SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Friday, July 11th, 2025: SSH Tunnel; FortiWeb SQL Injection; Ruckus Unpatched Vuln; Missing Motherboard Patches;

SANS ISC Handlers

🗓️ 11 July 2025

⏱️ 6 minutes

Summary


SSH Tunneling in Action: direct-tcp requests
Attackers are compromising SSH servers to abuse them as relays: the attacker opens direct-tcp port-forwarding connections through the compromised server to forward traffic to a victim. In this particular case, the Yandex mail server was the primary victim of these attacks.
https://isc.sans.edu/diary/SSH%20Tunneling%20in%20Action%3A%20direct-tcp%20requests%20%5BGuest%20Diary%5D/32094
Fortiguard FortiWeb Unauthenticated SQL injection in GUI (CVE-2025-25257)
An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.
https://www.fortiguard.com/psirt/FG-IR-25-151
Ruckus Virtual SmartZone (vSZ) and Ruckus Network Director (RND) contain multiple vulnerabilities
Ruckus products suffer from a number of critical vulnerabilities. There is no patch available, and users are advised to restrict access to the vulnerable admin interface.
https://kb.cert.org/vuls/id/613753
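The SSH tunneling item above describes a compromised SSH account being used as a relay: the client asks the server to open an outbound TCP connection (a direct-tcpip channel, what `ssh -L` or `ssh -D` sets up) and the server does the talking to the real target. The following audit script is an added example, not code from the guest diary, the podcast, or OpenSSH; it parses an `sshd_config`, flags the settings that make a host usable as such a relay (forwarding enabled, password authentication, root login), and emits a hardened copy. The sample config is constructed, and the defaults it assumes for absent keywords are those documented in sshd_config(5).

```python
"""Audit an sshd_config for settings that let a compromised account be used
as a TCP relay (direct-tcpip forwarding), and emit a hardened copy.

Added example; WEAK_SSHD_CONFIG below is a constructed sample, not a real host."""
import re

# Constructed sample: the permissive shape that turns a weakly protected
# SSH server into a relay once an attacker guesses a password.
WEAK_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PasswordAuthentication yes
PermitRootLogin yes
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding yes
"""

# Values sshd applies when a keyword is absent (per sshd_config(5)).
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "gatewayports": "no",
    "permitopen": "any",
}

# Global-section values for a server that should never act as a relay.
HARDENED = {
    "AllowTcpForwarding": "no",
    "PasswordAuthentication": "no",
    "PermitRootLogin": "no",
    "GatewayPorts": "no",
}

# sshd_config accepts "Keyword value" or "Keyword=value"; a bare keyword
# (e.g. a lone "Match") has an empty value.
KEYVAL = re.compile(r"^(\S+?)(?:\s*=\s*|\s+|$)(.*)$")


def parse_sshd_config(text):
    """Return {lowercased keyword: value} for the global section.

    sshd uses the first value given for a keyword, so later duplicates are
    ignored, and everything from the first Match block on is conditional and
    therefore not part of the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        key, value = KEYVAL.match(line).groups()
        key = key.lower()
        if key == "match":
            break
        settings.setdefault(key, value.strip())  # first value wins
    return settings


def audit_relay_exposure(text):
    """List the settings that make the host usable as a forwarding relay."""
    cfg = parse_sshd_config(text)
    effective = lambda k: cfg.get(k, DEFAULTS[k]).lower()
    findings = []
    fwd = effective("allowtcpforwarding")
    if fwd in ("yes", "local"):
        findings.append("AllowTcpForwarding %s: the server will open outbound TCP "
                        "connections (direct-tcpip) on a client's behalf" % fwd)
    elif fwd == "remote":
        findings.append("AllowTcpForwarding remote: clients can expose ports on the server")
    if effective("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: exposed to password guessing")
    if effective("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root is reachable by password guessing")
    if effective("gatewayports") != "no":
        findings.append("GatewayPorts: forwarded ports are bound for remote hosts")
    if fwd != "no" and effective("permitopen") == "any":
        findings.append("PermitOpen any: no limit on forwarding destinations")
    return findings


def harden_sshd_config(text):
    """Put the HARDENED values first (first value wins) and drop the old
    global-section lines for those keywords; everything else is kept."""
    targets = {k.lower() for k in HARDENED}
    kept, in_match = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key = KEYVAL.match(line).group(1).lower() if line else None
        if key == "match":
            in_match = True
        if key in targets and not in_match:
            continue
        kept.append(raw)
    header = ["%s %s" % kv for kv in HARDENED.items()]
    return "\n".join(header + kept) + "\n"


if __name__ == "__main__":
    for f in audit_relay_exposure(WEAK_SSHD_CONFIG):
        print("WEAK:", f)
    print(harden_sshd_config(WEAK_SSHD_CONFIG))
```

Setting `AllowTcpForwarding no` is the control that matters for the relay abuse described in the diary; it denies the direct-tcpip channel regardless of how the account was obtained, while turning off password authentication removes the entry vector the interns keep observing on the honeypots.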

Transcript

0:00.0

Hello and welcome to the Friday, July 11, 2025 edition of the SANS Internet Storm Center's

0:06.8

Stormcast. My name is Johannes Ullrich, and today's episode, which is brought to you by the SANS.edu

0:12.9

Graduate Certificate Program in Penetration Testing and Ethical Hacking, is recorded in Jacksonville, Florida.

0:21.2

In Diaries today, we have yet again one of our undergraduate interns with the SANS.edu BACS program

0:29.0

write up an observation from a honeypot.

0:32.2

This particular one comes from Cui Neo, and it does show how attackers are using, well, open SSH servers.

0:40.8

In this case, weak passwords are typically used in order to penetrate the SSH server, but the attacker

0:47.4

here is actually kind of leaving the SSH server alone. It's only using the SSH server to then

0:54.1

set up SSH tunnels to other systems. And in this

0:58.2

particular case, one of the top targets that attackers were after was a mail server with

1:06.2

Yandex, Yandex being a large Russian ISP, which also operates a very large webmail system.

1:14.1

So they're probably going to send some kind of spam to this particular mail server.

1:20.1

This is a rather common technique: using a compromised SSH server as a proxy, essentially, to forward requests, which obfuscates the actual source

1:31.5

of the attack. Sometimes they can also be sort of daisy-chained, where you have multiple proxies

1:37.6

like this in order to further obfuscate the actual source of the attack. In the past,

1:43.1

even nation-state actors have sometimes

1:45.4

used this technique via compromised home systems, home routers, and the like in order to again

1:51.6

obfuscate their tracks, and yet another reason why usually country blocks and the like

1:58.0

are not really helping against any of the little bit more

2:02.0

sophisticated attackers. And then before I forget it again, I intended to cover this

2:07.3

yesterday already, but well, it didn't quite make it. FortiGuard released an advisory

2:13.5

alerting its users of a critical vulnerability in the FortiWeb application.

...
