A brief daily summary of what is important in information security. The podcast is published every weekday and designed to get you ready for the day with a brief, usually 5 minute long, summary of current network security related events. The content is late breaking, educational and based on listener input as well as on input received by the SANS Internet Stormcenter. You may submit questions and comments via our contact form at https://isc.sans.edu/contact.html .
SANS Stormcast Monday Mar 17th 2025: Analyzing GUID Encoded Shellcode; Node.js SAML Vuln; Tomcat RCE in the Wild; CSS e-mail obfuscation
March 17, 2025
7:03
6.19 MB
Downloads: 0
Static Analysis of GUID Encoded Shellcode
Didier explains how to decode shell code embeded as GUIDs in malware, and how to feed the result to his tool 1768.py which will extract Cobal Strike configuration information from the code.
https://isc.sans.edu/diary/Static%20Analysis%20of%20GUID%20Encoded%20Shellcode/31774
SAMLStorm: Critical Authentication Bypass in xml-crypto and Node.js libraries
xml-crypto, a library use in Node.js applications to decode XML and support SAML, has found to parse comments incorrectly leading to several SAML vulnerabilities.
https://workos.com/blog/samlstorm
One PUT Request to Own Tomcat: CVE-2025-24813 RCE is in the Wild
A just made public deserialization vulnerablity in Tomcat is already being exploited. Contributing to the rapid exploit release is the similarity of this vulnerability to other Java deserializtion vulnerabilities.
https://lab.wallarm.com/one-put-request-to-own-tomcat-cve-2025-24813-rce-is-in-the-wild/ CVE-2025-24813
CSS Abuse for Evasion and Tracking
Attackers are using cascading stylesheets to evade detection and enable more stealthy tracking of users
https://blog.talosintelligence.com/css-abuse-for-evasion-and-tracking/