SANS Stormcast Summary – Monday, November 3rd, 2025
Episode Overview
In this episode, host Johannes B. Ullrich provides a concise but information-dense update on three major topics in cybersecurity: an uptick in scans targeting Microsoft Windows Server Update Services (WSUS) ports following a recent vulnerability disclosure, details on the "BADCANDY" webshell implant affecting Cisco IOS XE devices, and recent malicious extension activity (plus improved security response) on the Open VSX extension marketplace. The content is designed to quickly get security professionals current on critical threats and defensive practices.
Key Discussion Points & Insights
1. Spike in Port 8530/8531 Scans After Microsoft WSUS Vulnerability
- Background: Microsoft released an emergency update last week for WSUS to fix a remote code execution vulnerability that had already been exploited in the wild.
- Increased Scanning Activity:
- Evidence: Significant increase in Internet-wide scans against port 8530 (WSUS over plain HTTP) and port 8531 (WSUS over HTTPS/TLS).
- "For the 8530 scan rates went up from about 800 or so a day all the way up to in excess of 3,500 and similar numbers for 8531, a little bit lower here. Only about 3,000 accounts here per day for 8531..." (Johannes, 01:16)
- Reason: The vulnerability and technical details are now public, leading both researchers and threat actors to search for exposed servers.
- Actor Highlight: The non-profit Shadowserver Foundation is actively scanning for exposed WSUS servers and notifying their owners.
- Advice:
- Treat any exposed WSUS server as already discovered and potentially vulnerable.
- Take notifications about exposed services from researchers like Shadow Server seriously.
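As an added example (not code from the episode, SANS ISC or Microsoft), the following Python self-check tests from an outside vantage point whether a host answers on the two WSUS ports and whether the WSUS client web service path responds there. The probe path `/ClientWebService/client.asmx` and the "ClientWebService appears in a 200 response" heuristic are assumptions about a default WSUS installation, not facts stated in the episode; everything else is standard library.

```python
import http.client
import socket
import ssl

# WSUS defaults: 8530 is plain HTTP, 8531 is HTTPS.
WSUS_PORTS = {8530: False, 8531: True}          # port -> uses TLS?
# Path that Windows Update clients talk to on a WSUS server (assumed default layout).
WSUS_PROBE_PATH = "/ClientWebService/client.asmx"


def tcp_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify_body(status, body):
    """Heuristic (assumption): a live ASMX service page answers 200 and
    names the service class somewhere in its HTML."""
    return status == 200 and "ClientWebService" in body


def http_fingerprint(host, port, use_tls, timeout=3.0):
    """GET the client web service path; returns (http_status, looks_like_wsus)."""
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE      # WSUS frequently runs on a self-signed cert
            conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", WSUS_PROBE_PATH)
        resp = conn.getresponse()
        body = resp.read(8192).decode("utf-8", "replace")
        conn.close()
        return resp.status, classify_body(resp.status, body)
    except (OSError, http.client.HTTPException):
        return None, False


def probe_wsus(host, timeout=2.0):
    """Per-port exposure report for one host: open?, HTTP status, WSUS fingerprint?"""
    report = {}
    for port, use_tls in WSUS_PORTS.items():
        entry = {"open": tcp_open(host, port, timeout), "status": None, "wsus": False}
        if entry["open"]:
            entry["status"], entry["wsus"] = http_fingerprint(host, port, use_tls, timeout)
        report[port] = entry
    return report


def verdict(report):
    """Apply the episode's advice: anything reachable is already discovered."""
    exposed = [p for p, e in report.items() if e["open"]]
    if not exposed:
        return "no WSUS ports reachable from this vantage point"
    tag = "confirmed WSUS" if any(report[p]["wsus"] for p in exposed) else "unfingerprinted service"
    return f"ports {exposed} reachable ({tag}): treat as discovered, patch, and remove Internet exposure"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = probe_wsus(target)
    for port, entry in sorted(result.items()):
        print(port, entry)
    print(verdict(result))
```

Run it from a host outside your perimeter (`python3 wsus_probe.py wsus.example.org`); a closed port from the inside proves nothing about Internet exposure, which is the view Shadowserver's scanners have.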
2. BADCANDY Implant Targeting Cisco IOS XE via Unpatched CVE-2023-20198
- Summary: The Australian Signals Directorate (ASD) warns that the "BADCANDY" implant is being actively deployed to Cisco IOS XE devices that are still vulnerable to a two-year-old web UI flaw (CVE-2023-20198).
- Continued Exploitation:
- "This particular vulnerability has also priorly been exploited by for example Volt Typhoon that took over a number of telecom providers." (Johannes, 02:00)
- Despite being a high-profile, well-known bug, many devices remain unpatched.
- Host’s Strong Recommendation:
- "Having them not patched now for two years, well, it's probably not really excusable at this point. And if you are finding devices that are not patched for that amount of time, well then by all means consider them compromised." (Johannes, 02:19)
- The vulnerability continues to be a target for advanced threat actors.
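An added example, not code from the episode, ASD or Cisco: a Python audit of `show running-config` text that reports whether the IOS XE web UI is enabled over HTTP and/or HTTPS and whether an `ip http access-class` restriction limits who can reach it, and emits the standard Cisco mitigation lines (`no ip http server`, `no ip http secure-server`). The sample configuration is constructed. Disabling the web UI removes the attack surface going forward; it does not replace the forensic triage the host asks for on a device left unpatched this long, which the episode says to treat as compromised.

```python
# Constructed sample of `show running-config` output from a device with the
# web UI enabled on both HTTP and HTTPS and no access-class restriction.
SAMPLE_RUNNING_CONFIG = """\
version 17.3
hostname edge-rtr-1
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
!
end
"""


def audit_webui(config_text):
    """Report web UI exposure from IOS XE running-config text."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    version = next((ln.split(None, 1)[1] for ln in lines if ln.startswith("version ")), None)
    http_on = "ip http server" in lines            # exact global command, not a prefix match
    https_on = "ip http secure-server" in lines
    access_class = any(ln.startswith("ip http access-class ") for ln in lines)
    findings = []
    if http_on:
        findings.append("web UI reachable over HTTP (ip http server)")
    if https_on:
        findings.append("web UI reachable over HTTPS (ip http secure-server)")
    if (http_on or https_on) and not access_class:
        findings.append("no 'ip http access-class' restriction: web UI answers to any source")
    return {"version": version, "http": http_on, "https": https_on,
            "access_class": access_class, "findings": findings}


def remediation(audit):
    """Config lines that remove the web UI attack surface; empty if nothing to do."""
    cmds = []
    if audit["http"]:
        cmds.append("no ip http server")
    if audit["https"]:
        cmds.append("no ip http secure-server")
    return cmds


if __name__ == "__main__":
    result = audit_webui(SAMPLE_RUNNING_CONFIG)
    print("IOS XE version:", result["version"])
    for f in result["findings"]:
        print("finding:", f)
    for cmd in remediation(result):
        print("apply:", cmd)
```

Feed it the saved output of `show running-config` from each device (`python3 ioxe_webui_audit.py < running-config.txt` after swapping the sample for `sys.stdin.read()`); the reported `version` is what you compare against Cisco's fixed-release list for CVE-2023-20198, which this example does not embed.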
3. Malicious Extensions & Security Upgrades on Open VSX
- Incident: Malicious extensions were published to Open VSX (the extension registry used by VS Code-derived editors), some of them popular among developers working with AI coding tools.
- Technique: Malicious code was hidden using Unicode characters that render as whitespace, making it invisible even to a developer reading the source. Later variants also used concealed dependencies.
- "The problem with these extensions was that they included malicious code that was actually encoded using Unicode characters that were rendered as a white space. So as a developer, if you even would have bothered to review those extensions, you would have only seen sort of empty lines instead of actual malicious code." (Johannes, 03:00)
- Response by Open VSX:
- Reduced Token Lifetime Limits: Shorter lifespans for access tokens.
- "That's of course obviously a little bit controversial because how short you have to make them to actually matter." (Johannes, 03:34)
- Easier Token Revocation: Allow developers to more swiftly revoke tokens if compromised.
- Publication Security Scanning: Improved detection of Unicode obfuscation techniques at extension submission time.
- "...it should be relatively straightforward to identify them automatically. So that would be a nice touch here if some of these extensions would be scanned before they actually end up in the extension store." (Johannes, 03:54)
- Community Collaboration: Open VSX encourages broader cooperation to detect and respond to malicious activity.
- Impact Note: The actual scope of compromise is hard to measure and possibly "somewhat exaggerated."
- "How many people actually not just downloaded these extensions, but actually used those extensions and were then affected by the malicious code embedded? That's of course always subject to debate..." (Johannes, 04:28)
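The host's point that invisible-character obfuscation "should be relatively straightforward to identify automatically" is easy to demonstrate. The Python scanner below is an added example, not code from the episode or from Open VSX: it flags every non-ASCII code point that renders as nothing or as a blank (Unicode format characters, non-ASCII spaces, line and paragraph separators, variation selectors, tag characters, Hangul fillers), and it decodes one specific smuggling scheme, ASCII hidden in Unicode tag characters U+E0020 to U+E007E. That scheme is one known encoding, not a claim about which encoding the Open VSX extensions used. The sample extension source is constructed.

```python
import unicodedata

# Code point ranges that are invisible or render blank in common editors
# but are not caught by general category alone.
INVISIBLE_RANGES = [
    (0xFE00, 0xFE0F),    # variation selectors (category Mn)
    (0xE0100, 0xE01EF),  # variation selectors supplement (Mn)
    (0xE0000, 0xE007F),  # tag characters (Cf; listed here for completeness)
    (0x115F, 0x1160),    # Hangul choseong/jungseong fillers (Lo)
    (0x3164, 0x3164),    # Hangul filler (Lo)
    (0xFFA0, 0xFFA0),    # halfwidth Hangul filler (Lo)
]


def is_invisible(cp):
    """True for non-ASCII code points that render as nothing or as a blank."""
    if cp < 0x80:
        return False                      # ASCII, including tab, space, CR, LF
    cat = unicodedata.category(chr(cp))
    if cat in ("Cf", "Zs", "Zl", "Zp"):   # format chars, exotic spaces, line/para separators
        return True
    return any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)


def scan_source(text):
    """Return (line, column, 'U+XXXX', name) for every invisible code point."""
    findings = []
    # split("\n") rather than splitlines(): keeps U+2028/U+2029 inside the line so they get reported
    for lineno, line in enumerate(text.split("\n"), 1):
        for col, ch in enumerate(line, 1):
            cp = ord(ch)
            if is_invisible(cp):
                findings.append((lineno, col, f"U+{cp:04X}", unicodedata.name(ch, "<unnamed>")))
    return findings


def recover_tag_ascii(text):
    """Decode one known smuggling scheme: tag characters U+E0020..U+E007E mirror
    printable ASCII, so subtracting 0xE0000 yields the hidden text."""
    return "".join(chr(ord(ch) - 0xE0000) for ch in text if 0xE0020 <= ord(ch) <= 0xE007E)


def encode_tag_ascii(s):
    """Inverse of recover_tag_ascii; used only to build the constructed sample."""
    return "".join(chr(0xE0000 + ord(c)) for c in s)


# Constructed sample extension source (not a real extension): line 4 looks empty
# in an editor but carries a payload; line 5 ends with a stray zero-width space.
HIDDEN = "require('child_process').exec(cmd)"
SAMPLE_EXTENSION_JS = (
    "const vscode = require('vscode');\n"
    "function activate(context) {\n"
    "    // nothing to see here\n"
    "    " + encode_tag_ascii(HIDDEN) + "\n"
    "    console.log('ready');\u200b\n"
    "}\n"
)

if __name__ == "__main__":
    for line, col, cp, name in scan_source(SAMPLE_EXTENSION_JS):
        print(f"line {line} col {col}: {cp} {name}")
    print("recovered:", recover_tag_ascii(SAMPLE_EXTENSION_JS))
```

Letters, digits and CJK text in comments pass untouched, so the scanner can run over every file in a submitted extension archive and block or hold the upload on any hit; a legitimate extension has no reason to ship variation selectors or tag characters outside of string literals, and those rare cases are cheap to review by hand.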
Notable Quotes & Memorable Moments
- On the importance of patching:
"Having them not patched now for two years, well, it's probably not really excusable at this point. And if you are finding devices that are not patched for that amount of time, well then by all means consider them compromised."
— Johannes B. Ullrich, [02:19]
- On the opacity of the malicious Open VSX extensions:
"...included malicious code that was actually encoded using Unicode characters that were rendered as a white space. So as a developer, if you even would have bothered to review those extensions, you would have only seen sort of empty lines instead of actual malicious code."
— Johannes B. Ullrich, [03:00]
- On the controversy of token expiration policies:
"That's of course obviously a little bit controversial because how short you have to make them to actually matter."
— Johannes B. Ullrich, [03:34]
Important Timestamps
- 00:04: Episode introduction and sponsorship
- 01:16: Surge in port 8530/8531 scanning traffic
- 01:56: Shadow Server and researcher notification efforts
- 02:00: BADCANDY/Cisco IOS XE vulnerability background and Volt Typhoon reference
- 02:19: Host’s admonition on patching responsibility
- 03:00: Details of malicious Unicode-based extensions in Open VSX
- 03:34: Discussion of token policy updates and security improvements
- 03:54: Improved publication security and community collaboration
- 04:28: Scale of the malicious extension incident
Summary
Johannes B. Ullrich's Monday briefing stresses how quickly scanning and exploitation follow a public vulnerability disclosure (Microsoft WSUS), warns that infrastructure left unpatched for years (Cisco IOS XE) should be treated as already compromised, and outlines the lessons and upcoming changes following a sophisticated attack on the Open VSX extension store. Highlights include actionable advice for defenders, insight into attacker techniques (such as Unicode whitespace obfuscation), and a practical look at how the community and registry maintainers are evolving to address emerging supply chain risks.
