🗓️ 26 September 2025
⏱️ 5 minutes
| 0:00.0 | Hello and welcome to the Friday, September 26, 2025 edition of the SANS Internet Storm Center's Stormcast. |
| 0:10.6 | My name is Johannes Ullrich, recording today from Las Vegas, Nevada. |
| 0:16.1 | And this episode is brought to you by the SANS.edu graduate certificate program in industrial control system security. |
| 0:24.5 | Our honeypots registered an increase in scans for files in the dot well-known directory, |
| 0:31.3 | and the URLs look like they're probably looking for web shells. |
| 0:36.5 | The dot well-known directory is, of course, well, in Unix hidden with the dot at the beginning |
| 0:42.2 | of the name of the directory, but it is commonly used for information files like |
| 0:47.8 | security. |
| 0:48.3 | Or also to confirm the ownership of a website with the ACME protocol if you're using the web-based |
| 0:57.2 | authentication for this protocol to obtain certificates. |
| 1:01.9 | Probably best to keep an eye on this directory. |
| 1:04.2 | If anybody finds an interesting web shell there, would love to take a quick look at what |
| 1:10.0 | this web shell does, but not necessarily expecting |
| 1:13.1 | anything super sophisticated or different here. |
| 1:17.5 | Well, and then we got more news from Cisco. |
| 1:19.6 | Yesterday I mentioned the already exploited SNMP vulnerability. |
| 1:24.1 | Wasn't really all that exciting because in order to exploit that vulnerability, |
| 1:28.3 | you must already have admin credentials. |
| 1:32.2 | But we now have two additional vulnerabilities that apparently are also already being exploited |
| 1:37.9 | and some say the exploitation goes about one year back. |
| 1:43.7 | The first vulnerability is rated as critical. It does allow for |
| 1:47.5 | arbitrary code execution on the ASA, that's the Adaptive Security Appliance, as well as on FTD, the |
... |
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.