SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Monday, August 4th, 2025: Legacy Protocols; Sonicwall SSL VPN Possible 0-Day;


SANS ISC Handlers



🗓️ 4 August 2025

⏱️ 5 minutes

🧾️ Download transcript

Summary


Scans for pop3user with a guessable password

A particular IP address, assigned to a network that calls itself "Unmanaged", has been scanning telnet and SSH for a user called pop3user with the passwords pop3user or 123456. I assume they are looking for legacy systems that either still run POP3 or ran POP3 in the past and left the user enabled.
https://isc.sans.edu/diary/Legacy%20May%20Kill/32166

Possible SonicWall SSL VPN 0-Day

Arctic Wolf observed compromised SonicWall SSL VPN devices used by the Akira group to install ransomware. These devices were fully patched, and credentials had recently been rotated.
https://arcticwolf.com/resources/blog/arctic-wolf-observes-july-2025-uptick-in-akira-ransomware-activity-targeting-sonicwall-ssl-vpn/

PAM-Based Linux Backdoor

For over a year, attackers have used a PAM-based Linux backdoor that has so far received little attention from anti-malware vendors. PAM-based backdoors can be stealthy, and this one in particular includes various anti-forensics tricks.
https://www.nextron-systems.com/2025/08/01/plague-a-newly-discovered-pam-based-backdoor-for-linux/
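The first item above is about accounts that outlive the protocol they were created for, and the episode's advice is to remove such accounts or make sure they can no longer log in. The following Python script is an added example, not code from the podcast, the ISC diary or SANS: it audits a passwd-format file for accounts whose name or GECOS field hints at a legacy protocol and that still have an interactive shell, then counts failed SSH password attempts against those accounts. The passwd excerpt and the sshd log lines are constructed for the example, the hint list and the no-login shell list are assumptions to adjust per environment, and the log regex assumes OpenSSH's "Failed password for ... from ..." message format.

```python
"""Added example: audit legacy mail-protocol accounts and spot logins aimed at them.

Sample data below (passwd excerpt and sshd log lines) is constructed for this
example; the account-name heuristic and the OpenSSH "Failed password" line
format are assumptions, not something the diary or podcast specifies.
"""
import re
from collections import Counter

# Constructed /etc/passwd excerpt (name:x:uid:gid:gecos:home:shell).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
pop3user:x:1001:1001:POP3 mailbox account:/var/mail/pop3:/bin/sh
dovecot:x:112:120:Dovecot mail server:/usr/lib/dovecot:/usr/sbin/nologin
imapd:x:113:121:legacy IMAP daemon:/var/lib/imapd:/usr/sbin/nologin
alice:x:1002:1002:Alice:/home/alice:/bin/bash
"""

# Constructed sshd log lines in OpenSSH's "Failed password" format (assumed).
SAMPLE_AUTH_LOG = """\
Aug  3 02:11:04 mail sshd[2113]: Failed password for pop3user from 203.0.113.45 port 51322 ssh2
Aug  3 02:11:07 mail sshd[2113]: Failed password for pop3user from 203.0.113.45 port 51330 ssh2
Aug  3 02:11:12 mail sshd[2115]: Failed password for invalid user admin from 203.0.113.45 port 51341 ssh2
Aug  3 02:12:40 mail sshd[2119]: Accepted publickey for alice from 198.51.100.7 port 40112 ssh2
Aug  3 02:15:02 mail sshd[2121]: Failed password for alice from 198.51.100.7 port 40120 ssh2
"""

# Shells that block interactive login. Assumed list; adjust per distribution.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Heuristic hints that an account belongs to a legacy protocol service (assumed).
LEGACY_HINTS = ("pop3", "pop", "imap", "uucp", "ftp")

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_passwd(text):
    """Parse passwd-format lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue
        name, _, uid, _, gecos, _, shell = parts
        entries.append({"name": name, "uid": int(uid), "gecos": gecos, "shell": shell})
    return entries


def looks_legacy(entry):
    """True if the account name or GECOS field mentions a legacy protocol."""
    blob = (entry["name"] + " " + entry["gecos"]).lower()
    return any(hint in blob for hint in LEGACY_HINTS)


def legacy_accounts_with_login_shell(passwd_text):
    """Legacy-looking accounts that can still log in interactively."""
    return sorted(
        e["name"] for e in parse_passwd(passwd_text)
        if looks_legacy(e) and e["shell"] not in NOLOGIN_SHELLS
    )


def failed_logins_for(log_text, watched_users):
    """Count failed password attempts per (user, source IP) for watched accounts."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m and m.group(1) in watched_users:
            counts[(m.group(1), m.group(2))] += 1
    return counts


def remediation_commands(names):
    """Suggested usermod invocations: lock the password and set a no-login shell."""
    return [f"usermod -L -s /usr/sbin/nologin {n}" for n in names]


if __name__ == "__main__":
    stale = legacy_accounts_with_login_shell(SAMPLE_PASSWD)
    print("legacy accounts with a login shell:", stale)
    watched = {e["name"] for e in parse_passwd(SAMPLE_PASSWD) if looks_legacy(e)}
    for (user, src), n in failed_logins_for(SAMPLE_AUTH_LOG, watched).items():
        print(f"{n} failed password attempts for {user} from {src}")
    for cmd in remediation_commands(stale):
        print("suggested:", cmd)
```

On the constructed data the audit flags only pop3user (imapd is legacy-looking but already has a no-login shell), and the log pass attributes two failed attempts against it to a single source. The remediation helper only returns commands; review the list before running anything, since the hint match is a heuristic and a real mail system may still depend on one of the accounts.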

Transcript


0:00.8

Hello and welcome to the Monday, August 4, 2025 edition of the SANS Internet Storm Center's Stormcast.

0:08.3

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

0:12.3

And this episode is brought to you by the SANS.edu graduate certificate program in incident response.

0:20.5

Nothing groundbreaking today as far as

0:23.5

Storm Center data goes. Well, the one little bit odd thing they had is scans for

0:30.2

SSH and telnet using the username pop3user and the password, well, just the username or

0:36.9

123456.

0:38.5

Just a reminder that, well, yes, those old protocols may still be out there.

0:44.2

So if you no longer use POP, make sure you don't just disable the POP3 server, but also,

0:51.0

well, remove associated accounts if possible or make sure they're at least

0:55.7

not able to log in because, well, given that they are probably 10 or so years old, who knows

1:01.0

what the password is and it may be something stupidly simple. Also interesting here, the network

1:07.2

where these particular scans originated from, well, it's managed by Unmanaged,

1:13.5

according to WHOIS. That appears to be the official name of that particular network service

1:19.7

provider. So Unmanaged.uk. It's a UK provider, at least according to the records.

1:27.7

Don't think they're doing much in terms of managing abuse and the like.

1:32.3

These are often also some bullet-proof hosting providers.

1:36.4

Haven't seen this particular one before,

1:38.7

but often I don't really bother looking at the WHOIS record.

1:43.2

So definitely, well, like I said, maybe just

1:46.3

block that particular network. Haven't really seen anything too useful in that network.

1:52.3

And Arctic Wolf published a blog post stating that they suspect there may be a zero-day

...



Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
