The podcast, recorded on November 3rd, 2025, by Johannes Ullrich from Jacksonville, Florida, discusses recent cybersecurity incidents. It highlights an increase in scans for Windows Server Update Services (WSUS) ports (8530 and 8531) following the public disclosure of an exploited vulnerability, with researchers like Shadowserver actively notifying affected entities. The episode also covers an advisory from the Australian Signals Directorate regarding the BADCANDY implant targeting unpatched Cisco IOS XE devices vulnerable to CVE-2023-2198, a two-year-old vulnerability previously exploited by groups like Vault Typhoon. Finally, it addresses malicious extensions found in the OpenVSX store for Visual Studio Code-derived editors, which used Unicode characters to hide malicious code. OpenVSX's response includes reducing token lifetimes, improving token revocation, and enhancing security scanning at publication to prevent future incidents.