news
Security Leftovers
-
SANS ☛ Increased Elasticsearch Recognizance Scans, (Tue, Aug 19th)
I noticed an increase in scans that appear to try to identify Elasticsearch instances. Elasticsearch is not a new target. Its ability to easily store and manage JSON data, combined with a simple HTTP API, makes it a convenient tool to store data that is directly accessible from the browser via JavaScript. Elasticsearch has, in particular, been popular for consolidating log data, and the "ELK" (Elasticsearch, Logstash, Kibana) platform has been a very successful standard for open source log management.
-
LWN ☛ Security updates for Tuesday
Security updates have been issued by AlmaLinux (golang, openjpeg2, toolbox, and xterm), Debian (libxslt, mbedtls, openjdk-17, and webkit2gtk), Fedora (apptainer, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, rust-h2, and uv), Oracle (golang, kernel, and openjpeg2), Red Hat (kernel and xterm), SUSE (389-ds, cairo, container-suseconnect, kernel, lua51-luajit, postgresql13, and trivy), and Ubuntu (linux, linux-aws, linux-aws-6.14, linux-gcp, linux-gcp-6.14, linux-oracle, linux-oracle-6.14, linux-raspi, linux-realtime and openldap).
-
Tomasz Torcz: Leaving BuyPass as an ACME provider
For a long time I've been using BuyPass as a TLS certificate provider for ACME. Unfortunately they decided to disengage from this area of services.
There are quite a few ACME providers. Some even look like they could replace BuyPass, which had two strong traits: it is based in Europe and was providing certificates valid for half a year. It looked like Actalis would be a good replacement. They're from Italy and have 1-year certificates, but available in paid plans only.
-
Trail of Bits ☛ Marshal madness: A brief history of Ruby deserialization exploits
This post traces the decade-long evolution of Ruby Marshal deserialization exploits, demonstrating how security researchers have repeatedly bypassed patches and why fundamental changes to the Ruby ecosystem are needed rather than continued patch-and-hope approaches.
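As an added illustration (this is not code from the Trail of Bits post, nor from Ruby itself), the following Ruby shows the root cause that every Marshal gadget chain builds on: Marshal.load instantiates whatever class the byte stream names and invokes that class's marshal_load hook with attacker-controlled data before the caller ever sees the object. The Gadget class, the FIRED side-effect log and the command string are constructed stand-ins, not a real gadget; the hardened sink swaps Marshal for JSON.parse, which can only ever produce primitives.

```ruby
# Added example (not from the Trail of Bits post): why Marshal.load on
# untrusted bytes is a code-execution sink, and the hardened alternative.
require "json"

# Hypothetical stand-in for a gadget class. In a real chain this would be
# some class already loaded in the target app whose hook does something
# dangerous; here the hook only records what it was handed.
FIRED = []

class Gadget
  attr_reader :cmd

  def initialize(cmd)
    @cmd = cmd
  end

  # Marshal.dump calls this to obtain the serialized state.
  def marshal_dump
    @cmd
  end

  # Marshal.load calls this automatically while rebuilding the object,
  # with attacker-controlled data, before the caller sees the result.
  def marshal_load(data)
    @cmd = data
    FIRED << data # stand-in for a side effect such as Kernel#system(data)
  end
end

# Attacker side: the bytes name the class "Gadget" and carry the string.
def craft_payload(cmd)
  Marshal.dump(Gadget.new(cmd))
end

# Vulnerable sink: deserializes whatever it is handed.
def load_untrusted_insecure(bytes)
  Marshal.load(bytes)
end

# Hardened sink: parse as JSON, which can only yield Hash, Array, String,
# Numeric, true, false and nil, never an instance of an arbitrary class.
# Returns :rejected instead of raising so the caller can log and drop it.
def load_untrusted_safe(str)
  JSON.parse(str)
rescue JSON::ParserError
  :rejected
end

def demo
  FIRED.clear
  payload = craft_payload("id > /tmp/pwned") # constructed command string
  obj = load_untrusted_insecure(payload)
  # By the time obj is returned, marshal_load has already run.
  {
    klass: obj.class,
    fired: FIRED.dup,
    safe: load_untrusted_safe(payload),
  }
end

if __FILE__ == $PROGRAM_NAME
  p demo
end
```

The point is that no call on the returned object is needed: the hook runs inside Marshal.load itself, which is why allow-listing classes after the fact, or patching individual gadget classes, keeps getting bypassed, and why the post argues for changing the ecosystem rather than the patch-and-hope cycle.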
-
Windows TCO / Windows Bot Nets
-
Silicon Angle ☛ February ransomware attacks hit record high as ThreatDown reports 25% annual surge
A new report out today from ThreatDown, the corporate business unit of Malwarebytes Inc., finds that ransomware attacks jumped 25% year-over-year between July 2024 and June 2025, making it the most active 12-month period on record.
-
Bruce Schneier ☛ Zero-Day Exploit in WinRAR File
A zero-day vulnerability in WinRAR is being exploited by at least two Russian criminal groups:
The vulnerability seemed to have super Windows powers. It abused alternate data streams, a Windows feature that allows different ways of representing the same file path. The exploit abused that feature to trigger a previously unknown path traversal flaw that caused WinRAR to plant malicious executables in attacker-chosen file paths %TEMP% and %LOCALAPPDATA%, which Windows normally makes off-limits because of their ability to execute code.
More details in the article...
-
-
Education
-
APNIC ☛ Reflecting on 10 years in open source network security: Lessons from FastNetMon
Ten years ago, I wrote the first lines of FastNetMon in my home lab, trying to detect volumetric Distributed Denial-of-Service (DDoS) attacks in a small data centre environment I was managing. What started as a proof-of-concept tool with hardcoded thresholds and no config file has since grown into a globally deployed open source DDoS detection system, shaped entirely by the needs and input of the network operator community.
In this post, I want to reflect on two parallel journeys: How DDoS attacks have evolved over the last decade, and how the FastNetMon Community project has grown in response — from a homegrown script to a battle-tested detection platform trusted by ISPs, hosting providers, and enterprises.
-