SANS Stormcast Friday, May 22nd, 2026: Selective HTTP Proxying; More GitHub Repo Trouble; MSFT Defender Patches;

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9942.mp3

Selective HTTP Proxying in Linux
https://isc.sans.edu/diary/Selective%20HTTP%20Proxying%20in%20Linux/33002

Megalodon: Mass GitHub Repo Backdooring via CI Workflows
https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/

MSFT Patches Recent Windows Defender Flaws CVE-2026-41091, CVE-2026-45498, CVE-2026-45584
https://x.com/fabian_bader/status/2057198207243804881

Cisco Secure Workload Unauthorized API Access Vulnerability CVE-2026-20223
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csw-pnbsa-g8WEnuy

Podcast Transcript

Hello and welcome to the Friday, May 22, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. This episode is brought to you by the SANS.edu Graduate Certificate Program in Cyber Security Engineering.

Last week, Rob wrote a diary about a tool called Proxifier. Proxifier is neat because it allows you to intercept traffic with a proxy from specific applications. Of course, that's great for reverse analysis and such. Yes, you could just proxy all traffic, but then of course you have to deal with all the noise that you're getting in addition to the traffic from the application you're interested in. The trick here is that Proxifier only works on Macs and on Windows. Yes, there is sort of an Android version, but those sort of generic Linux versions. I looked into, well, how do you do it in Linux? And as far as I know, there are really sort of three different ways of doing it. Number one, you can set specific environment variables, http_proxy and https_proxy. Many sort of HTTP libraries are looking for these environment variables and will use any proxy. So before starting the application, you just set these environment variables. You can do it a little bit with iptables, but with iptables, you're kind of only able to redirect traffic from a particular user. So you have to make sure that this application, well, it's the only application being run by a particular user. And then I think sort of the neatest and often overlooked feature in Linux is network namespaces, where you can define essentially sort of a custom network configuration for a particular application. And you essentially do this by defining which network interfaces, and then also like custom routing tables and so on are being used in this namespace. And then you assign that namespace to the application, or the application to the namespace. And then the application basically sees a different network environment than the rest of the system. And that again allows you to selectively intercept traffic that emerges from this namespace, or basically in this case, from this application. So yes, you can do it in Linux. Not sure if the Android version of Proxifier can somehow be used in Linux, but that may be probably the easiest solution if that is possible.

Well, in case you thought that, well, you know, today he's not going to talk about any supply chain issues again, sorry, still have to do it. We have another big attack against GitHub repositories, this time not against GitHub itself, but against users of GitHub. Apparently, this attack is using harvested credentials from prior attacks in order to infiltrate specific repositories. Something like 5000 different repositories have so far been affected. Safedep.io has published a good blog post. And I think there's of the ones here that originally came across this attack in order to actually exfiltrate credentials. Well, it basically adds GitHub actions. And these GitHub actions, they have a couple different ways sort of to trigger them, some on each push and pull. So basically, these are fairly noisy GitHub actions. But they also have some more stealthy ones that can be triggered externally. And once, well, you're affected by these, you will basically lose all of your environment variables, your AWS credentials, your Google credentials, your SSH private keys, any kind of API keys, database connection strings, JWTs, PEM private keys, cloud tokens, well, pretty much everything sort of secret on your system. The data is then being exfiltrated to an IP address 216.126.225.129. And well, the author actually is pretty good in sort of disguising themselves by using names like auto-ci or ci-bot or pipeline bot, essentially, you know, names that kind of fit in with a CI/CD pipeline.

And Microsoft released an update for its Windows and Havares platform fixing the recent privilege escalation vulnerabilities that have already been exploited. Red Sun and Undefend are the names for these users. There is nothing really that you have to do as a user. This is an update to the antivirus platform. And it's regularly updated, just like the rules being used by Windows Defender. So it should automatically be already installed on your system. This is not one of those Patch Tuesday updates.

And Cisco released some updates today. One interesting one affects the Cisco Secure Workload. Well, this is a system that essentially allows you to essentially sort of sandbox critical and possibly dangerous or vulnerable payloads. What better way to do it than use a vulnerable system like Secure Workload in order to accomplish this. Apparently, Secure Workload has an authentication bypass vulnerability in the REST API, allowing an unauthorized user to get site admin access. This is a complete 10 on the CVSS scale. So definitely something that you probably want to address, in particular if that REST API that controls Cisco Secure Workload is somewhat exposed.

Well, and this is it for today. So thanks for listening. Thanks for liking. Thanks for subscribing also to this podcast. And if you have any questions, please email me, or if you have any feedback, please let me know. The next podcast will be on Tuesday because Monday is Memorial Day holiday here in the US. So we'll skip Monday. So talk to you again on Tuesday. Bye. Bye.
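The three Linux approaches the episode lists for proxying a single application (http_proxy/https_proxy environment variables, an iptables owner match on one uid, and a dedicated network namespace), written out as an added shell example. This is not code from the ISC diary or from the podcast. The proxy address 127.0.0.1:8080, uid 1001, namespace name and the 10.200.0.0/30 veth addresses are constructed placeholders; the iptables and ip commands need root, so with DRY_RUN=1 (the default) the script prints the commands it would run instead of executing them.

```shell
#!/bin/sh
# Added example (not from the ISC diary or the podcast): three ways to send
# one application's HTTP(S) traffic through a proxy on Linux.
# PROXY_HOST/PROXY_PORT/uid/namespace/addresses below are constructed placeholders.
# With DRY_RUN=1 the commands are printed instead of executed (no root needed).

PROXY_HOST="${PROXY_HOST:-127.0.0.1}"
PROXY_PORT="${PROXY_PORT:-8080}"
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. Environment variables: only works for programs whose HTTP library honours
#    http_proxy/https_proxy (curl, pip, git, Python requests, ...); anything
#    that ignores them, or speaks raw TCP, is not proxied.
proxy_via_env() {
    run env http_proxy="http://$PROXY_HOST:$PROXY_PORT" \
            https_proxy="http://$PROXY_HOST:$PROXY_PORT" \
            no_proxy="localhost,127.0.0.1" "$@"
}

# 2. iptables owner match: redirect outbound port 80/443 connections created by
#    one uid to the proxy's transparent listener. Every process of that user is
#    redirected, so the application should be the only thing running as it.
proxy_via_iptables() {
    uid="$1"
    for port in 80 443; do
        run iptables -t nat -A OUTPUT -p tcp --dport "$port" \
            -m owner --uid-owner "$uid" \
            -j REDIRECT --to-ports "$PROXY_PORT"
    done
}

# 3. Network namespace: the application gets its own interface and routing
#    table whose only exit is a veth pair to the host. All traffic leaving the
#    namespace is the application's, and the host side redirects it to the proxy
#    (the proxy must listen on 10.200.0.1:$PROXY_PORT or on 0.0.0.0).
proxy_via_netns() {
    ns="$1"; shift
    run ip netns add "$ns"
    run ip link add "veth-$ns" type veth peer name "veth-$ns-in"
    run ip link set "veth-$ns-in" netns "$ns"
    run ip addr add 10.200.0.1/30 dev "veth-$ns"
    run ip link set "veth-$ns" up
    run ip -n "$ns" addr add 10.200.0.2/30 dev "veth-$ns-in"
    run ip -n "$ns" link set lo up
    run ip -n "$ns" link set "veth-$ns-in" up
    run ip -n "$ns" route add default via 10.200.0.1
    for port in 80 443; do
        run iptables -t nat -A PREROUTING -i "veth-$ns" -p tcp --dport "$port" \
            -j REDIRECT --to-ports "$PROXY_PORT"
    done
    run ip netns exec "$ns" "$@"
}

# Usage: sh selective_proxy.sh demo   (prints the commands for all three methods)
case "${1:-}" in
    demo)
        proxy_via_env curl -s http://example.com/
        proxy_via_iptables 1001
        proxy_via_netns capture curl -s http://example.com/
        ;;
esac
```

Run with `DRY_RUN=0` (as root, with a proxy already listening on the chosen port) to apply the rules for real; the namespace method is the only one of the three that captures traffic regardless of which library the application uses or which user runs it.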
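A defender-side triage of a repository's GitHub Actions workflow files for the indicators the episode mentions (the exfiltration IP 216.126.225.129 and CI-bot-style workflow names such as auto-ci, ci-bot and pipeline bot), as an added shell example; it is not code from the safedep.io write-up. The trigger events it flags, workflow_dispatch and repository_dispatch, are my assumption about what "can be triggered externally" refers to, and the workflow files in the usage section are constructed samples.

```shell
#!/bin/sh
# Added example (not from the safedep.io post): triage .github/workflows for
# the indicators mentioned in the episode. The IP is the one named in the
# episode; the trigger events are an assumption about "triggered externally".

EXFIL_IP="216.126.225.129"
SUSPECT_NAMES='auto-ci|ci-bot|pipeline[ -]?bot'
EXTERNAL_TRIGGERS='workflow_dispatch|repository_dispatch'

# scan_workflow FILE: print one "finding:" line per indicator; exit 1 if any hit
scan_workflow() {
    f="$1"; hits=0
    if grep -qF "$EXFIL_IP" "$f"; then
        echo "finding: $f references known exfil IP $EXFIL_IP"; hits=$((hits+1))
    fi
    if grep -qiE "^name:[[:space:]]*.*($SUSPECT_NAMES)" "$f"; then
        echo "finding: $f uses a CI-bot-style workflow name"; hits=$((hits+1))
    fi
    if grep -qE "($EXTERNAL_TRIGGERS)" "$f"; then
        echo "finding: $f can be triggered externally (manual/repository dispatch)"; hits=$((hits+1))
    fi
    [ "$hits" -eq 0 ]
}

# scan_repo DIR: scan every workflow under DIR/.github/workflows and print a
# summary line "flagged workflows: N" as the last line of output
scan_repo() {
    total=0
    for f in "$1"/.github/workflows/*.yml "$1"/.github/workflows/*.yaml; do
        [ -f "$f" ] || continue
        if ! scan_workflow "$f"; then total=$((total+1)); fi
    done
    echo "flagged workflows: $total"
}

# Usage: sh scan_workflows.sh /path/to/checkout
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    scan_repo "$1"
fi
```

A hit on the external-trigger check alone is not malicious (many legitimate workflows use workflow_dispatch); it is the combination with an unfamiliar workflow name or a connection to an address outside your own infrastructure that warrants pulling the commit that introduced the file and checking which credential added it.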