
SANS Stormcast Thursday, May 28th, 2026: Akira Ransomware; Vaultjacking; Poisoned Chatbot and Search Results;

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9948.mp3



Reconstructing an Akira Ransomware Kill Chain from Perimeter and Endpoint Logs
https://isc.sans.edu/diary/Reconstructing%20an%20Akira%20Ransomware%20Kill%20Chain%20from%20Perimeter%20and%20Endpoint%20Logs/33024

Vaultjacking: One Captured PIN, the Entire Google Password Manager Vault
https://phishu.net/blogs/blog-vaultjacking-phishing-the-google-password-manager-vault-in-the-phishu-framework.html

From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities
https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/

Podcast Transcript

 Hello and welcome to the Thursday, May 28, 2026 edition
 of the SANS Internet Storm Center's Stormcast. My name is
 Johannes Ullrich, recording today from Jacksonville,
 Florida. And this episode is brought to you by the SANS.edu
 Undergraduate Certificate Program in Cybersecurity
 Fundamentals. Well, I assume nobody here likes ransomware,
 but one thing I do like is a great write-up explaining how
 to early detect ransomware. Manuel wrote up an Akira
 ransomware kill chain, which essentially walks you through
 about one week of activity that was conducted by this
 particular threat actor against a network from which
 Manuel was able to obtain logs. Now, what was
 interesting is that really there were some early signs
 that something wasn't right. And that was a large number of
 failed authentication events against the SSL VPN. As so
 often, well, the security device here, the SSL VPN did
 sort of cause or provide the initial access. Now, here in
 this case, it was basically just the credential brute
 forcing. The attacker eventually got lucky and was
 able to log in. So there was no specific exploit used here.
 Next, we then had the internal discovery where the attacker
 was essentially probing the network. Sort of trying to
 connect to Windows shares and doing the usual whoami and
 such. So all actually things that are relatively easy to
 detect if you are properly instrumented. And then of
 course, lateral movement via RDP. Also a very typical
 ransomware strategy. Well, in summary, it
 took them about a week to actually start the encryption.
 So there were actually quite a few sort of early indicators
 that may have helped to then prevent the actual encryption
 and exfiltration potentially here of the data. Manuel walks
 you through all the different indicators, all the log IDs and
 such to look for in order to identify
 this activity hopefully before it gets encrypted
 by a similar attack.
 authentication is, well, passkeys that have become more and
 more popular in recent years. Now the problem of course is
 still that the passkeys have to be stored somewhere and one
 of the usability features added to passkeys is the
 ability to synchronize them across different devices. So
 even if your passkeys are phishing resistant, well if
 the storage medium that you're using, basically the
 synchronization mechanism, is not phishing resistant, well
 then it doesn't really matter how secure your passkeys
 are. And this is something that PhishU is
 exploiting and PhishU is a company that sort of does
 security awareness training and also these phishing as
 service testing engagements. Well and they documented now
 an interesting use of phishing in order to gain credentials
 for Google's password and passkey syncing mechanisms. It's
 all leveraged around the PIN that's being used to
 authenticate a particular device and essentially the
 user is tricked into entering that PIN into the PhishU
 dialog. So it comes back down to phishing. If you're
 falling for phishing then you're possibly also going to
 enter your sync PIN to unlock essentially a device to the
 adversary and the adversary is able to add additional
 passkeys to your account which of course provides them with
 persistent access to your account and then also add
 their own device as a sync target for all of your
 password and passkey data. Interesting attack, and again,
 phishing resistance is important and of course
 specifically important for things like password managers.
 Numerous times in the past I've talked about how Google
 Ads or in general Google search results are used to
 push malicious results and trick users into downloading
 malicious software. Well it turns out that chatbots and
 LLMs are not really exempt from this particular threat,
 and the attackers are somewhat taking advantage of
 this now and are poisoning essentially the results here.
 So a user who may ask a chatbot a question like
 where to download a particular piece of software and
 such may then be fed a malicious result, and Microsoft
 documented a case of just that happening. Now, once in this
 particular case the user installed the malware, it
 actually turned out to be still a useful utility, so it's
 not that the malware was obviously malicious, but it
 still did what it was supposed to do. It just side-loaded a
 malicious DLL that was then used to, well, install a
 ScreenConnect client on the user's system and essentially provide
 the attacker with access to the victim's system. Well, and
 that's it for today. Thanks for listening, thanks for liking
 and recommending this podcast, thanks for subscribing, and if
 you have any feedback please let me know. Thanks, and talk to
 you again tomorrow. Bye.
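The two early indicators the episode highlights for the Akira case, a burst of failed SSL VPN authentications from one source that is eventually followed by a success, and a host that starts running the usual discovery commands (whoami, net view, net use, nltest), are simple to turn into detection logic. The script below is an added example written for this page; it is not code from the ISC diary or from Manuel's write-up. The log line format, the sample events, the field names and the thresholds (20 failures in 10 minutes, 3 distinct discovery commands on one host within an hour) are all constructed assumptions; adapt the parsers to whatever your VPN appliance and endpoint telemetry actually emit.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# --- Constructed sample telemetry (illustrative only, not from the ISC diary) ---
BASE = datetime(2026, 5, 18, 2, 0, tzinfo=timezone.utc)

def _vpn(ts, result, user, src):
    # Assumed syslog-style SSL VPN authentication record.
    return f"{ts.isoformat()} sslvpn auth result={result} user={user} src={src}"

def _ep(ts, host, user, cmd):
    # Assumed endpoint process-creation record.
    return f"{ts.isoformat()} host={host} user={user} cmd={cmd}"

VPN_LOGS = (
    # 25 failures across several usernames from one source in under five minutes,
    # then a successful login from the same source: brute forcing that got lucky.
    [_vpn(BASE + timedelta(seconds=12 * i), "failure", f"user{i % 7}", "203.0.113.5") for i in range(25)]
    + [_vpn(BASE + timedelta(minutes=6), "success", "jsmith", "203.0.113.5")]
    # A legitimate user mistyping a password twice: should stay below the threshold.
    + [_vpn(BASE + timedelta(minutes=8), "failure", "mbrown", "198.51.100.7"),
       _vpn(BASE + timedelta(minutes=9), "failure", "mbrown", "198.51.100.7"),
       _vpn(BASE + timedelta(minutes=10), "success", "mbrown", "198.51.100.7")]
)

ENDPOINT_LOGS = [
    _ep(BASE + timedelta(minutes=20), "WS-042", "jsmith", "whoami"),
    _ep(BASE + timedelta(minutes=21), "WS-042", "jsmith", "net view /domain"),
    _ep(BASE + timedelta(minutes=23), "WS-042", "jsmith", "net use \\\\FS01\\c$"),
    _ep(BASE + timedelta(minutes=24), "WS-042", "jsmith", "nltest /dclist:corp"),
    _ep(BASE + timedelta(minutes=30), "WS-017", "alice", "whoami"),  # a lone whoami is normal
]

VPN_RE = re.compile(r"^(?P<ts>\S+) sslvpn auth result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")
EP_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.+)$")

# Command families that, in combination, indicate hands-on-keyboard discovery.
DISCOVERY_PREFIXES = ("whoami", "net view", "net use", "net group", "nltest", "ipconfig", "nslookup")

def detect_vpn_bruteforce(lines, threshold=20, window=timedelta(minutes=10)):
    """Alert once per source that exceeds `threshold` failures inside a sliding
    `window`, and alert again if that source later authenticates successfully."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        m = VPN_RE.match(line)
        if not m:
            continue
        ts, src = datetime.fromisoformat(m["ts"]), m["src"]
        if m["result"] == "failure":
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "vpn_bruteforce", "src": src, "failures": len(q), "at": ts})
        elif m["result"] == "success" and src in flagged:
            # The high-value signal: the brute force worked.
            alerts.append({"type": "vpn_success_after_bruteforce", "src": src, "user": m["user"], "at": ts})
    return alerts

def detect_discovery(lines, min_distinct=3, window=timedelta(hours=1)):
    """Alert when one host runs at least `min_distinct` different discovery
    command families within `window`."""
    seen = defaultdict(list)        # host -> [(ts, family)]
    alerted = set()
    alerts = []
    for line in lines:
        m = EP_RE.match(line)
        if not m:
            continue
        ts, host, cmd = datetime.fromisoformat(m["ts"]), m["host"], m["cmd"].lower()
        family = next((p for p in DISCOVERY_PREFIXES if cmd.startswith(p)), None)
        if family is None:
            continue
        seen[host] = [(t, f) for t, f in seen[host] if ts - t <= window] + [(ts, family)]
        distinct = {f for _, f in seen[host]}
        if len(distinct) >= min_distinct and host not in alerted:
            alerted.add(host)
            alerts.append({"type": "discovery_burst", "host": host, "user": m["user"],
                           "commands": sorted(distinct), "at": ts})
    return alerts

if __name__ == "__main__":
    for alert in detect_vpn_bruteforce(VPN_LOGS) + detect_discovery(ENDPOINT_LOGS):
        print(alert)
```

Run against the constructed sample, the VPN detector raises one brute-force alert for 203.0.113.5 at the 20th failure and a second, higher-severity alert when the same source logs in successfully a few minutes later, while the two mistyped passwords from 198.51.100.7 stay silent; the endpoint detector fires on WS-042 at the third distinct discovery command and ignores the single whoami on WS-017. The "success after brute force" alert is the one worth paging on: in the case described in the episode it would have fired roughly a week before encryption started.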