ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
It's 2025... so why are obviously malicious advertising URLs still going strong?
Published: 2025-04-21
Last Updated: 2025-04-21 08:48:44 UTC
by Jan Kopriva (Version: 1)
While the old adage stating that 'the human factor is the weakest link in the cyber security chain' will undoubtedly stay relevant in the near (and possibly far) future, the truth is that the tech industry could, and should, help alleviate the problem significantly more than it does today.
One clear example of this was provided by a phishing e-mail that was delivered to our mailbox here at the Internet Storm Center this morning.
For anyone aware of modern phishing techniques, the fact that the message was fraudulent would have been obvious at first glance, as you may see from the following picture... In fact, it even used a 'standard' layout that has been commonly used in phishing campaigns for some time now ...
Read the full entry: https://isc.sans.edu/diary/Its+2025+so+why+are+obviously+malicious+advertising+URLs+still+going+strong/31880/
RedTail, Remnux and Malware Management [Guest Diary]
Published: 2025-04-16
Last Updated: 2025-04-17 01:05:49 UTC
by Guy Bruneau (Version: 1)
[This is a Guest Diary by Jacob Claycamp, an ISC intern as part of the SANS.edu BACS program]
Introduction
When I first saw malware being uploaded to my honeypot, I lacked the requisite experience to reverse engineer it and to understand what was happening in the code. Even though I could use any text editor to examine the scripts that were being uploaded alongside the RedTail malware, I couldn't see what was happening with the RedTail malware itself. So, I decided to create a how-to on setting up a malware analysis program.
The malware analysis platform I chose is REMnux, a Linux distribution packaged with a variety of analysis tools, originally created by Lenny Zeltser, a SANS instructor. My original intent for the REMnux environment was to set it up inside a Docker container so that it was completely isolated from my computer. This way, if I accidentally detonated a malware sample, I could easily just wipe away the container. I can also wipe away the container after I've finished analyzing a sample and start with a fresh install each time I begin a new investigation.
For this how-to, I'll also make use of Kasm Workspaces, a Docker container streaming platform, and I'll deploy it inside a free-tier AWS EC2 instance. This approach will make it easy to access your workspace from a web browser.
Read the full entry: https://isc.sans.edu/diary/RedTail+Remnux+and+Malware+Management+Guest+Diary/31868/
Honeypot Iptables Maintenance and DShield-SIEM Logging (2025.04.23) https://isc.sans.edu/diary/Honeypot+Iptables+Maintenance+and+DShieldSIEM+Logging/31876/
xorsearch.py: "Ad Hoc YARA Rules" (2025.04.22) https://isc.sans.edu/diary/xorsearchpy+Ad+Hoc+YARA+Rules/31856/
Wireshark 4.4.6 Released (2025.04.20) https://isc.sans.edu/diary/Wireshark+446+Released/31872/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2025-31200 - tvOS, visionOS, iOS, iPadOS, and macOS Sequoia are vulnerable to memory corruption from processing a maliciously crafted media file, potentially leading to code execution, with reports suggesting this vulnerability may have been exploited in sophisticated attacks against certain targeted individuals on iOS.
Product: Apple macOS
CVSS Score: 7.5
** KEV since 2025-04-17 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-31200
CVE-2025-31201 - tvOS, visionOS, iOS, iPadOS, and macOS Sequoia versions 18.4.1 and 15.4.1 are vulnerable to an attack that may allow an attacker to bypass Pointer Authentication, potentially exploited in highly sophisticated attacks on specific individuals.
Product: Apple macOS
CVSS Score: 6.8
** KEV since 2025-04-17 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-31201
CVE-2025-24797 - Meshtastic is vulnerable to an attacker-controlled buffer overflow via invalid protobuf data in mesh packets, potentially leading to remote code execution without authentication or user interaction, fixed in version 2.6.2.
Product: Meshtastic
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24797
NVD References: https://github.com/meshtastic/firmware/security/advisories/GHSA-33hw-xhfh-944r
CVE-2025-28137 - The TOTOLINK A810R V4.1.2cu.5182_B20201026 router is vulnerable to a remote command execution flaw in the setNoticeCfg function.
Product: TOTOLINK A810R
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-28137
Webcast | Resiliency and Business Continuity in the Cloud Era | May 22, 1:00 pm ET. Join Dave Shackleford and Chris Newman as they discuss how cloud use is growing and changing, with some emphasis on zero trust and user access strategies; the types of security controls most organizations have implemented in the cloud; changing compliance and regulatory requirements; and why, and how, we need to rethink business continuity to ensure consistent coverage, even when outages occur. Save your seat today.
Webcast | The Future of Cloud Security Starts with Runtime | May 29, 1:00 ET. Modern cloud attacks are fast, stealthy, and constantly evolving. Can your security strategy keep up? Join us for an eye-opening session that explores why traditional security tools are falling short and how runtime visibility is becoming a critical pillar of modern cloud defense. Save your seat today.
Webcast | Be a DLP Hero: How to Quickly Deliver Value from Your DLP Program and Set It Up for Future Success | June 4, 1:00 ET. Join us for this practical, insight-packed webcast and learn how to confidently launch or strengthen your DLP program for immediate value and long-term success. Save your seat today.
Webcast | SANS 2025 CTI Survey Webcast & Forum: Navigating Uncertainty in Today's Threat Landscape | May 21, 10:30 am ET As the cyber threat landscape continues to evolve, the past year has presented unique challenges and opportunities for cyber threat intelligence professionals. Save your seat today so you can explore with Rebekah Brown and Andreas Sfakianakis this year's survey results.