A brief daily summary of what is important in information security. The podcast is published every weekday and designed to get you ready for the day with a brief, usually 5 minute long, summary of current network security related events. The content is late breaking, educational and based on listener input as well as on input received by the SANS Internet Stormcenter. You may submit questions and comments via our contact form at https://isc.sans.edu/contact.html .
SANS Stormcast Monday, August 4th, 2025: Legacy Protocols; Sonicwall SSL VPN Possible 0-Day;
August 03, 2025
5:17
0.89 MB ( 3.54 MB less)
Downloads: 0
Scans for pop3user with guessable password
A particular IP assigned to a network that calls itself Unmanaged has been scanning telnet/ssh for a user called pop3user with passwords pop3user or 123456 . I assume they are looking for legacy systems that either currently run pop3 or ran pop3 in the past, and left the user enabled.
https://isc.sans.edu/diary/Legacy%20May%20Kill/32166
Possible Sonicwall SSL VPN 0-Day
Arcticwolf observed compromised Sonicwall SSL VPN devices used by the Akira group to install ransomware. These devices were fully patched, and credentials were recently rotated.
https://arcticwolf.com/resources/blog/arctic-wolf-observes-july-2025-uptick-in-akira-ransomware-activity-targeting-sonicwall-ssl-vpn/
PAM Based Linux Backdoor
For over a year, attackers have used a PAM-based Linux backdoor that so far has gotten little attention from anti-malware vendors. PAM-based backdoors can be stealthy, and this one in particular includes various anti-forensics tricks.
https://www.nextron-systems.com/2025/08/01/plague-a-newly-discovered-pam-based-backdoor-for-linux/