
SANS Stormcast Monday, February 2nd, 2026: Google Presentation Abuse; Ivanti Vuln Exploited; Microsoft NTLM Strategy

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9790.mp3


Podcast Transcript

Hello and welcome to the Monday, February 2nd, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu undergraduate certificate program in Applied Cybersecurity.

Last week I started adding some CAPTCHAs to the Internet Storm Center website. I had to do it. I didn't really want to deal with CAPTCHAs and such, but we did get a ton of requests that just screen scrape some pages that are available via APIs and some of our public data feeds. So please use those if you need the data, or let me know if you run into any problems with the CAPTCHAs. It did cut down the load on these particular pages by over 90%. So more than nine out of ten requests to those pages were created by bots.

In Diaries today we had, well, one from Friday, and that's about a little phishing trick that at least was new to me. So whenever any company is setting up a simple way to host free web pages, it's often being abused for phishing. Google Documents is not really an exception here. Google Docs, I think, is the official name. But what Google actually did to prevent some of this is to add a very obvious note to the bottom of each page that this is hosted by Google Docs, and also links to report phishing pages. Well, one of our readers, Charlie, observed a phishing email that redirected to a Google Docs page that did not have this notice. And there was a fairly simple trick that was played here. At first I thought maybe they played some HTML trick or such to hide it, some style sheet or whatever. Well, what they did in this case was they used a Google Slides presentation. And these presentations, yes, also have sort of a very distinct footer by default, but you can publish these presentations. Once you publish the presentation, well, then they sort of work like a presentation that you would present to an audience. So this footer disappears, and that's exactly what they used here. They used a link to a published presentation. Links still work in those presentations, so you can still click on the link. This one targeted users of Vivaldi webmail. Not really clear. Like, the user sent it to us. I believe they are a user of Vivaldi webmail. I'm not sure if this was targeted to Vivaldi webmail users. There was a comment asking about that. And I think what may have happened, what often happens with phishing emails like this, is that they were sent to a lot of people, not just Vivaldi webmail users, but those who don't use Vivaldi webmail, well, they just discard the email because they know it's obviously bad. While Charlie here, as a user of Vivaldi webmail, well, paid a little bit more attention and took a closer look at that particular email. So there's always that kind of confirmation bias here that plays a role when you're looking at phishing.

And I guess it's time for another Ivanti vulnerability, patch and exploit again. So we do have an already exploited vulnerability in Ivanti's Endpoint Manager Mobile. This affects versions 12.5, 12.6, 12.7.0 as well as 12.7.1 for this particular product. The patch that's being released here is what they call an RPM patch. Basically, well, you know, the RPM package manager, just a file for that. Now, it's not a new version that you're getting here. You're just getting the patch. If you're now upgrading to a different version, well, you have to reapply the patch. They're calling this sort of a temporary patch, really. Now, when they're releasing a new version next time, and they don't really state when that will happen, then the patch should be included in that new version. So it shouldn't really become an issue. It's really only if you would basically, essentially, downgrade or maybe upgrade to another vulnerable version. Like if you are currently on 12.6 and you're upgrading to a vulnerable 12.7 version, that could lead to this downgrade. So definitely pay attention then to the final patch being released in a new version. Another sort of advantage of this patch is also that it doesn't require any downtime. Now, if you are sort of in a failover high availability configuration, you have to apply the patch to all cores. The patch does not automatically replicate to the other instances.

And Microsoft has published an updated timeline on the removal, and actually disabling, of NTLM from future versions of Windows. Now, you may say, well, haven't they already had a timeline so far? They were so far talking about deprecating NTLM, which means it's no longer sort of used by default, doesn't receive any updates, and it's basically no longer a maintained feature. It's just being kept around for people who still need it. What they started doing now already is add more logging, so basically enhanced auditing for NTLM, so it's easier to identify systems that still use it. And in the second half of 2026, they'll move to actually then preferring Kerberos. So always try Kerberos first before they would try NTLM. And then in the next version of Windows Server, they'll actually move to disable NTLM. So you probably have about a year or so to really deal with that issue and try to get rid of as much NTLM in your network as possible. NTLM will not be removed, as far as I understand. You'll still be able to enable it, but it will require additional sort of administrative overhead to actually get NTLM to work in later versions or newer versions of Windows.

Well, that's it for today. Two stories that didn't make sort of the cut are a vulnerability in Johnson Controls' Metasys. That's one of their sort of commercial automation systems. And then also lots of news with vulnerabilities and such about Moltbot, yet another one of those AI tools. Well, it almost feels like that's sort of part of their PR campaign. But either way, if you're working with any of these systems, take a look. That's it for today. If I should have covered another news item, please let me know, and talk to you again tomorrow. Bye.