
SANS Stormcast Friday, October 31st, 2025: Bug Bounty Headers; Exchange hardening; MOVEIt vulnerability
Hello and welcome to the Friday, October 31, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida, and this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership. This week I noticed some new HTTP request headers in our honeypot logs, and these HTTP request headers are related to bug bounty programs. There is an x-request-purpose header. The value is just "research" for this header, and then also specific headers for specific bug bounty programs like HackerOne and Bugcrowd. There are a couple of bug bounties that I was able to find that actually ask researchers to use these specific headers. As always, when you talk about request headers like this, nothing is guaranteed. It's very easy for someone, of course, to impersonate a researcher using those headers. And then, of course, there is no guarantee that researchers will actually use these headers as they're conducting scans for their bug bounty research. I assume that companies participating in these bug bounty programs try to use these headers to maybe figure out how many of the requests that they're seeing are related to bug bounties, and at least to be able to notify researchers that are well behaved, that are actually using the correct headers, in case something is going wrong here, in case there's, like, a denial of service or something like this, so they can reach out to the researcher and ask them maybe to stop their scans or throttle them as necessary. Interesting curiosity here. I think the value of it is overall limited and certainly nothing that should be used to filter or not filter certain requests. And Proton, the company behind the Proton email service as well as the Proton VPN, has now come up with an interesting new project, and that's the Data Breach Observatory.
The goal of this Data Breach Observatory is to shed light on breaches that may not have been reported to the public, or where the breached entity is actually even unaware themselves that they got breached. They have the initial website up here, and so far they have about 800 breaches listed. They say the top businesses that they're seeing exposed here are retail in particular, but then also small and medium-sized businesses, which I believe are common targets. And of course, in particular small and medium-sized businesses may either not have the capability to actually detect the attack and a breach, or they may feel like they can sort of slip underneath the radar. In the past, sadly, I've often observed that actually the best thing a company can do is not to talk about the breach, because then the news won't pick up on it, typically in particular for smaller companies like this, and the breach will overall go unnoticed without too much impact on the company itself. So, interesting approach here. They're claiming they're looking at various dark web sources in order to compile that data. We'll have to see how it all works out. And I hope they at the very least are notifying and contacting any organizations that they find breached here. And government cybersecurity agencies from the US, Canada and Australia have collaborated on a pretty neat document, Microsoft Exchange Server Security Best Practices. The document is not very much in depth; it sort of just covers different topics that you should consider as you are configuring and maintaining Exchange. But the real value I find in this document is the long list of references that then leads you to additional guidelines on how to accomplish some of the suggested things, like configuring authentication correctly, enabling Kerberos, and doing all the other good things with a Microsoft Exchange server. It has been a huge target in the past, of course.
One of the items on the list here is also: make sure that you're not using an end-of-life version of Microsoft Exchange, which of course we just had the issue where 2019 and such did become end of life with the last Microsoft Patch Tuesday. And then we have a new patch for users of MOVEit Transfer. The reason I mention it today is that this is probably something that you may want to get a handle on before the weekend. MOVEit has been the target of compromise in the past and has been used to compromise networks for ransomware and the like. There is very little detail about this vulnerability. It just says it's an uncontrolled resource consumption vulnerability. It does imply that it's possible to execute arbitrary code with this vulnerability. It's likely sort of one of those web shell style vulnerabilities where you can upload a web shell and execute it. Hard to tell whether or not it does require authentication. They did assign it a CVSS score of 8.2, which is high. It's not critical. Still something that you probably want to get and follow here: Progress's guidance on how to address this vulnerability. Well, and that's it for today. So thanks again for listening. Thanks for liking and subscribing to this podcast, and as always, talk to you again on Monday. Bye.
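As an added example (not code from the episode or from the Internet Storm Center), here is how a site participating in a bug bounty program might tally self-declared researcher traffic from honeypot or web-server logs for reporting and outreach, without ever using the headers to filter requests. The x-request-purpose: research header is the one named in the episode; the HackerOne and Bugcrowd header names, the JSON-lines log layout and the sample records are assumptions constructed for illustration.

```python
import json
from collections import Counter, defaultdict

# Header named in the episode (value "research"). The program-specific header
# names below are assumptions for illustration; the episode does not give them.
PURPOSE_HEADER = "x-request-purpose"
PROGRAM_HEADERS = {"x-hackerone-research": "hackerone",   # assumed name
                   "x-bugcrowd-ninja": "bugcrowd"}        # assumed name

def classify_request(headers):
    """Tag self-declared bug-bounty traffic, or return None.

    For accounting and outreach only: anyone can set these headers, so the
    result must never feed an allow/deny decision."""
    lower = {k.lower(): v for k, v in headers.items()}
    for name, program in PROGRAM_HEADERS.items():
        if name in lower:
            return {"program": program, "researcher": lower[name].strip()}
    if lower.get(PURPOSE_HEADER, "").strip().lower() == "research":
        return {"program": "unspecified", "researcher": None}
    return None

def tally_research_traffic(log_lines):
    """Count self-declared research requests per program in JSON-lines
    honeypot records, keeping source IPs per researcher handle so an operator
    can contact a researcher whose scan misbehaves (e.g. causes a DoS)."""
    counts, contacts, total = Counter(), defaultdict(set), 0
    for line in log_lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        total += 1
        tag = classify_request(rec.get("headers", {}))
        if tag is None:
            continue
        counts[tag["program"]] += 1
        contacts[tag["researcher"] or "(no handle)"].add(rec["src_ip"])
    return {"total": total, "by_program": dict(counts),
            "contacts": {k: sorted(v) for k, v in contacts.items()}}

# Constructed sample records (not real honeypot data); RFC 5737 test addresses.
SAMPLE_LOG = """
{"src_ip": "192.0.2.10", "path": "/", "headers": {"X-Request-Purpose": "research"}}
{"src_ip": "192.0.2.11", "path": "/admin", "headers": {"X-HackerOne-Research": "alice"}}
{"src_ip": "192.0.2.12", "path": "/admin", "headers": {"x-hackerone-research": "alice"}}
{"src_ip": "198.51.100.5", "path": "/login", "headers": {"User-Agent": "curl/8.0"}}
{"src_ip": "203.0.113.7", "path": "/robots.txt", "headers": {"X-Bugcrowd-Ninja": "bob"}}
"""
```

Running `tally_research_traffic(SAMPLE_LOG.splitlines())` reports 4 of 5 requests as self-declared research and lists the source addresses per handle for outreach.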
Date: Friday, October 31, 2025
Host: Johannes B. Ullrich
Episode Focus: Bug Bounty Headers, Exchange Server Hardening, New MOVEit Vulnerability, and Proton’s Data Breach Observatory
In this concise daily roundup, Johannes B. Ullrich reviews significant security news and developments, focusing today on new HTTP headers connected to bug bounty traffic, the launch of Proton’s Data Breach Observatory, recent guidance for hardening Microsoft Exchange, and a fresh MOVEit vulnerability that admins should address promptly.
New bug bounty request headers seen in honeypot logs: an x-request-purpose: research header, and headers unique to programs like HackerOne and Bugcrowd.
"Nothing is guaranteed. It's very easy for someone, of course, to impersonate a researcher using those headers."
— Johannes B. Ullrich [00:44]
"In the past, sadly, I've often observed that actually the best thing a company can do is not to talk about the breach, because then the news won't pick up on it..."
— Johannes B. Ullrich [02:16]
"It sort of just covers different topics that you should consider as you are configuring and maintaining Exchange. But the real value I find in this document is the long list of references..."
— Johannes B. Ullrich [03:16]
On Bug Bounty Headers:
"I think the value of it is overall limited and certainly nothing that should be used to filter or not filter certain requests."
— Johannes B. Ullrich [01:20]
On Small Business Breach Reporting:
"They may feel like they can sort of slip underneath the radar...the best thing a company can do is not to talk about the breach, because then the news won't pick up on it typically, in particular for smaller companies like this."
— Johannes B. Ullrich [02:18]
On MOVEit urgency:
"MoveIt has been the target of compromise in the past and has been used to compromise networks for ransomware and the like."
— Johannes B. Ullrich [04:09]
Johannes delivers his insights with a pragmatic, occasionally skeptical tone, emphasizing the nuances and limitations of each security measure discussed. His advice is straightforward and actionable, aimed at helping security professionals prioritize their responses to the week’s most pressing threats.