SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Friday, August 8th, 2025: ASN43350 Mass Scans; HTTP1.1 Must Die; Hybrid Exchange Vuln; SonicWall Update; SANS.edu Research: OSS Security and Shifting Left

SANS ISC Handlers

Tech News, News, Technology

4.9696 Ratings

🗓️ 8 August 2025

⏱️ 24 minutes

Summary


Mass Internet Scanning from ASN 43350
Our undergraduate intern Duncan Woosley wrote up aggressive scans from ASN 43350.
https://isc.sans.edu/diary/Mass+Internet+Scanning+from+ASN+43350+Guest+Diary/32180/#comments
HTTP/1.1 Desync Attacks
PortSwigger released details about new types of HTTP/1.1 desync attacks it uncovered. These attacks are particularly critical for organizations using middleboxes to translate from HTTP/2 to HTTP/1.1.
https://portswigger.net/research/http1-must-die
Microsoft Warns of Exchange Server Vulnerability
An attacker with admin access to an Exchange Server in a hybrid configuration can use this vulnerability to gain full domain access. The issue is mitigated by an April hotfix, but this was not noted when the April hotfix was released.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53786
SonicWall Update
SonicWall no longer believes that a new vulnerability was used in recent compromises.
https://www.sonicwall.com/support/notices/gen-7-and-newer-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430
SANS.edu Research: Wellington Rampazo, Shift Left the Awareness and Detection of Developers Using Vulnerable Open-Source Software Components
https://www.sans.edu/cyber-research/shift-left-awareness-detection-developers-using-vulnerable-open-source-software-components/

Transcript

0:00.0

Hello and welcome to the Friday, August 8th, 2025 edition of the SANS Internet Storm Center's Stormcast.

0:11.5

My name is Johannes Ullrich, recording today from Jacksonville, Florida.

0:16.5

This episode is brought to you by the SANS.edu graduate certificate program in incident response.

0:24.4

In diaries today, we have yet again one of our SANS.org undergraduate interns

0:29.9

that wrote up a little observation from their own honeypot.

0:35.8

Duncan Woosley observed all of a sudden a big influx of scans from

0:40.6

Anima. Looking at it closer, it actually turned out that this was associated with ASN 43350,

0:48.4

ASN, autonomous systems or autonomous system numbers. That's basically the different networks connected to the

0:54.6

internet, and ASN 43350, which is assigned to a company called NForce Entertainment, well,

1:04.2

has a little bit of a habit of often renting out its IP address space. So that, of course,

1:11.3

opens them up to more suspicious

1:13.8

and, well, sometimes malicious uses.

1:18.3

The traffic spiked over a couple days

1:21.1

between April and then later again in July.

1:26.0

The next question, of course,

1:27.2

always comes up here is block lists.

1:30.0

And last time I mentioned block lists in diary,

1:33.9

there was a question that came up,

1:35.2

why I don't like block lists?

1:36.7

So should you block this particular ASN?

1:40.2

Well, maybe it really all depends on your own network.

1:44.3

Blocking sort of a big scanner like this can certainly reduce the noise in your network,

...

Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
