
SANS Stormcast Tuesday, May 19th, 2026: New libssh in Malware; Exchange 0-Day; MSFT Authenticator Update

If you are not able to play the podcast using the player below, use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9936.mp3



Podcast Transcript

Hello and welcome to the Tuesday, May 19th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. This episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership.

Let's start out today with today's diary, and that comes again from one of our SANS undergraduate interns. Gokul Prema Thangawell wrote this particular diary about the ever-present SSH bots: bots that are brute forcing usernames and passwords for SSH and then often install modified authorized keys files, which of course then act as a backdoor for the attacker. Now, the one thing that Gokul here is looking at is a very well established chain of these SSH bots that always leaves behind the same authorized keys file. It's sort of one of the indicators of compromise here. But Gokul notes some subtle modification to the binary being used to do the scanning, in that it updated to a new libssh. libssh is the base library that implements SSH, and then we also have these HASSH values. Now, HASSH is written here with two S's, basically H-A-S-S-H, which basically identifies the SSH connection details and with that often identifies the malware. But that now changed with the switch to the new libssh. And well, what this really means is: don't be too specific on your indicators of compromise. If you're seeing a lot of outbound SSH connections, there is a good chance that you have a system in your network that is attempting to infect others via SSH, no matter whether or not this particular HASSH is present in the connections, or whether it's not present and often goes undetected, as pointed out in this diary.

And late last week, Microsoft disclosed a new unpatched vulnerability in Exchange Server affecting Exchange Server 2016 through 2019 as well as the current subscription edition. Well, this is a cross-site scripting vulnerability, but given that it's running in Exchange and then basically exposed via Outlook Web Access, there's quite a bit of damage that the hacker could do by exploiting this cross-site scripting vulnerability. Always an issue with cross-site scripting in webmail clients like Outlook Web Access. And as a result, well, definitely something that you want to address, in particular since the reason that Microsoft sort of came forward and made this issue public is that it's already being exploited in the public. Now, Microsoft did publish a workaround, and you can apply this workaround if your version of Exchange is reasonably up-to-date. So even for the older versions like 2016, you can apply it. You just must have applied some of the more recent updates to Exchange Server 2016. And this will block exploitation. This is not a patch yet, and it apparently does have a couple of issues. And again, refer to Microsoft's write-up on it because that's something they have been adding to over the last couple of days. In particular, apparently the calendar functionality, like running calendars and such, may have some problems here after you apply the workaround. But take a look at it. To me, these issues sound less severe than getting exploited with a cross-site scripting exploit here.

And Microsoft also late last week did release an update for Microsoft Authenticator for iOS as well as for Android. This particular update fixes a vulnerability where an attacker could gain access to the authentication token being submitted by Microsoft Authenticator. In order to exploit this vulnerability, an attacker would have to essentially trick you into visiting a website, then interact with the website. You'll see a pop-up on your authenticator asking you essentially to approve the login. And the attacker would then get access to the token that would allow the attacker to essentially bypass Microsoft Authenticator-based two-factor authentication. An interesting vulnerability; like I said, not a lot of details out there yet. And nothing being exploited yet on Android and iOS. The application should automatically update.

Well, to all the Linux users that are smirking here about the Microsoft and Windows flaws, there's also a new privilege escalation vulnerability for Linux to worry about. This one in particular also allows access to private SSH keys on the server as well as to the /etc/shadow file. Now, the server SSH keys typically don't allow you to actually log into the server, but they allow you to impersonate the server. So, still something that you want to take care of and make sure that your Linux system is, again, properly patched. And, of course, rebooted, as for most kernel patches like this.

And that's it for today. Thanks for listening. Thanks for liking. Thanks for recommending this podcast. And talk to you again tomorrow. Bye.
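The SSH-bot segment above argues for alerting on outbound SSH volume from an internal host rather than on one fixed HASSH value, because the fingerprint changes as soon as the bot swaps libssh versions. The following is an added example illustrating that point; it is not code from the ISC diary, from the podcast, or from any product mentioned. The flow-log format, the timestamps, the IP addresses and the HASSH hex strings are all constructed for the demo, and the fan-out threshold of five distinct external destinations is an assumption you would tune to your own network.

```python
"""Flag likely SSH-scanning hosts by outbound fan-out, not by a single HASSH value.

Added example for the SSH-bot segment of this episode. Not code from the ISC
diary, the podcast, or any product it mentions; every value below is constructed.
"""
from collections import defaultdict
import ipaddress

# RFC 1918 ranges: a connection from one of these to anything outside is "outbound".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed HASSH values (real ones are MD5 hex digests of the client's
# key-exchange offer): the bot before and after its libssh update, and an admin client.
OLD_BOT_HASSH = "0e3ff5c6b2e6e7d1c0a4b3c2d1e0f9a8"
NEW_BOT_HASSH = "7c1a9d2e4b6f8a0c1e3d5b7f9a2c4e6d"
ADMIN_HASSH = "5d4c3b2a19087f6e5d4c3b2a19087f6e"

# Constructed flow records: "<timestamp> <src> <dst> <dst_port> <client_hassh>".
# 10.0.0.5 runs the bot with the old fingerprint, 10.0.0.9 the updated one,
# 10.0.0.20 is an admin making one connection, then one inbound and one non-SSH line.
SAMPLE_LOG = """\
2026-05-18T10:00:01Z 10.0.0.5 203.0.113.10 22 0e3ff5c6b2e6e7d1c0a4b3c2d1e0f9a8
2026-05-18T10:00:02Z 10.0.0.5 203.0.113.11 22 0e3ff5c6b2e6e7d1c0a4b3c2d1e0f9a8
2026-05-18T10:00:03Z 10.0.0.5 203.0.113.12 22 0e3ff5c6b2e6e7d1c0a4b3c2d1e0f9a8
2026-05-18T10:00:04Z 10.0.0.5 203.0.113.13 22 0e3ff5c6b2e6e7d1c0a4b3c2d1e0f9a8
2026-05-18T10:00:05Z 10.0.0.5 203.0.113.14 22 0e3ff5c6b2e6e7d1c0a4b3c2d1e0f9a8
2026-05-18T10:00:06Z 10.0.0.5 203.0.113.15 22 0e3ff5c6b2e6e7d1c0a4b3c2d1e0f9a8
2026-05-18T10:01:01Z 10.0.0.9 198.51.100.20 22 7c1a9d2e4b6f8a0c1e3d5b7f9a2c4e6d
2026-05-18T10:01:02Z 10.0.0.9 198.51.100.21 22 7c1a9d2e4b6f8a0c1e3d5b7f9a2c4e6d
2026-05-18T10:01:03Z 10.0.0.9 198.51.100.22 22 7c1a9d2e4b6f8a0c1e3d5b7f9a2c4e6d
2026-05-18T10:01:04Z 10.0.0.9 198.51.100.23 22 7c1a9d2e4b6f8a0c1e3d5b7f9a2c4e6d
2026-05-18T10:01:05Z 10.0.0.9 198.51.100.24 22 7c1a9d2e4b6f8a0c1e3d5b7f9a2c4e6d
2026-05-18T10:01:06Z 10.0.0.9 198.51.100.25 22 7c1a9d2e4b6f8a0c1e3d5b7f9a2c4e6d
2026-05-18T10:02:00Z 10.0.0.20 203.0.113.50 22 5d4c3b2a19087f6e5d4c3b2a19087f6e
2026-05-18T10:02:30Z 198.51.100.7 10.0.0.5 22 0e3ff5c6b2e6e7d1c0a4b3c2d1e0f9a8
2026-05-18T10:03:00Z 10.0.0.9 203.0.113.99 443 -
"""


def parse_line(line):
    """Return (timestamp, src, dst, hassh) for an SSH record, else None."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "22":
        return None
    ts, src, dst, _port, hassh = parts
    return ts, src, dst, hassh


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_ssh(log_text):
    """Yield only records where an internal source talks SSH to an external host."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_internal(rec[1]) and not is_internal(rec[2]):
            yield rec


def hosts_by_hassh(log_text, known_hassh):
    """The narrow IoC approach: internal hosts whose client HASSH is on a watchlist."""
    return {src for _ts, src, _dst, h in outbound_ssh(log_text) if h in known_hassh}


def hosts_by_fanout(log_text, threshold):
    """The behavioural approach: internal hosts reaching many distinct SSH targets."""
    targets = defaultdict(set)
    for _ts, src, dst, _h in outbound_ssh(log_text):
        targets[src].add(dst)
    return {src for src, dsts in targets.items() if len(dsts) >= threshold}


def report(log_text, known_hassh, fanout_threshold=5):
    """Compare both detections and show which scanners a HASSH-only rule would miss."""
    by_hassh = hosts_by_hassh(log_text, known_hassh)
    by_fanout = hosts_by_fanout(log_text, fanout_threshold)
    return {
        "matched_known_hassh": by_hassh,
        "high_fanout": by_fanout,
        "missed_by_hassh_only": by_fanout - by_hassh,
    }


if __name__ == "__main__":
    for key, hosts in report(SAMPLE_LOG, {OLD_BOT_HASSH}).items():
        print(f"{key}: {sorted(hosts)}")
```

Run as-is, the HASSH watchlist (which only knows the old fingerprint) flags 10.0.0.5 but misses 10.0.0.9, while the fan-out rule catches both scanners and leaves the single-connection admin host alone; the inbound record and the port-443 record are ignored because they are not outbound SSH.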