SANS Stormcast – October 29, 2025: Episode Summary
Episode Theme:
Johannes B. Ullrich delivers a concise update on newly discovered cybersecurity vulnerabilities and phishing techniques, focusing on:
- A new invisible subject character phishing method
- A critical Apache Tomcat vulnerability
- A proof-of-concept for BIND9 DNS spoofing
- An OpenVPN code execution vulnerability
Each issue is broken down with practical security insights and recommendations for defenders.
1. Invisible Subject Character Phishing
[00:20 – 02:30]
Key Points:
- Technique Highlighted: Attackers use "invisible" UTF-8 characters, especially the soft hyphen, within email subject lines to bypass phishing filters.
- Traditional Approach: Previously, attackers inserted such characters into email bodies to break up keywords and escape detection.
- What’s New: This obfuscation is now being applied in the subject line itself, as shown in Jan's research and diary post at SANS.
- Impact: “Your password is about to expire” is an example phishing subject that could be altered in this way—email clients like Outlook may not display these soft hyphens at all.
- Detection Challenge: Filtering is difficult because these UTF-8 codes are legitimate in some contexts and invisible or ignored in others.
- Defender’s Dilemma: “I tried just to filter for a while all email that had any UTF8 encoded sub but well…” (Johannes B. Ullrich, 01:44). Pure UTF-8 filtering causes too many false positives.
Notable Quote:
“Here the attacker is inserting invisible characters. Now, strictly speaking, the characters...are not really invisible. One ... is the soft hyphen...But many email clients, like...Outlook, do not display them as part of the subject...So they basically just disappear.”
(Johannes B. Ullrich, 00:33–01:11)
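The detection angle Johannes describes (do not block every UTF-8 subject, but look for legitimate characters used only to break up text) can be implemented by normalising the subject before keyword matching. The following is an added example, not code from the episode or from SANS; the sample subjects and the phrase list are constructed for illustration.

```python
import email.header
import unicodedata

# Constructed sample subjects (not from the episode). The second hides two
# U+00AD SOFT HYPHENs, the third a U+200B ZERO WIDTH SPACE, and the fourth is
# the soft-hyphen variant as it would arrive RFC 2047 encoded on the wire.
SAMPLE_SUBJECTS = [
    "Your password is about to expire",
    "Your pass\u00adword is about to ex\u00adpire",
    "Your pass\u200bword is about to expire",
    "=?utf-8?q?Your_pass=C2=ADword_is_about_to_expire?=",
    "Quarterly report attached",
]

# Illustrative phrase list; a real deployment would use its own rules.
SUSPICIOUS_PHRASES = ("password is about to expire", "verify your account")


def decode_subject(raw: str) -> str:
    """Decode RFC 2047 encoded-words (e.g. =?utf-8?q?...?=) into plain text."""
    out = []
    for text, charset in email.header.decode_header(raw):
        if isinstance(text, bytes):
            out.append(text.decode(charset or "ascii", errors="replace"))
        else:
            out.append(text)
    return "".join(out)


def strip_invisible(text: str) -> tuple[str, int]:
    """Drop Unicode format characters (category Cf: soft hyphen, zero-width
    space, joiners, ...) and report how many were removed."""
    kept = [ch for ch in text if unicodedata.category(ch) != "Cf"]
    return "".join(kept), len(text) - len(kept)


def classify_subject(raw: str) -> dict:
    """Flag a subject only when invisible characters are present AND the
    normalised text matches a known phishing phrase; plain UTF-8 on its own
    is not treated as suspicious, which is what produced the false positives."""
    cleaned, removed = strip_invisible(decode_subject(raw))
    folded = cleaned.casefold()
    hit = next((p for p in SUSPICIOUS_PHRASES if p in folded), None)
    return {
        "cleaned": cleaned,
        "invisible_chars": removed,
        "phrase": hit,
        "suspicious": removed > 0 and hit is not None,
    }
```

Feed each raw Subject header value to classify_subject(); the plain "Your password is about to expire" matches a phrase but carries no invisibles, so it is left to the normal filter, while the soft-hyphen and zero-width variants are flagged.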
2. Critical Apache Tomcat PUT Method Vulnerability
[02:30 – 04:05]
Key Points:
- Vulnerability: Directory traversal in Apache Tomcat (all versions back to v9) via the PUT method, which may lead to remote code execution.
- PUT Method Risk: By default, this method lets users upload files directly to the server. The vulnerability allows files to be uploaded to arbitrary directories (directory traversal), potentially placing web shells on the server.
- Typical Exposure: Often enabled for REST APIs or web applications that support uploads.
- Mitigation: Restrict the PUT method to specific directories or disable entirely if unnecessary.
- Urgency: Exploits are likely imminent if not already public; patching is critical for servers with PUT enabled.
Notable Quote:
“...if you enable that put method, it’s really critical that you only constrain that upload to very specific directories...due to a directory traversal vulnerability, this put method can then be used to upload files into arbitrary directories.”
(Johannes B. Ullrich, 02:55–03:19)
3. BIND9 DNS Spoofing Vulnerability Proof-of-Concept
[04:05 – 06:10]
Key Points:
- Development: Public proof-of-concept code now exists for a recently patched BIND9 vulnerability.
- Misconception Corrected: Originally thought to be a weak random number generator issue, it’s actually the longstanding “additional data” DNS spoofing flaw.
- Technical Details: Attackers can insert arbitrary, spoofed data as additional records in a DNS response—an old problem resurfacing.
- Configuration Factor: The exploit is effective particularly when BIND is configured with “forward only” domains that trust responses from designated forwarders.
- Common Use Case at Risk: Many DNS servers, for efficiency or firewall simplicity, forward everything to trusted resolvers (e.g. Cloudflare, ISPs)—but these forwarders might not sanitize responses, opening the door for spoofed data.
- Mitigation: If you don’t use explicit forwarders, your exposure is reduced, but many organizations do, because forwarding to a trusted resolver is a very common DNS architecture.
- Patch Necessary: Urgent patching advised, though the exploit affects only certain configurations.
Notable Quote:
“It may include additional data and has been one of those ancient DNS spoofing vulnerabilities where an attacker could just add arbitrary spoofed data as additional records. Well, that appears to be the problem here...”
(Johannes B. Ullrich, 04:38–04:55)
4. OpenVPN Arbitrary Code Execution Vulnerability
[06:10 – 07:10]
Key Points:
- Vulnerability: Command injection bug in OpenVPN across Unix-like systems (macOS, Linux, etc.) can grant arbitrary code execution.
- Exploit Mechanism: When a client connects to a rogue OpenVPN server, that server can push configuration parameters—specifically DNS-related ones—that, due to a lack of sanitization, are passed unsafely to a client-side script.
- Real-World Risk: Exploiting this requires connecting to a malicious (non-trusted) OpenVPN server; with trusted connections, risk is limited.
- Mitigation: Update OpenVPN as soon as possible; a patch is available and the update process is straightforward.
Notable Quote:
“...you need to connect to a malicious OpenVPN server; connecting to a trusted VPN server...this is less of an issue, but still, update it.”
(Johannes B. Ullrich, 06:52–07:00)
5. Conclusion
[07:10–end]
Johannes wraps up by thanking the audience and reiterating the value of staying current and sharing information.
Timestamps of Key Segments
- Phishing with invisible subject characters: 00:20–02:30
- Apache Tomcat PUT method vulnerability: 02:30–04:05
- BIND9 DNS spoofing PoC: 04:05–06:10
- OpenVPN code execution vulnerability: 06:10–07:10
Overall Tone & Language
The episode maintains a brisk, authoritative, and practical tone—Johannes speaks directly to defenders, referencing real-world attacks and the importance of urgent patching. Key advice is pragmatic: patch, restrict permissions, examine configuration, and understand attacker innovation.
Notable Quotes (Recap)
“You cannot just look for hey, are they using some odd spaces or things like this. But you also have to look for characters that may be legit in some contexts, but are here just used to break up the text.”
(01:22)
“If you are running an out-of-date Tomcat server...you probably do want to update this quickly. I would expect an exploit to be released shortly if it hasn’t already been released.”
(03:36)
“If you don’t use a specific forwarder, then you may not have a problem here. On the other hand, many configurations use specific forwarders because that sort of is a very standard architecture for a DNS...”
(05:24–05:35)
This summary covers the full technical content and actionable insights of the episode, providing clear, attributed guidance for defenders and readers who may not have listened.
