. It's very easy to create the binary executables, so you don't, as a malware author, have to first install all of AutoIT on the system, but you just run the executable or have the victim run the executable. So when it's compiled, then the file is included in the binary at compile time, but what Xavier also saw is that then a temporary file is being created at runtime of the script, which of course then makes it easy to extract that file and analyze it, and Xavier is going a little bit over the different obfuscation techniques being used in this particular example.

Let me have a quick update here on the React vulnerability, or React2Shell as it has been known under now for the last couple of days. There's a wide range of numbers that's being quoted out there for how many systems are vulnerable. Of course, not every system running React or every system running Next.js is vulnerable to this particular issue. There was a quote there from Palo Alto that they observed 30 organizations being actually compromised. Of course, we do see in honeypots, and others have seen in honeypots also, many, many exploit attempts, and as a result, if you are vulnerable, you probably have been exploited, as I mentioned already on Friday. There was also a little sort of side effect of this particular React vulnerability, and that was a brief Cloudflare outage on Friday morning. What apparently happened here is that Cloudflare tried to push out a configuration change in order to better detect this vulnerability. There is also a little bit of a race going on there trying to find versions of the exploit that bypass web application firewall signatures. In response to that, Cloudflare made changes to their systems that then in the end led to this outage, which I believe lasted about 20 minutes. So keep patching and keep assuming a compromise. Web application firewalls will help, but like I said, there are active efforts to find the exploit versions that will bypass web application firewalls. So definitely don't solely rely on your web application firewall. It may buy you time, but it will ultimately probably not prevent exploitation.

I'm not sure how many are familiar with the Apache Tika project, but it is an important project in that it is often used to parse, possibly test file uploads and essentially look at files whether or not they are potentially malicious. Now, the main reason for the Apache Tika library is to extract metadata, and it can do so for an extremely large set of file types, including PDFs. But the vulnerability addressed now in the Apache Tika core and Apache Tika parsers, in particular the PDF module, would allow an attacker to submit a malicious PDF that will then lead to an XML external entity attack. So something that you probably want to address, in particular if you are using this library to look at malicious PDFs or use them to screen PDFs to possibly detect any malicious content.

Well, and this is it for today. So thanks for listening, thanks for liking, thanks for subscribing, and as always special thanks for anybody leaving a comment in your favorite podcast platform. That's it, and talk to you again tomorrow. Bye.
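The Tika XXE issue is about XML that rides inside a PDF (XMP metadata, XFA forms) being handed to a parser that still resolves external entities. The Python scanner below is an added example, not Tika's code or its patch: it pulls XML out of a PDF's raw or /FlateDecode streams and flags DOCTYPE and SYSTEM/PUBLIC entity declarations, which a benign PDF's metadata has no reason to carry, so an upload pipeline can quarantine the file before it reaches the parser. The sample PDFs are constructed in the block, and `find_xml_entity_risks` and `build_pdf_with_xml` are hypothetical names.

```python
import re
import zlib

# Added example (not Tika's code): pre-screen a PDF for embedded XML (XMP metadata, XFA
# forms) declaring a DOCTYPE or external entity, the input an XXE-vulnerable PDF parser
# acts on. Raw and /FlateDecode streams only; a clean result means "nothing obvious".
STREAM_RE = re.compile(rb"<<(?P<dict>.*?)>>\s*stream\r?\n(?P<body>.*?)\r?\nendstream", re.S)
XML_MARKERS = (b"<?xml", b"<?xpacket", b"<x:xmpmeta", b"<xdp:xdp")
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.I)
EXT_ENTITY_RE = re.compile(rb"<!ENTITY\s+(?:%\s*)?[\w.-]+\s+(?:SYSTEM|PUBLIC)\b", re.I)


def _decode_stream(obj_dict: bytes, body: bytes) -> bytes:
    # Inflate /FlateDecode streams; unfiltered streams are inspected as-is.
    if b"/FlateDecode" not in obj_dict:
        return body
    try:
        return zlib.decompress(body)
    except zlib.error:
        return b""  # undecodable stream: nothing to inspect here


def find_xml_entity_risks(pdf: bytes) -> list:
    """One finding per XML-bearing stream that declares a DOCTYPE or external entity."""
    findings = []
    for idx, m in enumerate(STREAM_RE.finditer(pdf)):
        data = _decode_stream(m.group("dict"), m.group("body"))
        if not any(marker in data for marker in XML_MARKERS):
            continue  # not XML, e.g. page content or an image
        external = [e.group(0).decode("latin-1") for e in EXT_ENTITY_RE.finditer(data)]
        doctype = DOCTYPE_RE.search(data) is not None
        if doctype or external:
            findings.append({"stream": idx, "doctype": doctype, "external_entities": external})
    return findings


def build_pdf_with_xml(xml: bytes, compress: bool = False) -> bytes:
    """Constructed minimal PDF carrying `xml` as its /Metadata stream (sample input only)."""
    body = zlib.compress(xml) if compress else xml
    filt = b" /Filter /FlateDecode" if compress else b""
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Metadata /Subtype /XML" + filt + b" /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")


# Constructed samples: an XMP packet with a SYSTEM entity (placeholder URL) and a benign one.
MALICIOUS_XMP = (b'<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>\n'
                 b'<!DOCTYPE x [ <!ENTITY ext SYSTEM "http://dtd.placeholder.invalid/x.dtd"> ]>\n'
                 b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
                 b'<rdf:Description>&ext;</rdf:Description></rdf:RDF></x:xmpmeta>\n<?xpacket end="w"?>')
BENIGN_XMP = (b'<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>\n'
              b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>'
              b'</x:xmpmeta>\n<?xpacket end="w"?>')
```

Running `find_xml_entity_risks(build_pdf_with_xml(MALICIOUS_XMP, compress=True))` returns a single finding with the `<!ENTITY ext SYSTEM` declaration, while the benign packet returns an empty list.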