SANS Stormcast Wednesday, April 23rd: More xorsearch Updates; DKIM Replay Attack; SSL.com Vulnerability Fixed

Update: 2025-04-23

Description

xorsearch.py: Ad Hoc YARA Rules

Adhoc YARA rules allow for easy searches using command line arguments without having to write complete YARA rules for simple use cases like string and regex searches

https://isc.sans.edu/diary/xorsearch.py%3A%20%22Ad%20Hoc%20YARA%20Rules%22/31856

Google Spoofed via DKIM Replay Attack

DKIM replay attacks are a known issue where the attacker re-uses a prior DKIM signature. This will work as long as the headers signed by the signature are unchanged. Recently, this attack has been successful against Google.

https://easydmarc.com/blog/google-spoofed-via-dkim-replay-attack-a-technical-breakdown/

SSL.com E-Mail Validation Bug

SSL.com did not properly verify which domain a particular email address is authorized to receive certificates for. This could have been exploited against webmail providers.

https://bugzilla.mozilla.org/show_bug.cgi?id=1961406

Comments

In Channel

SANS Stormcast Friday, May 23rd 2025: Backup Connectivity; Windows 2025 dMSA Abuse; Samlify Vulnerability

2025-05-2307:54

SANS Stormcast Thursday, May 22nd 2025: Crypto Confidence Scams; Extension Mayhem for VS Code and Chrome

2025-05-2206:21

SANS Stormcast Wednesday, May 21st 2025: Researchers Scanning the Internet; Forgotten DNS Records; openpgp.js Vulneraiblity

2025-05-2107:51

SANS Stormcast Tuesday, May 20th 2025: AutoIT Code RAT; Fake Keepass Download; Procolored Printer Software Compromise

2025-05-2006:41

SANS Stormcast Monday, May 18th 2025: xorsearch python functions; pwn2own Berlin; senior govt official impersonation; dynamic domain risk

2025-05-1906:30

SANS Stormcast Friday, May 16th: Increase in Sonicwall Scans; RVTools Compromised?; RountPress

2025-05-1606:26

SANS Stormcast Thursday, May 15th: Google Open Redirects; Adobe, Ivanti, and Samsung patches

2025-05-1506:16

SANS Stormcast Wednesday, May 14th: Microsoft Patch Tuesday; 0-Days patched for Ivanti Endpoint Manager and Fortinet Products

2025-05-1406:38

SANS Stormcast Tuesday, May 12th: Apple Patches; Unipi Technologies Scans;

2025-05-1306:29

SANS Stormcast Monday, May 11th: Steganography Challenge; End-of-Life Routers; ASUS Driverhub; RV-Tools SEO Poisoning

2025-05-1206:39

SANS Stormcast Friday, May 9th: SSH Exfil Tricks; magicINFO still vulnerable; SentinelOne Vulnerability; Commvault insufficient patch

2025-05-0904:57

SANS Stormcast Thursday, May 8th: Modular Malware; Sysaid Vuln; Cisco Wireless Controller Patch; Unifi Protect Camera Patch

2025-05-0805:41

SANS Stormcast Wednesday, May 7th: Infostealer with Webserver; Android Update; CISA Warning

2025-05-0706:44

SANS Stormcast Tuesday, May 6th: Mirai Exploiting Samsung magicInfo 9; Kali Signing Key Lost;

2025-05-0606:57

SANS Stormcast Monday, May 5th: Steganography Challenge; Microsoft Makes Passkeys Default and Moves Away from Authenticator as Password Manager; Magento Components Backdoored.

2025-05-0505:57

SANS Stormcast Friday, May 2nd: More Steganography; Malicious Python Packages GMail C2; BEC to Steal Rent Payments

2025-05-0207:16

SANS Stormcast Thursday, May 1st: Sonicwall Attacks; Cached Windows RDP Credentials

2025-05-0106:28

SANS Stormcast Wednesday, April 30th: SMS Attacks; Apple Airplay Vulnerabilities

2025-04-3008:51

SANS Stormcast Tuesday, April 29th: SRUM-DUMP 3; Policy Puppetry; Choice Jacking; @sansinstitute at #RSAC

2025-04-2907:37

SANS Stormcast Monday, April 28th: Image Steganography; SAP Netweaver Exploited

2025-04-2807:55

00:00

SANS Stormcast Wednesday, April 23rd: More xorsearch Updates; DKIM Replay Attack; SSL.com Vulnerability Fixed

#box-pro-ellipsis-174815365926931{-webkit-line-clamp:2;}SANS Stormcast Wednesday, April 23rd: More xorsearch Updates; DKIM Replay Attack; SSL.com Vulnerability Fixed

SANS Stormcast Wednesday, April 23rd: More xorsearch Updates; DKIM Replay Attack; SSL.com Vulnerability Fixed

Dr. Johannes B. Ullrich

SANS Stormcast Wednesday, April 23rd: More xorsearch Updates; DKIM Replay Attack; SSL.com Vulnerability Fixed