SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Friday, October 24th, 2025: Android Infostealer; SessionReaper Exploited; BIND/unbound DNS Spoofing fix; WSUS Exploit

SANS ISC Handlers

🗓️ 24 October 2025

⏱️ 6 minutes

Summary

Infostealer Targeting Android Devices
This infostealer, written in Python, specifically targets Android phones. It takes advantage of Termux to gain access to data and exfiltrates it via Telegram.
https://isc.sans.edu/diary/Infostealer%20Targeting%20Android%20Devices/32414
Attackers exploit recently patched Adobe Commerce vulnerability CVE-2025-54236
Six weeks after Adobe's emergency patch, SessionReaper (CVE-2025-54236) has entered active exploitation. E-commerce security company Sansec has detected multiple exploit attempts.
https://sansec.io/research/sessionreaper-exploitation
Patch for BIND and unbound nameservers CVE-2025-40780
The Internet Systems Consortium (ISC.org), as well as the Unbound project, patched a flaw that may allow for DNS spoofing due to a weak random number generator.
https://kb.isc.org/docs/cve-2025-40780
WSUS Exploit Released CVE-2025-59287
Hawktrace released a walkthrough showing how to exploit the recently patched WSUS vulnerability.
https://hawktrace.com/blog/CVE-2025-59287

Transcript

0:00.0

Hello and welcome to the Friday, October 24th, 2025 edition of the SANS Internet Storm Center's Stormcast.

0:13.0

My name is Johannes Ullrich, recording today from Jacksonville, Florida.

0:18.1

And this episode is brought to you by the sans.edu credit certificate program in incident

0:23.5

response. Infostealers for Android written in Python, apparently that's a thing, and Xavier came across

0:32.8

an example. This particular infostealer takes advantage of Termux, a terminal emulator that is

0:39.5

available for Android. This terminal emulator also includes utilities that allow you to access

0:46.4

things like, for example, the address book and such from Android, and that then produces a simple

0:53.9

to parse JSON formatted output, and that is being

0:58.6

exfiltrated by this infostealer. Xavier isn't sure how sort of the entire infection

1:06.0

chain starts here in order to run the infostealer. The victim essentially already has

1:11.5

Termux running. It's possible that the attacker uses social engineering or essentially just

1:18.0

counts on victims that already have these tools installed on their Android phone.

1:25.6

And e-commerce security company Sansec has observed the active exploitation of a

1:32.2

recently patched Adobe Commerce vulnerability.

1:36.2

Adobe Commerce, also known as Magento, is an e-commerce application that we always focus on when

1:42.2

we have like Adobe patches, because in the past

1:44.9

vulnerabilities in this application have repeatedly been abused and have been exploited. So no big

1:51.8

difference here for this vulnerability. It also goes by the name of SessionReaper. The problem

1:57.8

is that an attacker is able to basically create a malicious session and then take

2:03.1

advantage of a deserialization vulnerability that will then execute arbitrary code.

2:09.9

Proof-of-concept code has been made available, has been made public, so it's no big surprise

2:15.4

here that this vulnerability is actively being exploited.

...