SANS Stormcast – Monday, October 27, 2025: Bilingual Phishing; Kaitai Struct WebIDE
Main Theme & Purpose
This episode, hosted by Johannes B. Ullrich, covers breaking topics in cybersecurity including the rise of bilingual phishing campaigns, the release of a new web-based malware analysis tool (Kaitai Struct WebIDE), an actively exploited vulnerability in WSUS (Windows Server Update Service), and concerns over long-standing vulnerabilities in security devices. The aim is to prepare listeners for the day with the most important network security events and insights.
Key Discussion Points & Insights
1. Bilingual Phishing Attacks (00:24–02:04)
- Observation: From listener Guy, a French Canadian:
  - Guy reports increased phishing emails arriving in both French and English, sometimes as near-identical copies.
  - Importance: Highlights that attackers are targeting users in their native languages, not just English.
- Johannes's Insights:
  - In multilingual regions (e.g., Canada), knowing the recipient's language can be tricky, so attackers hedge by using both major languages.
  - Even in Germany, most phishing arrives in English, but native-language phishing generally has a "somewhat higher chance of success."
- Quote: "Whenever there is one in a person's native language, if that's not English, that of course has a somewhat higher chance of success." (Johannes, 01:41)
2. Kaitai Struct WebIDE for Malware Analysis (02:05–03:10)
- Diary from Didier: Recently attended the Hack.lu conference, where he saw a demo of Kaitai Struct's new WebIDE.
- What is Kaitai Struct WebIDE?
  - A browser-based, JavaScript-implemented tool for analyzing binary formats, useful in malware analysis.
  - No installation required; easy access for occasional malware analysts.
- Comparison to CyberChef:
  - Similar in accessibility and flexibility, but with a stronger focus on binary structure analysis rather than file conversions.
- Quote: "Feels a little bit like CyberChef, but of course more with the focus on binary analysis." (Johannes, 02:46)
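To make concrete what the WebIDE works with, here is an added example written for this summary (it is not code from the episode, from Didier's diary, or from the Kaitai Struct project): a Kaitai Struct `.ksy` definition for a constructed, hypothetical tag-length-value container. Loaded into the WebIDE next to a matching sample file, a definition like this lets the analyst see every parsed field highlighted on the hex dump instead of decoding offsets by hand. The format, the field and enum names, and the sample bytes below are all invented for illustration.

```yaml
# Constructed example: a small TLV container, not a real file or malware format.
meta:
  id: tlv_blob
  title: Example TLV container for a Kaitai Struct WebIDE walkthrough
  endian: le                      # all multi-byte integers are little-endian
seq:
  - id: magic
    contents: [0x54, 0x4c, 0x56, 0x00]   # fixed "TLV\0" signature; parse fails if absent
  - id: version
    type: u2
  - id: num_entries
    type: u2
  - id: entries
    type: entry
    repeat: expr
    repeat-expr: num_entries      # exactly num_entries records follow
types:
  entry:
    seq:
      - id: tag
        type: u1
        enum: tag_kind            # shown by name in the WebIDE tree
      - id: len
        type: u2
      - id: body
        size: len                 # body is parsed in a sub-stream of exactly len bytes
        type:
          switch-on: tag
          cases:
            'tag_kind::text': text_body
            _: raw_body           # unknown tags fall back to opaque bytes
  text_body:
    seq:
      - id: value
        type: str
        size-eos: true            # consume the whole sub-stream
        encoding: ASCII
  raw_body:
    seq:
      - id: value
        size-eos: true
enums:
  tag_kind:
    1: text
    2: blob
```

A constructed sample that this definition parses, as hex: `54 4c 56 00 01 00 02 00 01 05 00 68 65 6c 6c 6f 02 02 00 de ad`. It decodes as magic `TLV\0`, version 1, two entries: a `text` entry of length 5 containing `hello`, and a `blob` entry of length 2 holding the raw bytes `de ad`. The `contents` check on the magic and the `size: len` sub-stream are the parts that matter in practice: a truncated or tampered file fails at a specific field, which is what you want to see when triaging an unfamiliar binary.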
3. Active Exploitation of WSUS Vulnerability and Emergency Patch (03:11–04:11)
- Update: The recently disclosed vulnerability in the Windows Server Update Service (WSUS) is now being exploited in the wild (reported by Huntress).
- Microsoft has released a patch:
  - Even Windows Server 2019 received an update for this (released on Friday).
  - Microsoft's advisory contains further details.
- Impact:
  - The vulnerability does not require authentication.
  - Allows arbitrary code execution on update servers.
  - Compromised WSUS servers could distribute malicious updates to all connected clients, expanding the risk to the entire enterprise network.
- Quote: "It does allow for arbitrary code execution on your update server. And with that it also then allows the compromised update server to of course push malicious updates to any client that does pull updates from this update server." (Johannes, 03:39)
- Recommendation:
  - Immediate patching is strongly advised.
  - Most WSUS servers aren't internet-exposed, but this is still high priority.
4. Concerns Over Old Flaws in Network Security Devices (04:12–05:23)
- CSO Online Article Recap: Reflects on recurring vulnerabilities in devices supposedly securing networks (e.g., firewalls, VPNs).
- "90s Era Flaws":
  - Attackers are exploiting old and often simple vulnerabilities.
- Quote: "We see more and more attacks that actually exploit vulnerabilities in network security devices that, well, are, as the title of the article says, 90s era flaws." (Johannes, 04:21)
- Statistics Cited (from MITRE, via CSO Online):
  - About 1/3 of attacks begin with an attack on a network security device.
  - Only ~16% (about half that number) start via phishing.
- Quote: "We spend a lot of effort on preventing and fighting phishing... maybe the fight actually made it that it's no longer sort of your number one problem." (Johannes, 04:54)
- Takeaway:
  - Enterprise security devices can introduce new risks if not maintained.
  - Need constant vigilance and patching: "Definitely something to pay attention to and yes, as always, keep those devices patched. I think every week we have a new vulnerability here." (Johannes, 05:11)
Notable Quotes & Memorable Moments
- On the effectiveness of native-language phishing: "Whenever there is one in a person's native language, if that's not English, that of course has a somewhat higher chance of success." (Johannes, 01:41)
- On Kaitai Struct WebIDE vs. CyberChef: "Feels a little bit like CyberChef, but of course more with the focus on binary analysis." (Johannes, 02:46)
- On the WSUS vulnerability stakes: "It does allow for arbitrary code execution on your update server. And with that it also then allows the compromised update server to of course push malicious updates to any client that does pull updates from this update server." (Johannes, 03:39)
- On network security device flaws: "We see more and more attacks that actually exploit vulnerabilities in network security devices that, well, are, as the title of the article says, 90s era flaws." (Johannes, 04:21)
- On shifting attack patterns: "We spend a lot of effort on preventing and fighting phishing... maybe the fight actually made it that it's no longer sort of your number one problem." (Johannes, 04:54)
Timestamps for Important Segments
| Timestamp | Topic/Section |
|-----------|---------------|
| 00:24 | Bilingual phishing reports from Canada |
| 02:05 | Kaitai Struct WebIDE for malware analysis |
| 03:11 | WSUS vulnerability: exploitation & patch |
| 04:12 | Flaws in network security devices; CSO Online article stats |
Summary
Johannes B. Ullrich's Monday, October 27th Stormcast succinctly spotlights:
- The evolving sophistication of phishing, now routinely targeting users in their native tongues
- New, accessible tools for binary analysis like Kaitai Struct WebIDE
- A critical Windows Server Update Service exploit requiring immediate attention
- The ongoing risk from unpatched, vulnerable security devices, which are now a major entry point for attackers—often through surprisingly old, “90s era” vulnerabilities
The episode is a clear call for vigilance—patching both enterprise infrastructure and security devices—while also highlighting useful tools and current attacker tactics.
