Hello and welcome to the Wednesday, October 8th, 2025 edition of the Sands Internet Storm Centers.

Stormcast, my name is Johannes Ulrich, recording today from Denver, Colorado.

And this episode is brought you by the Sands.edu graduate certificate program in incident response.

In diaries today, I wrote about exploit attempts that we have been seen against free pbX.

Free pbX is the popular voice over IP system, and it had a critical vulnerability disclosed about two months ago.

This vulnerability had already been exploited at the time it was disclosed and yes, of course,

many of these free PbX systems hadn't been patched at the time.

What we are seeing here is an interesting way to leverage SQL injection

to actually achieve remote code execution.

Free pbx maintains a database table called gran jobs.

That table can be used to essentially add system Cron jobs

via the Cigle Injection Vulnerability. So the Cicle Injection Vulnerability is just used to

insert an additional row into this table, which will then launch a Cron job every minute. That Gronjob will create a file in the

web document root directory that just echoes back, well, that the system essentially vulnerable.

It does also echo back the output of new name dash A and then deletes the file, deletes itself, which I don't think

actually makes a big difference because the Grand Shop keeps running and will continuously

recreate the file. But the file, it's a PHP file, so it's only executed if it's actually

loaded in a browser. At this point, we haven't really seen any attempts to access this file, but our honeypots

aren't really sort of claiming to be vulnerable, so it's possible that the attacker figures

out after trying to deploy this particular file using the vulnerability that the exploit actually didn't

work. And Microsoft published a very extensive blog post about disrupting threats targeting Microsoft

Teams. In the first part of this blog post, they are discussing various threats that Teams is

...