Handler on Duty: Jan Kopriva
Threat Level: green
Podcast Detail
SANS Stormcast Friday, July 10th, 2026: Belarus Graffiti Bot @sans_edu; Discontinuing Mac OS Ext. FS; Chrome Update; Rogue Planet Patch
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/10002.mp3
Belarus Graffiti Bot @sans_edu; Discontinuing Mac OS Ext. FS; Chrome Update; Rogue Planet Patch
00:00
My Next Class
Click HERE to learn more about classes Johannes is teaching for SANS
_HELP_ME_ESCAPE_FROM_BELARUS_PLEASE_ [Guest Diary]
https://isc.sans.edu/diary/_HELP_ME_ESCAPE_FROM_BELARUS_PLEASE_%20%5BGuest%20Diary%5D/33130
Apple Discontinuing Support for Encrypted Mac OS Extended disks in macOS 28
https://support.apple.com/en-us/125615
Google Chrome Update
https://chromereleases.googleblog.com/2026/07/stable-channel-update-for-desktop_01162222768.html
Microsoft Patches Rogue Planet Vulnerability CVE-2026-50656
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2026-50656/
My Upcoming Classes
https://www.sans.org/profiles/dr-johannes-ullrich
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 13th - Jul 18th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Online | British Summer Time | Jul 27th - Aug 1st 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 21st - Sep 25th 2026 |
| Network Monitoring and Threat Detection In-Depth | Amsterdam | Nov 9th - Nov 14th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 14th - Dec 18th 2026 |
Podcast Transcript
Hello and welcome to the Friday July 10th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recorded today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in industrial control systems security. As a reminder, of course, next week we'll start with SANSFire. If you see me around in DC during SANSFire, I usually have some Internet Storm Center stickers with me or such. So just look me up and I'll also do a keynote outlining some of the future things that we envision for Internet Storm Center. So that'll be Monday evening. Jason Callahan, one of our undergranted interns, did today contribute a kind of nice interesting diary about what I used to call graffiti bots. So these are bots, business systems that are scanning just the Internet that aren't really sort of attacking buttons that just leave a message behind the logs. And in this particular case, well, it's helped me escape from Belarus, news, please, is the message that's being spread here. It's inside the user agent. It's also as part of the URL that is being used. Now this particular bot looks for HTTP and for SSH. It does attempt a small list of username and passwords when it hits an open SSH or Telnet port. But beyond that really doesn't do much but spread itself. I've had a couple of these in the past that basically just for sort of leaving messages in the logs. Sometimes maybe a cross that scripting exploit has happened in the past. But for the most part, really just know either getting people to talk about a message, which I guess they accomplished here by me covering it. Sometimes also just the URL then hoping that administrators or so will click on it. We had even one bot I haven't seen in quite a while that basically had a message kind of associating it with our Internet Storm Center, kind of implicating us in being the origin of these scans, which of course not ever so often led to an angry email hitting our inbox. And then important update for macOS users. macOS 28 is going to seize support for encrypted macOS extended file system formatted disks. So it only affects the encrypted version of it. Now to put a little bit in perspective, so this is macOS 28, which will not be released this year. This is next year's release. So you have about a year and a half or so until macOS 28 is likely going to hit your systems. Until then, the macOS extended file system format will still be fully supported, including the encrypted version of it. Now beyond that, you may have problems also the current file system, the Apple file system. Well, it was introduced about 10 years ago. So we're talking essentially about systems that were essentially first, you know, created about 10 years ago. Of course, there was a transition period where people may have still used the macOS extended file system format instead of the sort of default Apple file system format. I think one thing to be like careful about this is if you have old backup disks around or maybe they kept some old laptop or such in a closet. I sometimes have done that, you know, just in case you need a file of it. Well, the laptop will, if it's still physically okay, still boot and the file system will all work. But you won't be able to mount these disks. If you just kept the disk, not the actual system, you won't be able to mount these disks to modern systems come macOS 28. So before that, you at least need to decrypt the systems, which you can do non-destructively or even better, you need to copy them over to a more modern file system like an Apple file system. But that of course requires copying the complete content. There's no sort of simple in-place conversion for that. And Google released an update for Google Chrome fixing 27 security vulnerabilities. Now, none of them is already being exploited, which is always a good thing. But what's sort of noteworthy here is the last few updates we had had like hundreds of vulnerabilities. And one of the reasoning that was stated for the large number of vulnerabilities was, well, the use of AI tools and finding these vulnerabilities. Seeing that this time around, we only got 27 vulnerabilities, maybe an indicator that we actually, well, are now tending like to a lower number. So maybe actually, you know, vulnerabilities are getting fixed and we'll end up with less vulnerabilities. I'll give it a couple months to really, you know, come to a conclusion here. But the first hopefully good indicator. And Microsoft released an update to its advisory for the Rogue Planet vulnerability. This was one of those Microsoft Defender privilege escalation vulnerabilities that the Nightmare Eclipse published. It was first noted by Microsoft on June 16th. So a little bit less than a month ago. Well, there is now a patch available for it. The patch comes in the form of an updated scanning engine for Microsoft Defender. So it should be applied automatically by Microsoft Defender. You can also if you want to double check, check the version number of the scanning engine. So it's not a rule update, it's a scanning engine update. But those updates are pretty much continuously. So within a day or so, you should probably have the new scanning engine loaded. Well, and that's it for today. So thanks for listening. Thanks for liking. Thanks for subscribing. Thanks for recommending this podcast and talk to you again on Monday. Bye.





