
SANS Stormcast Monday, October 27th, 2025: Bilingual Phishing; Kaitai Struct WebIDE
Hello and welcome to the Monday, October 27, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida, and this episode is brought to you by the SANS.edu graduate certificate program in Purple Team Operations.

Got two diaries this weekend. First one from Guy. Guy being French Canadian, his first language is French. He's actually seeing quite a few phishing emails coming in in French and then pretty much identical emails coming in in English. This is something that I've always wondered about a little bit: how much of the language of these phishing emails is targeted to the recipients. Of course, in particular in Canada, it's a little bit hard to tell if a particular person speaks French or doesn't speak French. But interesting that essentially the same email is being used for French as well as English. And well, I guess attackers are trying to appeal then more to speakers of French because they are often more used. I notice from Germany as well that the majority of phishing emails is in English. So whenever there is one in a person's native language, if that's not English, that of course has a somewhat higher chance of success.

And then we have a second diary this weekend from Didier. Didier recently attended the Hack.lu conference, and at the conference he saw an interesting presentation from developers of Kaitai Struct. This is a tool that is being used to analyze malware. Often it basically allows you to analyze various binary formats. Well, they now have a WebIDE available that essentially implements everything in JavaScript and allows you, without having to install any specific tool, to simply just run this Kaitai Struct tool. Looks pretty neat, and I think in particular for someone who is just occasionally doing some malware analysis, probably a real nice tool to have. Feels a little bit like CyberChef, but of course more with the focus on binary analysis, while CyberChef is really just sort of for file conversion and the like. So there is some overlap between these tools, but for reverse analysis, definitely take a look at Kaitai, the WebIDE.

And on Friday I mentioned the new vulnerability in the Windows Server Update Service, or WSUS. And this vulnerability is now, first of all, being exploited in the wild. Huntress published some data about that. Secondly, Microsoft on Friday did release a patch for this vulnerability for versions of Windows Server going back to 2019. So even Windows Server 2019 did get an update here for this. Microsoft also published an advisory going with this update with additional details about this vulnerability. The big takeaway here is, number one, it's being exploited actively; it does not require authentication; it does allow for arbitrary code execution on your update server. And with that it also then allows the compromised update server to of course push malicious updates to any client that does pull updates from this update server. So it's not just affecting this update server, it's affecting the entire network that is using this particular update server and trusting this update server for updates. So that's really the big issue here. Most of these update servers are hopefully not exposed to the Internet, but definitely this is a high priority patch that you must install today if at all possible.

And then CSO Online has a good article that summarizes something that I have been ranting about in the past, a few times actually. I think I mentioned it at one of the RSA keynotes. Couldn't find it anymore, so probably long enough ago that Google sort of lost it. But the problem here is that we see more and more attacks that actually exploit vulnerabilities in network security devices that, well, are, as the title of the article says, 90s era flaws. So very easily exploitable vulnerabilities that are being taken advantage of in devices that are supposed to actually make us more secure. One statistic that I think comes from MITRE, quoted in this article, that I think particularly tells this story is that about a third of attacks are starting out, or so the initial entry point now is, an attack against a network security device. Only half of that, like 16% I think it was, is phishing. And we spent a lot of effort on preventing and fighting phishing, probably still a good thing, and maybe the fight actually made it that it's no longer sort of your number one problem. But really discouraging that these expensive enterprise security devices are really opening us up to more problems than they may fix in some cases. Definitely something to pay attention to and yes, as always, keep those devices patched. I think every week we have a new vulnerability here. The article also lists some zero day vulnerabilities that had been exploited in these devices in the last two years.

Well, and that's it for today. So thanks again for listening and thanks for recommending it. Thanks also to everybody who attended my talk in Augusta on Saturday. If it will be available online, I'm not sure; I'll definitely note and link to it. And yeah, it's always good to run into people that reach out and let me know that they're listening, because sitting here in my office and just talking to the camera and my dog, maybe a cat sitting on the desk here, well, makes sort of... we wonder sometimes whether or not anybody's actually listening. So thanks and talk to you again tomorrow. Bye.
This episode, hosted by Johannes B. Ullrich, covers breaking topics in cybersecurity including the rise of bilingual phishing campaigns, the release of a new web-based malware analysis tool (Kaitai Struct WebIDE), an actively exploited vulnerability in WSUS (Windows Server Update Service), and concerns over long-standing vulnerabilities in security devices. The aim is to prepare listeners for the day with the most important network security events and insights.
On the effectiveness of native-language phishing:
"Whenever there is one in a person's native language, if that's not English, that of course has a somewhat higher chance of success."
(Johannes, 01:41)
On Kaitai Struct WebIDE vs. CyberChef:
"Feels a little bit like CyberChef, but of course more with the focus on binary analysis."
(Johannes, 02:46)
On the WSUS vulnerability stakes:
"It does allow for arbitrary code execution on your update server. And with that it also then allows the compromised update server to of course push malicious updates to any client that does pull updates from this update server."
(Johannes, 03:39)
On network security device flaws:
"We see more and more attacks that actually exploit vulnerabilities in network security devices that, well, are, as the title of the article says, 90s era flaws."
(Johannes, 04:21)
On shifting attack patterns:
"We spend a lot of effort on preventing and fighting phishing... maybe the fight actually made it that it's no longer sort of your number one problem."
(Johannes, 04:54)
On keeping security devices patched:
"Definitely something to pay attention to and yes, as always, keep those devices patched. I think every week we have a new vulnerability here."
(Johannes, 05:11)
| Timestamp | Topic/Section |
|-----------|---------------|
| 00:24 | Bilingual phishing reports from Canada |
| 02:05 | Kaitai Struct WebIDE for malware analysis |
| 03:11 | WSUS vulnerability: exploitation & patch |
| 04:12 | Flaws in network security devices; CSO article stats |
Johannes B. Ullrich's Monday, October 27th Stormcast succinctly spotlights bilingual phishing campaigns, the Kaitai Struct WebIDE, the actively exploited WSUS vulnerability, and 90s-era flaws in network security devices.
The episode is a clear call for vigilance, patching both enterprise infrastructure and security devices, while also highlighting useful tools and current attacker tactics.