Hello and welcome to the Friday, April 4th,

2025 edition of the Sands and at Storm Center's Stormcast.

My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Today we got another diary from one of our undergraduate interns.

Gregory Weber did talk about while analyzing

URLs collected by Honeypots and how to identify malicious traffic and distinguish it from

normal traffic to a web application. Of course, Honeypots, by definition, really only get

malicious requests.

So Gregory did compare it to data from a normal website.

There's some frequency analysis on it and actually came up with a model that looks

reasonably good in distinguishing attacks from non-attacks.

I think still needs a little bit of refinement and maybe more data really to validate it well,

but it's an interesting approach and there, of course, is a lot of work happening currently

doing sort of some more automated log analysis, automated intrusion detection

using some of these machine learning techniques.

And the next story falls in the category never underestimate the creativity of a sophisticated attacker.

In this example, it's a critical vulnerability in Evandi Connect

Secure. It was patched in February. It's a buffer overflow, but exploitation is quite

constrained for that buffer overflow. So Ivanti initially assessed that this particular

vulnerability is not exploitable. Well, they were proven wrong now, apparently, by some

actor that may be associated with some Chinese state actors. According to Mandyant, who wrote about it,

it looks like they reversed the patch,

...