🗓️ 29 September 2025
⏱️ 9 minutes
| 0:00.0 | Hello and welcome to the Monday, September 29th, 2025 edition of the SANS Internet Storm Center's |
| 0:11.6 | Stormcast, my name is Johannes Ullrich, recording today from Jacksonville, Florida. |
| 0:17.3 | And this episode is brought to you by the SANS.edu graduate certificate program in industrial control system security. |
| 0:25.5 | Quick script from Jim this weekend for anybody doing forensics, incident response, something to convert the Unix timestamps in Bash history files to a more human-readable ISO format. |
| 0:39.4 | Adding timestamps to Bash history is obviously useful in incident response. |
| 0:45.1 | If it's not done by your system, all you have to do is add a HISTTIMEFORMAT variable to your |
| 0:51.9 | .bashrc or a similar file. |
| 0:56.2 | And with that, you basically define the format. |
| 0:59.3 | It's often defined as a Unix timestamp. |
| 1:01.3 | Part of this is to make it easy to sort. |
| 1:05.7 | The file is being written whenever a shell exits. |
| 1:09.2 | So if you have multiple shells running around the same time, |
| 1:15.1 | well, these particular commands may not necessarily be in time order as they're being saved to the file. |
| 1:16.2 | And of course, the usual caveats about this file being potentially manipulated or disabled |
| 1:21.4 | by an attacker apply. |
| 1:24.7 | And then we still have to talk about the Cisco vulnerability that I mentioned last week, |
| 1:29.9 | the vulnerability had already been exploited. |
| 1:34.3 | So again, this affects the ASA and Firepower devices. |
| 1:39.1 | Note that exploitation of the devices likely started about a year ago. I've seen numbers in news articles |
| 1:48.5 | and so that mentioned two million affected devices. Now note that these are potentially |
| 1:54.4 | vulnerable devices, not exploited devices. I think that distinction sometimes got lost in some of the articles that I've seen. |
| 2:03.3 | At this point, there's only a very small number of actual exploited devices as far as I've seen. |
... |
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.