
SANS Stormcast Wednesday, May 27th, 2026: Fake Claude Ads; SharePoint Vuln; Angular Vulnerabilities

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9946.mp3



Possible ACR Stealer From Page Impersonating Claude
https://isc.sans.edu/diary/Possible%20ACR%20Stealer%20From%20Page%20Impersonating%20Claude/33018

Microsoft SharePoint Remote Code Execution Vulnerability CVE-2026-45659
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45659

Multiple Vulnerabilities in Angular Language Service VS Code Extension
https://github.com/angular/angular/security/advisories/GHSA-ccq4-xmxr-8hcq

Podcast Transcript

Hello and welcome to the Wednesday, May 27, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in penetration testing and ethical hacking.

Well, let's start today with a little bit of a different spin on AI. In this case, it's actually, well, not really AI at all. It's just a fake Claude AI download page that is being used by attackers to install the ACR Stealer. ACR Stealer has been around for a while. It's sort of your standard info stealer, stealing credentials and the like, often also considered sort of a malware-as-a-service, where attackers will install it and then they provide also the malware and the credentials to the actual organization behind these attacks. Now, the organizations that are sort of renting or buying ACR Stealer, they then have to find a way for users to actually install it. And in this particular case, well, they went with Google Ads, the good old and proven method to trick users into installing software. When you're searching for Claude, you may actually end up with malicious code, in this case with the info stealer. The download page, well, the domain looks nothing like Claude; the one that Brad found here is fairpoint29.com. But there are likely many other similar ones out there as well. The look and feel of the page, of course, does match the official Claude page. So unless someone looks at the URL, they may not necessarily notice that they are on a malicious page.

And Microsoft actually surprised late last week with a surprise update for SharePoint. This SharePoint patch does patch a remote code execution vulnerability. It does affect all currently supported versions of SharePoint. And yes, it's another deserialization vulnerability. We had like the big one last year with the view state. Not sure how this is exactly exploited, but Microsoft rates the exploitability as low complexity, so relatively easy. However, an attacker must have credentials to log in. So essentially what this means: any logged-in user, any user with credentials, is able to execute arbitrary code on the server. This is certainly not good, in particular since it only takes one user to lose their credentials. And you know, sometimes you also have sort of some read-only users or such, like external users that you provided with very limited access to your SharePoint site and don't necessarily completely trust them, or trust how they handle their credentials.

Well, yet another sort of issue that Visual Studio Code users have to worry about. This time, it's not malicious extensions, but vulnerabilities in existing extensions. There's also a little bit of a recurring issue when it comes to these extensions, that extensions are often able to execute code in some form. Well, if they're then being used to look at untrusted documents and such, that's sort of where the problem happens. In this particular example, the extension is the Angular Language Service Visual Studio Code extension. If you have this loaded and you're loading a project with a malicious settings file, or you're using it to look at a malicious JSDoc file, well, that's sort of where the remote code execution happens. Essentially, this extension is not properly escaping all of the special characters in files that it may load. And as a result, you have remote code execution. Like I said, this is not the first time we had sort of vulnerabilities like this in extensions. And it always sort of comes down to the same pattern: that you have a vulnerable extension, then you're opening a project in Visual Studio Code that takes advantage of these vulnerabilities. One of the big things to be a little concerned about is, if you're opening any projects, in particular, sort of to just sort of blindly adopt whatever settings and such they're sending you. So you may want to review them, or maybe just sort of start over from scratch and don't, like, import settings for Visual Studio Code that were configured by someone else that you may or may not trust.

And then we also got patches for the DNS server BIND. Now, there are a number of vulnerabilities being addressed here. But one that I think is sort of interesting is a heap use-after-free vulnerability. It can cause memory corruption. So there is a potential of remote code execution. But I don't think it's really likely that this is usually happening in situations like that. The root issue here is, well, the support for DNS over HTTPS in more recent versions of BIND. I think 9.18 was the first one where this was sort of officially introduced as a feature. And 9.18 is actually not vulnerable. It's only 9.20 and 9.21 that are vulnerable here to this particular issue. And it does affect the HTTP/2 implementation here, which, well, a lot of web servers and such had also issues with HTTP/2. It's not an easy protocol to implement correctly. And I'm not sure if BIND uses a standard library or something they created themselves for HTTP/2.

Well, and this is it for today. So thanks for listening. And thanks for liking this podcast. Thanks for recommending it. And if you have any feedback, anything I should have covered, anything I should not have covered, well, please let me know. Thanks and talk to you again tomorrow. Bye. Bye.