SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Tuesday, June 24th, 2025: Telnet/SSH Scan Evolution; Fake Sonicwall Software; File-Fix vs Click-Fix

SANS ISC Handlers

Tech News, News, Technology

🗓️ 25 June 2025

⏱️ 4 minutes

Summary


Quick Password Brute Forcing Evolution Statistics
After collecting usernames and passwords from our SSH and telnet honeypots for about a decade, I took a look back at how scans changed. Attackers are attempting more passwords in each scan than they used to, but the average length of passwords did not change.
https://isc.sans.edu/diary/Quick%20Password%20Brute%20Forcing%20Evolution%20Statistics/32068
Introducing FileFix A New Alternative to ClickFix Attacks
Attackers may trick the user into copy/pasting strings into File Explorer, which will execute commands similar to the ClickFix attack that tricks users into copy/pasting the command into the start menu's cmd feature.
https://www.mobile-hacker.com/2025/06/24/introducing-filefix-a-new-alternative-to-clickfix-attacks/
Threat Actors Modify and Re-Create Commercial Software to Steal User's Information
A fake Sonicwall Netextender clone will steal user's credentials.
https://www.sonicwall.com/blog/threat-actors-modify-and-re-create-commercial-software-to-steal-users-information

Transcript

0:00.0

Hello and welcome to the Wednesday, June 25th, 2025 edition of the SANS Internet Storm Center's Stormcast.

0:08.8

My name is Johannes Ullrich, and this episode, brought to you by the SANS.edu credit certificate program in cyber defense operations, is recorded in Stockholm, Germany.

0:20.7

In diaries today, I took a quick look at the history of the password brute forcing that we have

0:27.0

seen in our honeypots.

0:28.6

We collected the data starting in about 2015.

0:32.1

Now, my analysis, I start with 2018 data because that's where things became a bit more stable and we sort of have a consistent volume of data to look at.

0:43.0

And what I looked at is, first of all, do we have modern bots that are using more username password combinations to attack a particular target than the older bots.

0:54.3

And that appears to be somewhat true.

0:56.8

In the beginning, meaning 2018, we had about 10 different username and password combinations

1:03.0

attempted by each individual source IP address.

1:06.9

That is now up to about 70 or so different username and passwords.

1:14.7

I also took a quick look at the complexity of the passwords,

1:18.4

and that has been relatively steady around eight characters on average.

1:23.8

But remember, these are default passwords that these bots usually attempt. Now, there are a couple of

1:30.2

default passwords that are a bit larger and more complex, but most of them are simple stuff like,

1:37.3

you know, admin, password and the like. So relatively short passwords, and the length does necessarily

1:43.6

mean that it's more difficult to guess

1:45.7

password if it is actually just a simple default password.

1:50.9

And the blog post on mobilehacker.com does describe an interesting, well, I would say, further

1:58.0

development of the ClickFix matter. ClickFix refers to attackers that present

2:04.9

users with fake CAPTCHAs and then trick them into copy pasting code into their system.

2:12.6

Now that usually requires opening some kind of command prompt. What mobile hacker proposes here,

...

Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
