INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Microsoft April 2024 Patch Tuesday
Published: 2025-04-08
Last Updated: 2025-04-08 18:40:41 UTC
by Renato Marinho (Version: 1)
This month, Microsoft has released patches addressing a total of 125 vulnerabilities. Among these, 11 are classified as critical, highlighting the potential for significant impact if exploited. Notably, one vulnerability is currently being exploited in the wild, underscoring the importance of timely updates. While no vulnerabilities were disclosed prior to this patch release, the comprehensive updates aim to fortify systems against a range of threats, including remote code execution and privilege escalation. Users are encouraged to apply these patches promptly to enhance their security posture.
Windows Common Log File System Driver Elevation of Privilege Vulnerability (CVE-2025-29824)
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-29824
This is a zero-day vulnerability with a severity rating of Important and a CVSS score of 7.8, which is currently being exploited in the wild but has not been publicly disclosed. This vulnerability allows an attacker to elevate their privileges to SYSTEM level, posing a significant risk to affected systems. It specifically impacts Windows 10 for both x64-based and 32-bit systems. However, security updates to address this vulnerability are not yet available, and Microsoft plans to release them as soon as possible. Customers will be notified through a revision to the CVE information once the updates are ready.
Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2025-26663)
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-26663
This critical vulnerability, CVE-2025-26663, has not been exploited in the wild nor disclosed publicly, making it a non-zero-day threat. It carries a CVSS score of 8.1, indicating a significant risk due to its potential impact of remote code execution. The vulnerability arises from a race condition that an unauthenticated attacker could exploit by sending specially crafted requests to a vulnerable LDAP server, leading to a use-after-free scenario. Although the attack complexity is high, requiring the attacker to win a race condition, the severity of the potential impact underscores the critical nature of this vulnerability. Currently, security updates for Windows 10 systems are not immediately available, but they will be released as soon as possible, with notifications provided via a revision to the CVE information.
Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability (CVE-2025-26670)
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-26670
This critical vulnerability, identified as CVE-2025-26670, has not been exploited in the wild nor disclosed publicly. It carries a CVSS score of 8.1, indicating a significant risk of remote code execution. The vulnerability arises from a race condition that can be exploited by an unauthenticated attacker sending specially crafted requests to a vulnerable LDAP server, potentially resulting in a use-after-free condition. This could be leveraged to execute arbitrary code remotely. Despite the high attack complexity (AC:H), the potential impact is severe. Currently, security updates for Windows 10 systems are not available, but Microsoft plans to release them as soon as possible, with notifications provided through a revision to the CVE information.
Windows Remote Desktop Services Remote Code Execution Vulnerability (CVE-2025-27480)
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-27480
This is a critical vulnerability with a CVSS score of 8.1, which has not been exploited in the wild nor publicly disclosed as a zero-day. This vulnerability allows for remote code execution by an attacker who connects to a system with the Remote Desktop Gateway role. The attack involves triggering a race condition to create a use-after-free scenario, which can then be leveraged to execute arbitrary code. Despite its critical severity, the attack complexity is high, requiring the attacker to successfully win a race condition to exploit the vulnerability.
Windows Remote Desktop Services Remote Code Execution Vulnerability (CVE-2025-27482)
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-27482
This is a critical vulnerability with a CVSS score of 8.1, which has not been exploited in the wild nor disclosed publicly, making it a potential zero-day threat. This vulnerability allows for remote code execution, posing a significant risk to systems with the Remote Desktop Gateway role. Exploitation requires an attacker to successfully navigate a high-complexity attack scenario, specifically by winning a race condition that leads to a use-after-free situation, ultimately enabling the execution of arbitrary code. Organizations are advised to implement robust security measures and monitor for any suspicious activities to mitigate potential risks associated with this vulnerability.
This summary highlights key vulnerabilities from Microsoft's monthly updates, focusing on those posing significant risks. The Windows Common Log File System Driver vulnerability (CVE-2025-29824) is a zero-day threat actively exploited, allowing attackers to gain SYSTEM-level privileges. Users should prioritize monitoring and applying updates once available. Other critical vulnerabilities, such as those affecting LDAP and Remote Desktop Services, involve complex attack scenarios but pose severe risks due to potential remote code execution. Microsoft Office and Excel vulnerabilities also present significant threats, often requiring user interaction through social engineering tactics. Users are advised to remain vigilant and apply security updates promptly upon release to mitigate these risks ...
Read the full entry: https://isc.sans.edu/diary/Microsoft+April+2024+Patch+Tuesday/31838/
New SSH Username Report
Published: 2025-04-06
Last Updated: 2025-04-06 19:52:07 UTC
by Johannes Ullrich (Version: 1)
As you may have noticed by some of my recent diaries, I have spent a bit more time on ssh and telnet credentials. These credentials are collected by Cowrie, the amazing full features SSH and Telnet honeypot maintained by Michel Oosterhof. Cowrie is installed as a component if you install our DShield honeypot.
One very simple way to find "interesting" things is to look at what is new. To allow you to explore yourself, I added an "SSH/Telnet Username Summary". The report lists all usernames we observed in the last 30 days, and if we saw them at least five times. These numbers may, of course, change. There is also a simple JSON formatted report you may download to play with: https://isc.sans.edu/sshallusernames.json
So let's take a quick look at "what's new":
ysoperator: Looks familiar, but can't remember where I saw it. Google is of little help here.
uery: Maybe a typo, and should be "query"?
tamatiek: Appears to be a Japanese name?
shughes: I guess this is for "S Hughes". Many systems use the first initial and last name as username. There are a few more like that that I will skip here
dbmasteruser: Something a bit more interesting. Likely supposed to refer to a database administrator account.
And there is one I think was funny: /usr/share/wordlists/logins.txt . Yes, the filename and path. I suspect the user didn't know yet how to run the brute force script and passed the filename instead of the username. There are a few I consider typos: "atascientist" (I suspect "datascientist"), "ackupadmin" (backupadmin?). Could also be a tool that swallows the first letter of the username if the username is not provided correctly.
I am working on a similar list of passwords. But there are a lot more different passwords than usernames making that a bit more challenging. Let me know if there are any additional details I should add.
Lesson: Attackers make mistakes too, and there are no real "safe" usernames ...
Read the full entry: https://isc.sans.edu/diary/New+SSH+Username+Report/31830/
Exploring Statistical Measures to Predict URLs as Legitimate or Intrusive [Guest Diary]
Published: 2025-04-02
Last Updated: 2025-04-03 00:51:32 UTC
by Guy Bruneau (Version: 1)
[This is a Guest Diary by Gregory Weber, an ISC intern as part of the SANS.edu BACS program]
For the last 5 months, as part of my BACS internship with SANS, I have monitored two deployments of a DShield Sensor, sometimes referred to as a honeypot. The DShield sensor offers multiple attack surfaces including Telnet and SSH ports but one of its features is a public-facing web server. One of my deployments sits on a cloud instance and this web server sees a large volume of traffic, making it ideal for research on web server attacks.
Many of the web "attacks" I have observed are rapid-fire URL submissions to the WordPress server meant to see if the server will reveal any of its "secrets" like encryption key files, user accounts, or back end logic. Moreover, the submissions are automated and often what appear to be "just passing by and saw you were a web server so thought I would try" type opportunity checks (like a crook pulling door handles in a parking lot to see if anything happens to open for a quick snag). As a community, information security professionals are probably more concerned with targeted attacks to their organizations but crimes of opportunity can be just as damaging -particularly where they reveal the existence of weaknesses to an attack group that may otherwise never bother with that specific organization.
While tending to my daily analysis, I have also been progressing through SEC595 "Applied Data Science and AI/Machine Learning for Cybersecurity Professionals". I enjoy the challenges of coding and I am fascinated with data driven decisions; particularly where carefully thought-out data science logic can help us separate out those things which our human problem-solving skills and expertise need to focus on versus the thousands of things they do not.
As such, I decided to experiment with applying frequency analysis to the Dshield data I had been collecting just to see whether I could write a simple classification program. I chose to focus on the web honeypot URL data to write a program that parses a URL and accurately determines if the URL represents an intrusive type request or what I call a legitimate request. The experiment differs from many other categorical URL classification programs in that those classifiers are often focused on user initiated connections to external sites. In other words, those programs attempt to determine if a URL a user is clicking/typing is malicious based on statistical metrics such as "known bad" IP address lists or name lists. This program is focused on those URLs that may get submitted to a public facing web server in attempts to scope the server's logic, perform command injection, perform server side request forgeries, or retrieve restricted files from a database or file directory that trusts the server ...
Read the full entry: https://isc.sans.edu/diary/Exploring+Statistical+Measures+to+Predict+URLs+as+Legitimate+or+Intrusive+Guest+Diary/31822/