
SANS Stormcast Friday April 24th, 2026: Apple Update; Bitwarden Compromise; ASP.NET Core Patch

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9906.mp3


Podcast Transcript

Hello and welcome to the Friday, April 24, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Amsterdam, Netherlands. And this episode is brought to you by the SANS.edu graduate certificate program in incident response.

Today, I wrote a quick diary about a patch that Apple released yesterday. This patch fixes a single vulnerability in iOS and iPadOS. And while it's not unusual for Apple to release these sorts of single-vulnerability updates, these updates are usually reserved for currently exploited vulnerabilities. And Apple's description of the vulnerability does not actually note that it's already exploited. On the other hand, well, the nature of the vulnerability: it does describe it as a vulnerability in the notification center, where notifications that are marked for deletion are not actually deleted. And exactly this particular vulnerability was noted in a press description of a recent criminal case in which the FBI was able to recover at least partial Signal messages by looking at these notifications that were not deleted. So insofar, it is certainly already an exploited vulnerability, and also not a terribly difficult to exploit vulnerability. It's a common problem with secure messengers that if they are using sort of these built-in operating system messaging components, these components may, well, at least not encrypt the messages to the same standard as the originating application, but also artifacts of sending messages or receiving messages may often be retained in these additional operating system components, as they're usually not designed for the threat models that these end-to-end encrypted messengers are often designed for. So this isn't fundamentally new. And in Signal, you had the option to disable notifications. But now Apple also fixed the bug slash vulnerability that notification artifacts were not necessarily deleted, even though the application marked them as to be deleted.

And yesterday I talked about the compromise of the Checkmarx KICS tool. Well, today we got our second victim of the same campaign, possibly as a follow-on to the Checkmarx compromise, and that's Bitwarden. Bitwarden, the password manager, was compromised. In particular, the command line tools were compromised. This compromise happened by actually compromising a GitHub worker. Now part of the Checkmarx compromise was to install malware that would recover and steal credentials like GitHub API keys. So it's very possible and likely that the Bitwarden developer here was affected by the Checkmarx compromise, even though I haven't seen that confirmed yet. What is however confirmed is that both compromises use identical infrastructure, identical malware that is being deployed. So if you are affected by either of these compromises, expect all of your GitHub keys and other credentials to be stolen. This particular malware does not necessarily go after any secrets stored in Bitwarden. But of course, that could change at any time, and it's definitely something to be aware of if you are affected by a compromise of the Bitwarden command line tools. Other parts of Bitwarden don't appear to be affected, like browser plugins and so on, but still, probably better safe than sorry. And double check when you last updated them, what some of the versions are, and probably refrain from updating these components for the next couple of days, at least until we really know all the details and the real impact and scope of this compromise. So far, I haven't seen anything official from Bitwarden yet, but again, it's a developing story. So I may not have spotted the right blog post where they sort of told their side of the story, what exactly happened. So far, I base it mostly on what Socket.dev wrote in their blog post. Well, and they're also the ones that uncovered the Checkmarx exploit yesterday.

Well, and then we got an emergency update from Microsoft for ASP.NET, the data protection library. If you download that from NuGet, you should upgrade. Now, this only really affects developers who are developing for .NET. They, of course, must release new applications. The problem with this library was that it didn't verify some of the cryptographic signatures correctly, which did allow an attacker to essentially spoof other users using a padding oracle exploit. They're comparing it to a vulnerability patched back in 2010, MS-10-70, that apparently fixed a similar vulnerability. So apply the update. It's available now. And yes, you must re-release your applications that used the vulnerable library. And also you must rotate credentials because, well, any keys and such that you used in your application may have been compromised.

Well, this is it for today. So thanks for subscribing and liking. And just a quick note: due to travel, I probably will not be releasing a podcast on Monday. It depends a little bit on how late I get in on Sunday, but most likely it will be too late in order to still record a podcast for Monday. I'll see you next time.