SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Monday, April 21st: MSFT Entra Lockouts; Erlang/OTP SSH Exploit; SonicWall Exploit; bubble.io bug

SANS ISC Handlers

Tech News, News, Technology

🗓️ 21 April 2025

⏱️ 8 minutes

Summary

Microsoft Entra User Lockout

Multiple organizations reported widespread alerts and account lockouts this weekend from Microsoft Entra. The issue is caused by a new feature Microsoft enabled, which locks accounts if Microsoft believes that the account's password has been compromised.

https://www.bleepingcomputer.com/news/microsoft/widespread-microsoft-entra-lockouts-tied-to-new-security-feature-rollout/
https://learn.microsoft.com/en-us/entra/identity/authentication/feature-availability

Erlang/OTP SSH Exploit

An exploit was published for the Erlang/OTP SSH vulnerability. The vulnerability is easy to exploit, and the published exploit and a Metasploit module make remote code execution straightforward.

https://github.com/exa-offsec/ssh_erlangotp_rce/blob/main/ssh_erlangotp_rce.rb

SonicWall Exploited

An older command injection vulnerability is now being exploited on SonicWall devices after attackers first gain access by brute-forcing credentials.

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0022

Unpatched Vulnerability in Bubble.io

An unpatched vulnerability in the no-code platform bubble.io can be used to access any project hosted on the site.

https://github.com/demon-i386/pop_n_bubble

Transcript

0:00.0

Hello and welcome to the Monday, April 21st, 2025 edition of the SANS Internet Storm Center's

0:08.1

Stormcast. My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

0:13.7

Looks like this weekend was not a good weekend for administrators using Microsoft Entra for authentication.

0:22.7

Microsoft apparently made live a new feature.

0:26.3

They're calling it MACE.

0:28.3

And the idea behind the feature is not a bad idea.

0:32.0

It does flag accounts whose credentials have been compromised in the past.

0:37.9

So they're tying into some kind of back end.

0:40.4

I'm not sure if it's Have I Been Pwned or something they built themselves.

0:44.1

But if you're using credentials that were found in recent compromises, the account is then

0:51.9

automatically locked.

0:53.7

The problem is that, well, a lot of accounts apparently were affected by this.

0:59.6

Some report, like about a third of their accounts were flagged, so you got this rash of alerts.

1:06.3

And of course, attackers haven't necessarily taken advantage of this issue, so it's very possible that the

1:13.6

account itself is still fine. It's a little bit tricky how you should react to these alerts.

1:19.8

Of course, you should probably ask users to update their passwords. But on the other hand,

1:26.9

having a third of your users all of a sudden disabled is often

1:31.5

not really sustainable from customer support as well as from a business perspective overall.

1:38.2

So you may need to find a quick workaround here to keep these accounts going for now.

1:44.9

It's not clear what exactly was compromised, if just the password showed up in any compromise

1:53.2

or the username and password combination showed up.

1:56.8

Of course, the second being much more dangerous than your user is just using a somewhat weak

...

Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.

Copyright © Tapesearch 2025.