
SANS Stormcast Monday, November 3rd, 2025: Port 8530/8531 Scans; BADCANDY Webshells; Open VSX Security Improvements
Hello and welcome to the Monday, November 3, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida, and this episode is brought to you by the SANS.edu Undergraduate Certificate Program in Cybersecurity Fundamentals.

It was just about a week ago that we got from Microsoft the emergency update for the Windows Server Update Service. This update fixed an already, at the time, exploited vulnerability that can lead to remote code execution. Well, since the vulnerability has now been made public, and also additional details about the vulnerability have been made public, we have seen in our sensors an increase in scans for ports 8530 and 8531, which are the two ports that are associated with WSUS. The first one is just plain TCP. The second one is then also TCP, but with TLS. For 8530, scan rates went up from about 800 or so a day all the way up to in excess of 3,500, and similar numbers for 8531, a little bit lower here, only about 3,000 scans per day for 8531, which is probably just because it's a little bit slower to scan TLS if you actually want to go through the TLS handshake. So assume that if you have exposed the WSUS server, it has been found by now. Now many of these scans are being done by researchers. I saw Shadowserver, for example, in our data doing some of these scans. Shadowserver will attempt to notify entities of exposed servers. So please take those notifications seriously.

The Australian Signals Directorate has published an advisory noting that an implant that they're calling BADCANDY is being deployed to Cisco IOS XE devices that are still vulnerable to CVE-2023-20198. So this is a 2023 vulnerability. Apparently it's still not patched. This particular vulnerability has also previously been exploited by, for example, Volt Typhoon, that took over a number of telecom providers. So definitely, you know, make sure your Cisco devices are up to date. And having them not patched now for two years, well, it's probably not really excusable at this point. And if you are finding devices that are not patched for that amount of time, well then by all means consider them compromised. Again, this vulnerability has been used by a number of high profile threat actors, and of course details about the vulnerability and exploitation of it have been disseminated ever since.

In the last few weeks, we had a couple of incidents where malicious extensions were published to the Open VSX store. This is the extension store where you can download extensions for Visual Studio Code-derived editors, like some of them that are popular, for example, sort of in the AI coding community. The problem with these extensions was that they included malicious code that was actually encoded using Unicode characters that were rendered as white space. So as a developer, if you even would have bothered to review those extensions, you would have only seen sort of empty lines instead of actual malicious code. There was later also a variant that used this for dependencies in order to hide exactly what dependencies are being loaded in code. But the reason this particular worm was also referred to as GlassWorm was that part of it was invisible. Well, Open VSX now responded to this incident and did share a couple of things that they're going to do to actually improve their registry. One is pretty straightforward: reduce the token lifetime limits. That's of course obviously a little bit controversial because of how short you have to make them to actually matter. Then also make it easier to revoke tokens. That is important if the developer realizes tokens were stolen, that they can more easily cut off access with those tokens. And I think probably most important here is the third point, that they will improve the security scanning at publication. In particular, with these Unicode exploits and such, it should be relatively straightforward to identify them automatically. So that would be a nice touch here if some of these extensions would be scanned before they actually end up in the extension store. Yeah, and then they just ask for overall collaboration here in order to basically better identify these malicious extensions. They also state that the actual scale of the compromise may be somewhat exaggerated. That's of course always a big question: how many people actually not just downloaded these extensions, but actually used those extensions and were then affected by the malicious code embedded? That's of course always subject to debate, but ultimately really nice that they're reacting to it and that they're suggesting some reasonable ways to improve the security of these extensions.

Well, and this is it for today. So thanks for listening, thanks for liking and recommending this podcast, and talk to you again tomorrow. Bye.
In this episode, host Johannes B. Ullrich provides a concise but information-dense update on three major topics in cybersecurity: an uptick in scans targeting Microsoft Windows Server Update Services (WSUS) ports following a recent vulnerability disclosure, details on the "BADCANDY" webshell implant affecting Cisco IOS XE devices, and recent malicious extension activity (plus improved security response) on the Open VSX extension marketplace. The content is designed to quickly get security professionals current on critical threats and defensive practices.
On the importance of patching:
"Having them not patched now for two years, well, it's probably not really excusable at this point. And if you are finding devices that are not patched for that amount of time, well then by all means consider them compromised."
— Johannes B. Ullrich, [02:19]
On the opacity of the malicious VSX extensions:
"...included malicious code that was actually encoded using Unicode characters that were rendered as a white space. So as a developer, if you even would have bothered to review those extensions, you would have only seen sort of empty lines instead of actual malicious code."
— Johannes B. Ullrich, [03:00]
On the controversy of token expiration policies:
"That's of course obviously a little bit controversial because how short you have to make them to actually matter."
— Johannes B. Ullrich, [03:34]
Johannes B. Ullrich’s Monday briefing stresses the rapid pace of exploit attempts following public vulnerability disclosures (in both Microsoft WSUS and Cisco IOS XE), warns about the seriousness of leaving infrastructure unpatched, and outlines lessons and upcoming changes following a sophisticated attack on the Open VSX extension store. Highlights include actionable advice for defenders, insight into attacker techniques (like Unicode whitespace obfuscation), and a practical look at how the community and registry maintainers are evolving to address emerging supply chain risks.
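The episode notes that extension source hidden behind Unicode characters that render as blank lines should be easy to flag automatically at publication time. The following is an added example of such a pre-publication check, written for this page and not code from Open VSX, the Internet Storm Center, or any registry scanner. It walks a source file character by character and reports lines that contain invisible code points: Unicode format characters (category Cf, which covers zero-width spaces, word joiners, the BOM and the tag block), non-ASCII separators (Zs, Zl, Zp) and variation selectors, which are combining marks that draw nothing on their own. The sample source at the bottom is constructed for the demo; the exact code points a real extension used are not taken from the page.

```python
import unicodedata

# Plain ASCII whitespace is expected in source and never flagged.
ASCII_WHITESPACE = {" ", "\t", "\n", "\r"}

# General categories whose members render as nothing or as ordinary blank
# space: format characters (Cf) and the three separator categories.
INVISIBLE_CATEGORIES = {"Cf", "Zs", "Zl", "Zp"}


def is_invisible(ch):
    """True if the character can hide in source without leaving a visible mark."""
    if ch in ASCII_WHITESPACE:
        return False
    if unicodedata.category(ch) in INVISIBLE_CATEGORIES:
        return True
    cp = ord(ch)
    # Variation selectors are category Mn (nonspacing mark) but are invisible
    # on their own, so they are caught explicitly rather than by category.
    return 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF


def scan_source(text):
    """Return one finding per line that carries invisible code points.

    Each finding records the line number, how many hidden characters it holds,
    the distinct code points seen, and whether the line would look completely
    blank to a reviewer once the hidden characters are ignored.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hidden = [ch for ch in line if is_invisible(ch)]
        if not hidden:
            continue
        visible = "".join(ch for ch in line if not is_invisible(ch)).strip()
        findings.append({
            "line": lineno,
            "count": len(hidden),
            "codepoints": sorted({f"U+{ord(ch):04X}" for ch in hidden}),
            "looks_blank": visible == "",
        })
    return findings


def should_block_publication(text):
    """Policy hook: any line that is blank to the eye but not to the parser blocks the upload."""
    return any(f["looks_blank"] for f in scan_source(text))


# Constructed sample: a small JavaScript file where line 2 is nothing but
# zero-width characters (U+200B/U+200C/U+200D/U+2060) and line 4 has Unicode
# tag characters (U+E0073, U+E0068) appended to an innocuous comment.
SAMPLE_SOURCE = (
    "const version = '1.0.3';\n"
    + "\u200b\u200c\u200d\u2060" * 3 + "\n"
    + "module.exports = { version };\n"
    + "// build ok\U000E0073\U000E0068\n"
)


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        flag = "BLANK-LOOKING" if finding["looks_blank"] else "mixed"
        print(f"line {finding['line']}: {finding['count']} hidden chars "
              f"{finding['codepoints']} [{flag}]")
    print("block publication:", should_block_publication(SAMPLE_SOURCE))
```

The check is deliberately strict: a legitimate extension has little reason to ship lines made only of format characters, so a blank-looking line with hidden code points is treated as a hard stop, while mixed lines (a comment with a trailing tag sequence, a no-break space in a string) are reported for review rather than rejected outright. Running this over every file in the package before it is accepted would have surfaced the empty-looking lines the episode describes.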