SANS Stormcast Wednesday, May 21st 2025: Researchers Scanning the Internet; Forgotten DNS Records; openpgp.js Vulneraiblity
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
4.9 • 696 Ratings
🗓️ 21 May 2025
⏱️ 8 minutes
🧾️ Download transcript
Summary
Researchers Scanning the Internet
A newish RFC, RFC 9511, suggests researchers identify themselves by adding strings to the traffic they send, or by operating web servers on machines from which the scan originates. We do offer lists of researchers and just added three new groups today
https://isc.sans.edu/diary/Researchers%20Scanning%20the%20Internet/31964
Cloudy with a change of Hijacking: Forgotten DNS Records
Organizations do not always remove unused CNAME records. An attacker may take advantage of this if an attacker is able to take possession of the now unused public cloud resource the name pointed to.
https://blogs.infoblox.com/threat-intelligence/cloudy-with-a-chance-of-hijacking-forgotten-dns-records-enable-scam-actor/
Message signature verification can be spoofed CVE-2025-47934
A vulnerability in openpgp.js may be used to spoof message signatures. openpgp.js is a popular library in systems implementing end-to-end encrypted browser applications.
https://github.com/openpgpjs/openpgpjs/security/advisories/GHSA-8qff-qr5q-5pr8
Transcript
Click on a timestamp to play from that location
| 0:00.0 | Hello and welcome to the Wednesday, May 21st, 2025 edition of the Sands and its Storms anders Stormcast. |
| 0:07.8 | My name is Johannes Ulrich, and this episode brought to you by the Graduate Certific Program in Cyber Defense Operations is recorded again in Jacksonville, Florida. |
| 0:19.9 | Well, today's diary is not a hot new threat for a change, |
| 0:23.2 | but something that has been happening for a while. |
| 0:25.6 | The reason I wrote about it today was earlier today, |
| 0:29.9 | Caleb in our Slack channel asked the question |
| 0:32.7 | whether or not a researcher scanning the internet |
| 0:35.0 | actually obey RFC 9511. Now, you may ask what is RFC 9511. |
| 0:42.4 | It's a standard that suggests researchers who are scanning the internet, well, should do something |
| 0:49.0 | to identify their scans as originating from a research project and also help people who are targeted by |
| 0:57.3 | these scans to contact whoever is the origin organization of these scans. There are a number of |
| 1:05.1 | methods that this particular RFC proposes. For example, you can set up a web server on the system performing |
| 1:13.3 | the scans and then a standard file on that web server will identify the origin of the scan. |
| 1:20.5 | Also, you can basically add some information like a URL or such as part of the payload of the data that you're sending. |
| 1:29.4 | The most common implementation I see is that researchers are adding a string like a URL to the user |
| 1:39.2 | agent when they're scanning web applications. And that's, of course, one thing that we are looking at. |
| 1:45.3 | For a few years now, we are publishing a list of IP addresses |
| 1:50.1 | that we consider part of research organizations performing scan. |
| 1:55.4 | Now, some of them are commercial, but the idea is the same |
| 1:58.7 | that they're scanning the Internet to, for example, identify |
| 2:02.0 | infected systems or identify weekly configured systems. Shodan, probably being the largest |
| 2:08.4 | one, census also being quite robust and oftenly cited when it comes to these type of scans. |
... |
Transcript will be available on the free plan in 1 days. Upgrade to see the full transcript now.
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
Copyright © Tapesearch 2025.