Podcast Detail

SANS Stormcast Wednesday, July 1st, 2026: Apple Patches; SimpleHelp Exploit; Git DNS Tricks;

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9990.mp3

Podcast Logo
Apple Patches; SimpleHelp Exploit; Git DNS Tricks;
00:00

My Next Class

Click HERE to learn more about classes Johannes is teaching for SANS

Podcast Transcript

 Hello and welcome to the Wednesday, July 1st, 2026
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich, recording today from Riyadh,
 Saudi Arabia. And this episode is brought to you by the SANS
 .edu Graduate Certificate Program in Industrial Control
 System Security. Well, Apple did release updates this week
 with that security patches for iOS, iPadOS, MacOS and Safari.
 So this lineup is a little bit different than what we usually
 see from Apple. Apple typically updates all of its
 operating systems. And also, well, we don't really have the
 same number of vulnerabilities being addressed as usual, but
 a smaller number, 28 vulnerabilities total. Most of
 these vulnerabilities are WebKit vulnerabilities, and
 that also explains the focus on iOS and MacOS. The other
 operating systems like watchOS and such, of course, are less
 exposed to WebKit. There are a couple of kernel
 vulnerabilities that are also being addressed here, and
 these vulnerabilities will potentially also affect the
 other operating systems like watchOS, OS, VisionOS and
 TVOS. So I expect that there will be an update for the
 other operating systems relatively shortly. Part of
 the reasoning behind this update was also that some of
 these vulnerabilities had already been addressed in beta
 versions of the next major release of iOS, iPadOS and
 MacOS. And MDR company Blackpoint did release a blog
 post outlining a recent intrusion that they have
 observed against SimpleHelp. SimpleHelp is one of those
 remote tech support platforms. So enterprises use it to
 basically be able to reach out and support systems across
 their network. And it suffered, well, not even two
 weeks ago from an OpenID Connect bypass. So that
 essentially allowed an off vacation bypass and an
 attacker is able to authenticate as a technician.
 And with that able to then reach out to remote systems
 that are connected to this particular SimpleHelp
 instance. What Blackpoint observed is that the attacker
 did deploy fairly obfuscated JavaScript file, they call it
 jQuery.js, but it's not related to the well known
 jQuery framework. And this JavaScript file is then
 executed via node.js and used to deploy additional malware.
 In particular, they observed credential stealers. So in
 this case, the attacker went after the usual sort of as age
 and cloud credentials and such likely to further compromise
 affected networks. Haven't seen the ransom word word here
 in this particular write up, but wouldn't be surprised if
 this particular vulnerability, which isn't all that terrible
 hard to exploit, would soon be used also to deploy
 ransomware. That just sort of fits what this type of
 vulnerability is often used for. At Mozilla's Odin Lab
 published a blog post outlining an interesting
 attack against, well, yet again, cloning a repository
 from Git. Doesn't have to be GitHub, really sort of any
 kind of repository here would work. And the trick they're
 playing here is that if you're using an AI agent in order to
 help you with the cloning and then ask it to execute the
 actual code that was downloaded. Well, there will
 be an error message that you first need to initialize to
 init the software that you just downloaded. And that,
 well, in itself isn't really all that suspicious. But what
 that triggers is a DNS lookup that will then download
 additional code in the form of a text record and execute it.
 So the trick here is that the repository as downloaded is
 clean. It does not contain any malware and the malware is
 really just loaded as the repository is initialized
 using the DNS lookup. Pretty neat. Just talked in class
 today about all the ways how you can use DNS as a covert
 channel. Yet another sort of little trick that you can play
 here with DNS. Well, and that's it for today. Thanks
 for listening. Thanks for liking. Thanks for
 recommending this podcast and talk to you again tomorrow.
 Bye.