🗓️ 3 October 2025
⏱️ 7 minutes
| 0:00.0 | Hello and welcome to the Friday, October 3rd, 2025 edition of the SANS Internet Storm Center's |
| 0:11.7 | Stormcast. My name is Johannes Ullrich, recording you today from Jacksonville, Florida. |
| 0:17.7 | And this episode is brought to you by the sans.edu undergraduate certificate program |
| 0:22.4 | in Cybersecurity Fundamentals. Well, and today, once more I wrote about the .well-known directory, |
| 0:30.3 | of course, have written about this in the past. Most recently, I think was last week about |
| 0:35.4 | some backdoors and such, some web shells that people left behind in that directory. |
| 0:41.5 | Today it's a little bit different. |
| 0:42.8 | Actually, no honeypot data for a change, but instead something I observed on our ISC web server, |
| 0:49.7 | and that is that attackers are scanning for URLs in the .well-known directory that are |
| 0:57.4 | valuable for reconnaissance. |
| 0:59.6 | There are a number of systems that add configuration files to the .well-known directory, |
| 1:05.5 | like, for example, the |
| 1:08.1 | terraform.json file that will give an attacker, of course, some hints as to what |
| 1:14.2 | APIs your particular system supports. Some of them are required, like that |
| 1:19.9 | terraform.json file in order to use these tools effectively. Also, these OAuth and OpenID configuration |
| 1:27.3 | files are required if you would like |
| 1:29.9 | to use these systems. Insofar, it's not a good idea to remove those files from your system |
| 1:36.4 | in case you see them on your system. Sometimes they're not even files, they're just APIs |
| 1:41.5 | themselves that create those responses dynamically. |
| 1:46.1 | So what you want to do is you want to at least keep an eye on these locations and make sure that what's being published here is supposed to be published. |
| 1:56.2 | I think it was yesterday or at least earlier this week where we had one case where one of these files did include |
| 2:02.7 | some secret keys, some API secrets, not just the public keys that are usually supposed |
... |
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.