Apple Debuts Memory Integrity Enforcement in A19 Chip
(September 9, 10, & 11, 2025)
Apple has announced a security feature dubbed Memory Integrity Enforcement (MIE), incorporated into the forthcoming iPhone 17, designed to protect against memory safety flaws, "which are interchangeable, powerful, and exist throughout the industry," as well as being "the most widely exploited class of software vulnerabilities." Memory safety vulnerabilities have been exploited in "the only system-level iOS attacks [Apple] observe[s] in the wild," those being targeted attacks employing "mercenary spyware." Citing Apple’s ongoing goal to prioritize code and hardware that make it "inherently difficult" to exploit memory corruption flaws, the announcement describes MIE as an always-on protection engineered into the A19 Arm chips, building on Apple’s existing secure memory allocators, Enhanced Memory Tagging Extension (EMTE), and Tag Confidentiality Enforcement. The EMTE specification is also now available in Xcode for Apple developers to incorporate into their software.
Editor's Note
[Neely]
Apple is raising the bar beyond memory-safe programming, implementing controls at the chip level to not only cover legacy code that has not been converted to be memory safe, but to also backstop existing memory-safe coding efforts. Note you need an iPhone Air or iPhone 17 to get this CPU; pre-order starts September 12th.
[Pescatore]
Hardware-based protection has many advantages over trying to use software to protect software. The obvious disadvantage is the difficulty of remediating flaws that aren’t detected before shipping product, but the largest market issue here is the need for “memory safety standardization” so that all platforms can provide the basic memory-level protections to cross-platform applications.
[Frost]
I remember reading the initial paper on how Apple embedded Memory Protections in the Hardware components of their silicon. This is part of the culmination of that effort. I am very impressed that they are pushing ahead on this effort. It would be interesting to see this type of technology make it to their fleet of laptops and desktops.
[Dukes]
A good 'secure by design' move by AAPL. Computer memory has historically been a weak link in the security architecture of all compute devices. This is an attempt to address that security weakness while also sending a shot across the bow of spyware makers. CISA and others should be hailing this as a giant step forward for their Secure by Design/Security by Default initiative. Now we await the response from the spyware makers...
[Murray]
One prefers iOS and takes comfort from the fact that there is little one can do from the iOS user interface that will corrupt one's system or applications. These efforts by Apple address the fundamental limitations of the von Neumann architecture and demonstrate that memory-safe alternatives are useful and practical. Because it controls both hardware and software, Apple and its customers enjoy options that others may not.
Read more in:
- security.apple.com: Memory Integrity Enforcement: A complete vision for memory safety in Apple devices
- www.wired.com: Apple’s Big Bet to Eliminate the iPhone’s Most Targeted Vulnerabilities
- thehackernews.com: Apple iPhone Air and iPhone 17 Feature A19 Chips With Spyware-Resistant Memory Safety
- cyberscoop.com: Apple’s new Memory Integrity Enforcement system deals a huge blow to spyware developers
- www.securityweek.com: Apple Unveils iPhone Memory Protections to Combat Sophisticated Attacks
SonicWall Says New Ransomware Attacks Are Exploiting Old Vulnerability
(August 22 and September 10 & 11, 2025)
Researchers from Rapid7 have noted a surge in ransomware attacks exploiting a known vulnerability (CVE-2024-40766) in SonicWall firewalls. In August 2024, SonicWall released updates to address the improper access control vulnerability in SSLVPN that affected the company's Gen5, Gen6, and Gen7 firewall appliances. In an August 2025 support notice addressing the new round of ransomware attacks, SonicWall writes, "Many of the incidents relate to migrations from Gen 6 to Gen 7 firewalls, where local user passwords were carried over during the migration and not reset. Resetting passwords was a critical step outlined in the original advisory." The new round of attacks, like those observed last year, appears to be using the Akira ransomware-as-a-service (RaaS).
Editor's Note
[Neely]
Make sure you apply all the steps when remedying flaws. In this case rotating passwords was part of the last SonicWall update and many forgot to do that.
[Honan]
This story is a good reminder that your vulnerability management and patch management programs need to cover all devices in your estate, in particular critical ones such as your firewalls and other security devices. In many cases, patching of these systems is a manual process which can lead to them being overlooked.
[Frost]
Unfortunately, I’ve seen environments that had managed services where SonicWALL was involved and, for one reason or another, unpatched. If you see an error that your browser no longer supports SSLv3 and cannot connect to the admin interface, you know it’s an old SonicWALL device.
[Dukes]
Ugh, a year-old vulnerability, for which a patch was provided, being actively exploited. Those organizations affected, should they be hauled into court, will fail the reasonable cybersecurity argument. Bottom line: follow the guidance provided by the vendor and you have a defensible argument.
[Murray]
While we enumerate vulnerabilities, the instances of those vulnerabilities are such that some, not to say many, will be exploited before they are patched. Some will never be patched. The more popular the product, the more unpatched instances of the vulnerability. There will always be instances of "old vulnerabilities" being exploited. We must layer our security using structured networks, firewalls, and cryptography, to hide as many instances as possible.
Read more in:
- www.sonicwall.com: Gen 7 and newer SonicWall Firewalls – SSLVPN Recent Threat Activity
- www.rapid7.com: Akira Ransomware Group Utilizing SonicWall Devices for Initial Access
- www.theregister.com: Akira ransomware crims abusing trifecta of SonicWall security holes for extortion attacks
- thehackernews.com: SonicWall SSL VPN Flaw and Misconfigurations Actively Exploited by Akira Ransomware Hackers
- www.securityweek.com: Akira Ransomware Attacks Fuel Uptick in Exploitation of SonicWall Flaw
- www.bleepingcomputer.com: Akira ransomware exploiting critical SonicWall SSLVPN bug again
- nvd.nist.gov: CVE-2024-40766 Detail (August/September 2024)
Patch Tuesday: Microsoft, SAP, and Adobe
(September 9 & 10, 2025)
Earlier this week, Microsoft, SAP, and Adobe released security updates to address multiple vulnerabilities across their product lines. Microsoft released fixes for 86 vulnerabilities in their products, including 13 that are rated critical. None of the Microsoft vulnerabilities addressed this month appears to be under active exploit. SAP released or updated Security Notes for 26 vulnerabilities, including four that are rated critical: an insecure deserialization vulnerability in SAP Netweaver (CVE-2025-42944); an insecure file operations vulnerability in SAP NetWeaver AS Java (CVE-2025-42922); an update to a March 2023 Security Note for a directory traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (CVE-2023-27500); and a missing authentication check in SAP NetWeaver (CVE-2025-42958). Adobe has released updates to address vulnerabilities in nine products, including Adobe Acrobat and Reader, Adobe Commerce, and Adobe ColdFusion.
Editor's Note
[Neely]
Don’t let the Microsoft and Adobe updates distract you from updating your SAP instances as those flaws are under active exploit, and you’re going to have to weave the downtime and regression testing, albeit minimal, around your financial process schedule.
[Murray]
The rate of patches remains in the high tens per month. One fairly infers that there is a reservoir of both known and unknown vulnerabilities. The cost of quality, such as it is, is multiplied by the number of customers and, for popular products, may even exceed the cost of development. Clearly the market tolerates this cost. However, our infrastructure is proving to be very fragile, and the cost of breaches continues to grow with our reliance on information technology. At what point does our tolerance for porous software constitute an existential risk?
New York Blood Center Sends Breach Notifications
(September 5 & 9, 2025)
New York Blood Center Enterprises (NYBCe) has filed reports with US state regulators and begun sending notices to those affected by a data breach that took place between January 20 and January 26, 2025. An investigation alongside third-party cybersecurity partners determined that "an unauthorized party gained access to the NYBCe network and acquired copies of a subset of its files," with information varying by individual but including "names, Social Security numbers, driver’s license or other government identification card numbers and/or financial account information." Between June 30 and August 12, NYBCe analyzed and finalized the list of affected individuals, who number 10,557 in total, per a report to the Texas Attorney General. NYBCe began mailing notification letters on September 5, offering "one year of complimentary credit monitoring and identity theft protection services to individuals whose Social Security number or driver’s license number was involved." However, NYBCe also published a "Notice to Clinical Services Recipients" on their website on September 5, stating, "We do not collect or maintain contact information for individuals for whom we provide clinical services. As a result, we are unable to mail letters to individuals whose information may have been involved." While NYBCe's original announcement on January 29 stated that third-party experts confirmed the attack was a result of ransomware, the notification letters and current statements do not mention ransomware.
Editor's Note
[Murray]
Just opened yesterday's mail to find that I am a victim of this breach. Given my age, it is likely more than thirty years since I last donated blood. Talk about data retention! At least I am in the group that they can notify. They have not offered me credit monitoring, have advised me to freeze my credit reports (which I have long since done), but pointed out that that will make it difficult for me to get credit. They have also assured me that they will improve their security.
[Neely]
The breach impacts both donor and employee data. They have established a dedicated number for questions. I remain a fan of being proactive on ID/Credit monitoring. As much data as we have entrusted to others, who are working hard to protect it, it only takes one breach, and recovery isn’t fun.
Read more in:
- www.hipaajournal.com: New York Blood Center Enterprises Notifies Individuals Affected by January Ransomware Attack
- therecord.media: Major blood center says thousands had data leaked in January ransomware attack
- www.maine.gov: Data Breach Notifications | New York Blood Center Enterprises
- www.nybce.org: Notice to Clinical Services Recipients
- web.archive.org: NYBCe: New York Blood Center Enterprises Cybersecurity Incident Update (Published February 3, 2025, Archived August 1, 2025)
Really Simple Licensing Standard Automates Content Licensing for AI Crawlers
(September 10 & 11, 2025)
The Really Simple Licensing (RSL) Standard would allow "publishers [to] define machine-readable licensing terms for their content, including attribution, pay per crawl, and pay per inference compensation." Based on Really Simple Syndication (RSS), the open content licensing standard adds "licensing and royalty terms to their robots.txt file" to let bots know how to interact with websites. RSL has the support of "leading internet publishers and technology companies, including Reddit, Yahoo, People Inc., Internet Brands, Ziff Davis, Fastly, Quora, O’Reilly Media, and Medium."
Editor's Note
[Pescatore]
This may not be the final answer, but we really need these types of standards to be tried out to enable authors to be compensated for use of their work and for “fair use” access to be supported. The music and video industries went through it, search engines are still causing issues, and AI engines are driving new questions that need to be answered.
[Frost]
Yet another TXT file for your website. I will say that this one makes a ton of sense. We will see more machine-readable formats on websites. It is not clear, however, what impact this may have on sites. New bugs or vulnerabilities for different formats have been an issue in the past.
[Neely]
Having a standard for AI to follow is a step in the right direction. The trick will be getting AI crawlers to implement this new standard.
[Murray]
The support and authority for the standard makes it an important ground-breaking proposal.
Read more in:
- www.theverge.com: The web has a new system for making AI companies pay up
- www.theregister.com: New Really Simple Licensing spec wants AI crawlers to show a license - or a credit card
- rslstandard.org: New RSL Web Standard and Collective Rights Organization Automate Content Licensing for the AI-First Internet and enable Fair Compensation for Millions of Publishers and Creators
- rslstandard.org: RSL | Really Simple Licensing
1.5Bpps Attack Targets DDoS Scrubbing Provider
(September 1, 9, 10, & 11, 2025)
Network monitoring company FastNetMon recently detected a DDoS attack targeting the website of an unnamed western-European "DDoS scrubbing provider" with a sustained UDP flood of 1.5 billion packets per second (Bpps, or Gpps for gigapackets), stating "what makes this case remarkable is the sheer number of distributed sources and the abuse of everyday networking devices." The source of the attack was compromised customer-premises equipment such as IoT devices and MikroTik routers "spread across 11,000 unique networks worldwide," and it was mitigated by the scrubbing provider's own facility. FastNetMon's founder, Pavel Odintsov, contends, "The industry must act to implement detection logic at the ISP level to stop outgoing attacks before they scale." Rupert Goodwins, writing for The Register, argues that DDoS attacks are troublingly overlooked, and effective defenses must be infrastructural: "Until a way is found to disable the compromised nodes that generate the packets, DDoS will continue. Put simply, these nodes are broken, dangerous, and have to be detected and taken offline." Within the week preceding FastNetMon's news, Cloudflare blocked a 5.1Bpps volumetric DDoS attack, which is the highest ever recorded as of this writing.
Editor's Note
[Neely]
One thing we can do is make sure SOHO devices are patched and replaced well before they age out, including not taking the old devices and stashing them for a future “emergency.”
Education Sector Breaches Caused by Students Worry UK
(September 11, 2025)
The UK Information Commissioner's Office (ICO) has published a press release highlighting increasing risk to schools from cyberattacks carried out by students. Analysis of 215 education sector data breaches "caused by insider attacks" between January 2022 and August 2024 reveals that more than half of those incidents were caused by students. ICO Principal Cyber Specialist Heather Toomey emphasized that mitigating this poorly understood "insider threat" in education must involve intercepting students who may push cyber boundaries for casual reasons without grasping the potentially serious consequences: "It’s important that we understand the next generation’s interests and motivations in the online world to ensure children remain on the right side of the law and progress into rewarding careers in a sector in constant need of specialists." The ICO's outlook is twofold, first noting that schools must improve their cybersecurity procedures: 23% of the surveyed incidents were caused by poor data protection practices, including data being accessed without legitimate need, devices being left unattended, and students being allowed to use staff devices; 30% were caused by credentials being stolen, with "students guessing weak passwords or finding them jotted down on bits of paper." The second recommendation is to parents, encouraging conversations about online activity and the consequences of cybercrime. The ICO notes a statistic from the National Crime Agency (NCA) estimating that "one in five children aged 10 to 16 have been found to engage in illegal activity online," and links to the NCA's Cyber Choices program, which provides resources for young people, guardians, and teachers aimed at "Explaining the difference between legal and illegal cyber activity; Encouraging individuals to make informed choices in their use of technology; Increasing awareness of the Computer Misuse Act 1990; [and] Promoting positive, legal cyber opportunities."
Editor's Note
[Neely]
The attacker is in the house. School cybersecurity is much more difficult as the students already have access to the net, but they are also curious and learning, motivated by the great stress of getting good grades and promotions leading to educational goals or career advancement. Make sure that you have adequate separation from student and business systems. Consider that you may have to consider the campus network as not just untrusted but hostile, and defend accordingly.
[Murray]
This is a situation where the insider is a customer, not an employee. This situation is even worse in the US system where the relationship between students and faculty is adversarial. The current generation of students are digital natives and digital students, while their teachers, parents, and role models must appear naive to them. Such is the rate of technology innovation. What could possibly go wrong?
CMMC Compliance Rule for US Federal Defense Contractors
(September 9 & 10, 2025)
The US Department of Defense (DoD) has released the final version of a rule requiring federal contractors to comply with the Cybersecurity Maturity Model Certification (CMMC) program. The final rule, which amends the Defense Federal Acquisition Regulation Supplement, was published in the Federal Register on Wednesday, September 10; the new CMMC program will be rolled out starting November 10, 2025. All federal defense contractors, also known as the defense industrial base (DIB), will be required to comply with one of three CMMC levels, depending on the level of information they will be handling. DefenseScoop describes the three levels of compliance: "The revised framework allows contractors to self-assess their cybersecurity compliance if they are handling less sensitive FCI categorized under CMMC Level 1 or CMMC Level 2. More sensitive CUI data denoted as CMMC Level 2 will require a verification check done by a certified third-party assessor organization (C3PAO), while CUI documents considered CMMC Level 3 will require certification from the Defense Industrial Base Cybersecurity Assessment Center (DIPAC)."
Editor's Note
[Neely]
I know some of you have told me that CMMC doesn’t apply to you because reasons; this is a move to thwart those claims. Time to delve in and figure out how you meet CMMC, to include which level applies.
[Dukes]
CMMC is upon us, and the Certification Industrial Complex rejoices. The bottom line is that it’s still based off NIST 800-171, which was a DoD requirement before CMMC. Unfortunately, DoD wasn’t more of a demanding customer; all they've done is raise the cost to the DoD for goods and services.
Read more in:
- defensescoop.com: Pentagon to officially implement CMMC requirements in contracts by Nov. 10
- www.govinfosecurity.com: Pentagon Releases Long-Awaited Contractor Cybersecurity Rule
- www.theregister.com: New cybersecurity rules land for Defense Department contractors
- www.federalregister.gov: Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)
British Rail Operator LNER Discloses Customer Data Compromise
(September 10 & 11, 2025)
UK rail operator London North Eastern Railway (LNER) has disclosed a data security breach that compromised customer data, including contact information and some travel details. The incident occurred on the system of an as-yet unidentified third-party supplier. LNER says the incident has not affected ticket sales or train operations. They do caution customers to be wary "of unsolicited communications, especially those asking for personal information. If in doubt, do not respond." LNER is a "government-owned company that runs east coast services between London and Scotland."
Editor's Note
[Neely]
This is a third-party breach. The information taken, while not sensitive, is ideal for seeding phishing campaigns. This would be a good excuse to recheck your third-party security; verify rather than assume it’s where it should be, as well as making sure you are incorporating the latest trends in your anti-phishing protections and training.
[Dukes]
It seems like a weekly occurrence where a third party supplier has been compromised. Supply chain attacks are having a moment. Organizations should revisit their risk register and revalidate the cybersecurity review of suppliers. Also, do integrate guidance on unsolicited communications into your cybersecurity awareness training.
SANS Internet Storm Center StormCast Friday, September 12, 2025
DShield SIEM Update; Another SonicWall Warning; Website Keystroke Logging
https://isc.sans.edu/podcastdetail/9610
DShield SIEM Docker Updates
Guy updated the “DShield SIEM” which graphically summarizes what is happening inside your honeypot.
https://isc.sans.edu/diary
Again: SonicWall SSL VPN Compromises
The Australian Government’s Signals Directorate noted an increase in compromised SonicWall devices.
https://www.cyber.gov.au
Website Keystroke Logging
Many websites log every keystroke, not just data submitted in forms.
https://arxiv.org (PDF)
SANS Internet Storm Center StormCast Thursday, September 11, 2025
BASE64 in DNS; Google Chrome, Ivanti and Sophos Patches; Apple Memory Integrity Feature
https://isc.sans.edu/podcastdetail/9608
BASE64 Over DNS
The base64 character set exceeds what is allowable in DNS. However, some implementations will work even with these “invalid” characters.
https://isc.sans.edu/diary
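The diary's point is that standard base64 uses '+', '/' and '=' padding, none of which belong in a hostname label, yet lenient resolvers pass such names through. As an added example (not the ISC diary's own code), this Python checker flags query names containing non-hostname characters in a constructed resolver log; the log format, client IPs and domain names are all made up for the demonstration:

```python
import base64
import string

# Characters a strict resolver accepts in a hostname label: letters, digits and hyphen
# (the RFC 1035 "LDH" rule), plus underscore for service/TXT labels such as _dmarc.
LDH_CHARS = set(string.ascii_letters + string.digits + "-_")

# Standard base64 additionally uses '+', '/' and '=' padding. Any of these in a query
# name means the client relied on a lenient resolver, the behaviour the diary describes.
# Caveat: URL-safe base64 swaps in '-' and '_', so it passes this character check.


def offending_chars(qname: str) -> set:
    """Return the characters in qname that fall outside the LDH set."""
    bad = set()
    for label in qname.rstrip(".").split("."):
        bad |= set(label) - LDH_CHARS
    return bad


def try_base64(label: str):
    """Decode a label as standard base64, re-padding if needed; None if it is not base64."""
    padded = label + "=" * (-len(label) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except ValueError:
        return None


def scan_dns_log(text: str) -> list:
    """Flag query names that contain non-LDH characters.

    The log format is a constructed one: "<ts> client <ip> query <qname> <qtype>".
    Each finding is (client, qname, offending characters, decoded first label or None).
    """
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[1] != "client" or parts[3] != "query":
            continue
        client, qname = parts[2], parts[4]
        bad = offending_chars(qname)
        if not bad:
            continue
        decoded = try_base64(qname.split(".")[0])
        findings.append((client, qname, "".join(sorted(bad)), decoded))
    return findings


# Constructed sample resolver log; three of the names carry base64 in the first label.
SAMPLE_LOG = """\
2025-09-11T10:00:01Z client 10.0.0.5 query www.example.com. A
2025-09-11T10:00:02Z client 10.0.0.5 query dGhpcyBpcyBhIHRlc3Q=.exfil.example.net. TXT
2025-09-11T10:00:03Z client 10.0.0.7 query _dmarc.example.org. TXT
2025-09-11T10:00:04Z client 10.0.0.9 query c2VjcmV0Cg==.data.example.net. A
2025-09-11T10:00:05Z client 10.0.0.9 query +/8=.data.example.net. A
"""

if __name__ == "__main__":
    for client, qname, bad, decoded in scan_dns_log(SAMPLE_LOG):
        print(f"{client} {qname} non-LDH={bad!r} decoded={decoded!r}")
```

Base64 payloads that happen to contain no '+', '/' or '=' are not caught by this check; those need a separate label-length or entropy heuristic.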
Google Chrome Update
Google released an update for Google Chrome, addressing two vulnerabilities. One of the vulnerabilities is rated critical and may allow code execution.
https://chromereleases.googleblog.com
Ivanti Updates
Ivanti patched a number of vulnerabilities, several of them critical, across its product portfolio.
https://forums.ivanti.com
Sophos Patches
Sophos resolved an authentication bypass vulnerability in Sophos AP6 series wireless access point firmware (CVE-2025-10159).
https://www.sophos.com
Apple Introduces Memory Integrity Enforcement
With the new hardware promoted in yesterday’s event, Apple also introduced new memory integrity features based on this new hardware.
https://security.apple.com/blog
SANS Internet Storm Center StormCast Wednesday, September 10, 2025
Microsoft Patch Tuesday; Adobe Patches; SAP Patches
https://isc.sans.edu/podcastdetail/9606
Microsoft Patch Tuesday
As part of its September Patch Tuesday, Microsoft addressed 177 different vulnerabilities, 86 of which affect Microsoft products. None of the vulnerabilities had been exploited before today. Two of the vulnerabilities were already made public. Microsoft rates 13 of the vulnerabilities as critical.
https://isc.sans.edu/diary
Adobe Patches
Adobe released patches for nine products, including Adobe Commerce, Coldfusion, and Acrobat.
https://helpx.adobe.com/security
SAP Patches
SAP patched vulnerabilities across its product portfolio. Particularly interesting are a few critical vulnerabilities in Netweaver, one of which scored a perfect 10.0 CVSS score.
https://onapsis.com/blog