
SANS Stormcast Friday, December 12th, 2025: Local AI Models; Mystery Chrome 0-Day; SOAPwn Attack

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9736.mp3




Using AI Gemma 3 Locally with a Single CPU
Installing AI models on modest hardware is possible and can be useful for experimenting with these models on premises.
https://isc.sans.edu/diary/Using%20AI%20Gemma%203%20Locally%20with%20a%20Single%20CPU%20/32556

“Mystery” Google Chrome 0-Day Vulnerability
Google released an update for Google Chrome fixing a vulnerability that is already being exploited but has no CVE number assigned to it yet.
https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop_10.html


SOAPwn: Pwning NET Framework Applications Through HTTP Client Proxies And WSDL
watchTowr identified a common vulnerability in SOAP implementations using .NET.
https://labs.watchtowr.com/soapwn-pwning-net-framework-applications-through-http-client-proxies-and-wsdl/
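The .NET behaviour behind the SOAPwn item, as an added example that is not from the podcast or from watchTowr's research: `WebRequest.Create` chooses the concrete request class from the URL scheme, so an attacker-controlled endpoint beginning with `file:` yields a `FileWebRequest` rather than an `HttpWebRequest`. The `EndpointGuard` helper and the sample endpoints below are constructed for illustration; the hardened variant validates the scheme and host before any request object exists.

```csharp
using System;
using System.Net;

// Hypothetical helper (not part of any real project) contrasting the
// unchecked pattern with a scheme/host allowlist applied up front.
static class EndpointGuard
{
    // Weak pattern: the scheme is never inspected. A "file:" endpoint
    // produces a FileWebRequest, and code that expects an HTTP endpoint
    // ends up operating on a file-backed request object instead.
    public static WebRequest CreateUnchecked(string endpoint)
    {
        return WebRequest.Create(endpoint); // "file:///..." -> FileWebRequest
    }

    // Hardened pattern: parse first, accept only absolute http/https URLs,
    // pin the host the application actually expects, then build the request.
    public static HttpWebRequest CreateChecked(string endpoint, string expectedHost)
    {
        if (!Uri.TryCreate(endpoint, UriKind.Absolute, out Uri uri))
            throw new ArgumentException("endpoint is not an absolute URL");
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("only http/https endpoints are allowed, got " + uri.Scheme);
        if (!string.Equals(uri.Host, expectedHost, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("unexpected host " + uri.Host);
        return (HttpWebRequest)WebRequest.Create(uri);
    }

    static void Main()
    {
        // Constructed sample endpoints; neither refers to a real system.
        string[] samples = { "https://api.example.test/soap", "file:///tmp/constructed-example" };
        foreach (string s in samples)
        {
            Console.WriteLine($"{s} -> {CreateUnchecked(s).GetType().Name}");
            try
            {
                CreateChecked(s, "api.example.test");
                Console.WriteLine("  accepted by CreateChecked");
            }
            catch (ArgumentException e)
            {
                Console.WriteLine("  rejected by CreateChecked: " + e.Message);
            }
        }
    }
}
```

Running it shows the first endpoint resolving to `HttpWebRequest` and being accepted, while the `file:` endpoint resolves to `FileWebRequest` and is rejected by the scheme check before it can be used.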


Podcast Transcript

Hello and welcome to the Friday, December 12th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Engineering.

AI, of course, is the big issue that everybody is worried about and playing with these days. And well, as a first touch point, you usually just use one of the public models like ChatGPT and such to get a little bit of experience with what these tools can do. But it can be quite intimidating to go a step further and try to run some of these models locally and play sort of in a more intimate atmosphere with these particular models. Well, Guy now wrote up a quick diary showing how to install Gemma 3 on a reasonably small home computer. In this particular case, he used one of the new Horizon chips and one of those mini computers that have become quite popular these days for home labs, and shows a couple of the pitfalls here, some of the problems that he ran into trying to make this all run in the Proxmox virtualization environment, and how to configure it. And then in the end, also how to use these tools. Certainly an interesting experiment and something that gives you a little bit more insight into how these tools sort of work on the backend.

And then we do have an update for Chrome with yet another already exploited vulnerability being addressed here. And this vulnerability was, well, by some described a little bit sort of as a mystery vulnerability. And it's certainly a little bit of an odd one in that there is no CVE number for this vulnerability. There's also absolutely no detail on what it's all about. Now, Google usually at least sort of has these one-liners that describe a little bit something about the vulnerability. But here it just says that it's under coordination. What I believe is happening here, and that's where the coordination part comes from, is that this particular vulnerability likely affects not just Google Chrome; there are likely either other browsers, or maybe it's one of the underlying libraries that's vulnerable here that is being exploited. So what's possibly happening is that they first need to coordinate with other vendors who are also affected by this issue before they're going to release any additional details and before a CVE number will be assigned. It also doesn't state who actually reported this vulnerability. So it will be interesting. Maybe next week we'll learn more about this vulnerability. Until then, just keep Chrome updated.

Well, this week we already had a couple of SOAP-related stories. We have now one more from watchTowr Labs, and that's SOAPwn or SOAP Pwn, however you pronounce this, which is I think sort of a must-read article for anybody who is developing in .NET. Also, pen testers probably want to take a close look at this. The problem here is a fundamental weakness in how .NET deals with HTTP requests, or URL requests I should say, and how this may actually lead in some cases to arbitrary file write or even to remote code execution vulnerabilities, in particular as SOAP is being implemented. So SOAP is the enterprise API language. And one of the problems here is that if an attacker can control the URL that a user is connecting to, if this URL starts with file, so it's actually referencing a file, not like an HTTP web page, well, .NET has different classes that it uses to deal with these requests, and they may be cast into each other, which then results in the user actually writing files on the server instead of, well, just requesting or posting some data from an HTTP API, which is interesting. And in some cases that watchTowr shows here, like for example, they have a proof of concept exploit for this vulnerability in a Barracuda system. Well, it is exploitable. The tricky part here is it really depends on how a developer implemented these particular APIs. Microsoft is not thinking about fixing this problem. They're saying it's really more a problem in how users are using their tools, so not so much a problem with how these tools are working. watchTowr here is disagreeing with this a little bit, but still, you know, as an internet developer, you definitely should be aware of this and should take a look at what watchTowr is demonstrating.

And then we got a report from CISA summarizing some recent activity by pro-Russian hacktivists. Now, hacktivists, of course, are not necessarily state-sponsored actors, but more individuals who do it out of, well, the good or bad of their own heart. What I sort of thought is interesting about this report is that it's labeled as being about global critical infrastructure. And when we're talking global critical infrastructure, we are thinking about, you know, power systems and things like this. That's part of the report, but it also covers attacks against some smaller businesses, basically factories and such, that may not necessarily see themselves as sort of operating big OT networks and being part of critical infrastructure, but have many of the same vulnerabilities, maybe more so because of the less mature IT and security organization that you often find in these smaller companies. So definitely worthwhile looking at this, in particular if you are working for any kind of manufacturing company that, for example, does have sensors and the like that are remotely accessible and could potentially affect your production line, for example.

Well, and this is it for today. So thanks for listening. Thanks for liking, subscribing. And I saw a couple of you did leave comments in Apple's podcast app. So thanks a lot for that, and talk to you again on Monday. Bye.