SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Tuesday, October 14th, 2025: ESAFENET Scans; Payroll Pirates; MSFT Edge IE Mode

SANS ISC Handlers

Tech News, News, Technology

4.9696 Ratings

🗓️ 13 October 2025

⏱️ 6 minutes

Summary


Scans for ESAFENET CDG V5
We do see some increase in scans for the Chinese secure document management system, ESAFENET.
https://isc.sans.edu/diary/Heads%20Up%3A%20Scans%20for%20ESAFENET%20CDG%20V5%20/32364

Investigating targeted payroll pirate attacks affecting US universities
Microsoft wrote about how payroll pirates redirect employee paychecks via phishing.
https://www.microsoft.com/en-us/security/blog/2025/10/09/investigating-targeted-payroll-pirate-attacks-affecting-us-universities/

Attacks against Edge via IE Mode
Microsoft Edge offers an IE legacy mode to support websites created for Internet Explorer. The old JavaScript engine, which is part of this mode, has been abused in recent attacks, and Microsoft will make it more difficult to enable IE Mode to counter these attacks.
https://microsoftedge.github.io/edgevr/posts/Changes-to-Internet-Explorer-Mode-in-Microsoft-Edge/

Transcript

0:00.0

Hello and welcome to the Tuesday, October 14th, 2025 edition of the SANS Internet Storm Center's

0:12.0

Stormcast, my name is Johannes Ullrich, recording today from Jacksonville, Florida.

0:18.3

And this episode is brought to you by the SANS.edu bachelor's degree program in

0:22.9

applied cyber security. Nothing too exciting in diaries today. I wrote up a tag scans that we

0:32.1

have seen for ESAFENET CDG. That is a document security management system.

0:39.3

Appears to mostly target the Chinese market.

0:42.1

It's Chinese maker of the software and their website and such is pretty much Chinese only.

0:48.1

So I assume that that's where they're focusing their marketing effort at.

0:53.0

There have been a number of different vulnerabilities,

0:56.6

including a cross-site scripting issue

0:58.8

that in particular sort of affected that system config endpoint

1:03.2

that we do see probed.

1:05.0

There have been prior vulnerabilities like SQL injection vulnerabilities.

1:08.7

So a little bit difficult to tell what exactly they're trying to exploit here, in particular

1:14.1

for the requests that I've seen so far, we don't actually have the request body.

1:19.0

Only some of our honeypots report that.

1:22.0

And the ones that have been exposed to these scans happened to not have reported the request body.

1:29.9

Other than that, as any of these electronic document security management systems

1:35.1

or secure document management systems,

1:38.0

well, don't assume they're secure.

1:39.9

I talked about this many times before and try to limit

1:43.8

the exposure of any documents stored in these systems.

...
