SANS Stormcast Monday, May 4th, 2026: Malicious Homebrew Ads; Wireshark Update; Digicert False Positive; cPanel Exploited

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9916.mp3


Podcast Transcript

Hello and welcome to the Monday, May 4th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Industrial Control Systems Security.

And in diaries today, we got one of the excellent malware analysis diaries from Brad. Brad walks us here through an infection with MacSync Stealer. Now, what makes this particular attack so successful likely is that, well, it takes full advantage of the entire Google ecosystem. It starts out with a paid ad on Google. If you're searching for Homebrew, you may be seeing links for this particular malicious version of Homebrew, which is then also hosted within Google's pages infrastructure. So the only URL you're seeing here is business.google.com, which of course is often not considered malicious. Now, if the user then clicks on this link, they're then being sent to a fake Homebrew page. Now, if you're not familiar with Homebrew, Homebrew is essentially a system that allows you to easily install various open source tools. So it's very commonly used by Mac users. And the page here looks very much like the real thing, only that this one, of course, is hosted within sites.google.com. Now, just like in the real Homebrew, you're then being asked to sort of copy-paste a shell script in order to execute the installer. Now, the real version is not obfuscated like the one here. Here, you're then basically pasting a base64-encoded string that then leads to execution and will then download additional tools, including the malware in the end. Now, there are a number of different warnings that you are probably getting. So definitely something that's not low friction, really. But then again, it's still fairly easy for a victim to overlook this and go through with the install of this MacSync Stealer. As often, Brad has released all the packet captures and, of course, links to various tools and such that are being downloaded here on VirusTotal. The initial script is not well detected. It may get detected by this sort of new ClickFix fix that Apple has implemented. But of course, that depends on how you're using your system. If you're routinely copy-pasting into the terminal, then this may not trigger here. Since these tools are particularly for users that often use the terminal and such, it is probably not going to get detected here on many systems. And then, of course, many of the malware pieces that are being downloaded here are hosted on, well, legitimate websites that are just compromised.

Well, then we have a new version of Wireshark, 4.6.5. I usually don't sort of highlight new releases of Wireshark. They often do fix vulnerabilities. What's different about this release? Well, actually, two things are sort of different here. Number one, that this particular version does include fixes for vulnerabilities discovered recently by AI tools the developers used. So we have a total of 43 different vulnerabilities being addressed here. Some of these vulnerabilities may be exploitable for code execution. So definitely something that you want to take care of. Now, I usually don't like it when products release sort of a big security update like this, and then they also make some changes sort of to the UI. In this particular case, I sort of actually understand it. They changed the startup page a little bit and added sort of a more prominent ad for SharkFest, which is sort of a conference that the Wireshark people are running, and also a donation button. And I have to admit, I've been using Wireshark probably just sort of since it came out, like in the late 90s, definitely when it was still called Ethereal back in the day, and wasn't even aware that they were looking for donations. And it's such a useful tool. So if you're using it regularly, well, give them a little bit of money to support the development.

And this weekend, there were multiple reports that Microsoft Defender for Endpoint did mark certain sort of authority certificates from DigiCert as malicious and removed them in some cases from systems. So these were pre-installed sort of authority certificates. And this was quickly dismissed sort of as a false positive, which it was, but there is a little bit more to the story that I just want to point out. So in this particular case, DigiCert did file a bug report with the sort of authority program. Now, a bug report here is really just meant sort of to communicate any issues with the sort of authority program. It's not necessarily sort of a classic bug. In this case, it was actually a compromise of DigiCert. Some systems within DigiCert got compromised by malware, and 60 different certificates were issued by the malicious actor and subsequently then revoked. All of these certificates were signed by these sort of authority certificates that are now being here marked as malicious. It's likely more sort of a mistake on Microsoft's end that they marked these sort of authority certificates as malicious, not the individual certificates. Again, the revocation, if it worked, should have taken care of these 60 certificates by now, hopefully anyway, even though the latest update here was just a couple of days ago. Actually, a pretty good bug report, because it's an interesting compromise here in that some of the endpoint defenses that DigiCert here had in place had failed.

And for anybody running cPanel to manage their servers, be aware there is an already widely exploited vulnerability going around here, compromising cPanel. Patches have been released, so please now refer to the cPanel.net page for any details regarding the patch. cPanel, as far as I know, has an auto-update feature that should protect you here, but please double check since, yes, the exploit is widely available. So definitely it's one of those cases where you want to assume compromise if you have cPanel exposed. cPanel is particularly sort of problematic because it's often used by virtual hosting companies and such to provide customers access to servers. So a particular cPanel instance may have a large number of different websites behind it, and they are now all exposed due to this vulnerability.

Well, and this is it for today. So thanks for listening. Thanks for liking. Thanks for subscribing. And as always, talk to you again tomorrow. Bye.
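As an added defender-side example (not from the podcast or from Brad's diary), a small Python check that inspects a pasted "installer" one-liner of the kind described above and flags it when it decodes a base64 string into a shell or fetches from a host other than where the genuine Homebrew installer lives; the trusted-host list and the suspicious sample command are assumptions constructed for the example.

```python
import base64
import re
import shlex
from urllib.parse import urlparse

# Hosts the genuine Homebrew install one-liner fetches from. The real command is:
#   /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# The set itself is an assumption for this example; adjust to your own allow-list.
TRUSTED_INSTALL_HOSTS = {"raw.githubusercontent.com", "brew.sh"}

# A decode-then-execute chain: `base64 -d/-D/--decode` piped into a shell, or an
# eval over something that was base64-decoded.
DECODE_EXEC = re.compile(
    r"base64\s+(-d|-D|--decode)\b.*\|\s*(ba|z|)sh\b|eval\s+.*base64", re.S)
URL_RE = re.compile(r"https?://[^\s\"')]+")

GENUINE_BREW_INSTALL = (
    '/bin/bash -c "$(curl -fsSL '
    'https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"')
# Constructed sample: base64 of the harmless string "echo hello" piped into bash,
# mimicking the obfuscated paste-and-run step of the fake installer page.
CONSTRUCTED_PASTE = "echo ZWNobyBoZWxsbw== | base64 -d | bash"


def analyze_paste(cmd: str) -> dict:
    """Classify a pasted one-liner; returns findings for a human to review."""
    findings = []
    if DECODE_EXEC.search(cmd):
        findings.append("decodes base64 and executes the result")
    for url in URL_RE.findall(cmd):
        host = (urlparse(url).hostname or "").lower()
        if host not in TRUSTED_INSTALL_HOSTS:
            findings.append(f"fetches from untrusted host {host}")
    # Reveal what a decode-then-execute chain would actually run, if we can.
    decoded = None
    try:
        tokens = shlex.split(cmd)
    except ValueError:  # unbalanced quotes in the paste; still report the rest
        tokens = cmd.split()
    for tok in tokens:
        if len(tok) >= 16 and re.fullmatch(r"[A-Za-z0-9+/=]+", tok):
            try:
                decoded = base64.b64decode(tok, validate=True).decode("utf-8", "replace")
            except (ValueError, UnicodeDecodeError):
                pass
    return {"suspicious": bool(findings), "findings": findings, "decoded": decoded}


if __name__ == "__main__":
    for sample in (GENUINE_BREW_INSTALL, CONSTRUCTED_PASTE):
        print(sample, "->", analyze_paste(sample))
```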