Podcast Detail

SANS Stormcast Friday, July 10th, 2026: Belarus Graffiti Bot @sans_edu; Discontinuing Mac OS Ext. FS; Chrome Update; Rogue Planet Patch

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/10002.mp3

Podcast Logo
Belarus Graffiti Bot @sans_edu; Discontinuing Mac OS Ext. FS; Chrome Update; Rogue Planet Patch
00:00

My Next Class

Click HERE to learn more about classes Johannes is teaching for SANS

Podcast Transcript

 Hello and welcome to the Friday July 10th, 2026 edition
 of the SANS Internet Storm Center's Stormcast. My name is
 Johannes Ullrich, recorded today from Jacksonville,
 Florida. And this episode is brought to you by the SANS.edu
 graduate certificate program in industrial control systems
 security. As a reminder, of course, next week we'll start
 with SANSFire. If you see me around in DC during SANSFire,
 I usually have some Internet Storm Center stickers with me
 or such. So just look me up and I'll also do a keynote
 outlining some of the future things that we envision for
 Internet Storm Center. So that'll be Monday evening.
 Jason Callahan, one of our undergranted interns, did
 today contribute a kind of nice interesting diary about
 what I used to call graffiti bots. So these are bots,
 business systems that are scanning just the Internet
 that aren't really sort of attacking buttons that just
 leave a message behind the logs. And in this particular
 case, well, it's helped me escape from Belarus, news,
 please, is the message that's being spread here. It's inside
 the user agent. It's also as part of the URL that is being
 used. Now this particular bot looks for HTTP and for SSH. It
 does attempt a small list of username and passwords when it
 hits an open SSH or Telnet port. But beyond that really
 doesn't do much but spread itself. I've had a couple of
 these in the past that basically just for sort of
 leaving messages in the logs. Sometimes maybe a cross that
 scripting exploit has happened in the past. But for the most
 part, really just know either getting people to talk about a
 message, which I guess they accomplished here by me
 covering it. Sometimes also just the URL then hoping that
 administrators or so will click on it. We had even one
 bot I haven't seen in quite a while that basically had a
 message kind of associating it with our Internet Storm
 Center, kind of implicating us in being the origin of these
 scans, which of course not ever so often led to an angry
 email hitting our inbox. And then important update for
 macOS users. macOS 28 is going to seize support for encrypted
 macOS extended file system formatted disks. So it only
 affects the encrypted version of it. Now to put a little bit
 in perspective, so this is macOS 28, which will not be
 released this year. This is next year's release. So you
 have about a year and a half or so until macOS 28 is likely
 going to hit your systems. Until then, the macOS extended
 file system format will still be fully supported, including
 the encrypted version of it. Now beyond that, you may have
 problems also the current file system, the Apple file system.
 Well, it was introduced about 10 years ago. So we're talking
 essentially about systems that were essentially first, you
 know, created about 10 years ago. Of course, there was a
 transition period where people may have still used the macOS
 extended file system format instead of the sort of default
 Apple file system format. I think one thing to be like
 careful about this is if you have old backup disks around
 or maybe they kept some old laptop or such in a closet. I
 sometimes have done that, you know, just in case you need a
 file of it. Well, the laptop will, if it's still physically
 okay, still boot and the file system will all work. But you
 won't be able to mount these disks. If you just kept the
 disk, not the actual system, you won't be able to mount
 these disks to modern systems come macOS 28. So before that,
 you at least need to decrypt the systems, which you can do
 non-destructively or even better, you need to copy them
 over to a more modern file system like an Apple file
 system. But that of course requires copying the complete
 content. There's no sort of simple in-place conversion for
 that. And Google released an update for Google Chrome
 fixing 27 security vulnerabilities. Now, none of
 them is already being exploited, which is always a
 good thing. But what's sort of noteworthy here is the last
 few updates we had had like hundreds of vulnerabilities.
 And one of the reasoning that was stated for the large
 number of vulnerabilities was, well, the use of AI tools and
 finding these vulnerabilities. Seeing that this time around,
 we only got 27 vulnerabilities, maybe an
 indicator that we actually, well, are now tending like to
 a lower number. So maybe actually, you know,
 vulnerabilities are getting fixed and we'll end up with
 less vulnerabilities. I'll give it a couple months to
 really, you know, come to a conclusion here. But the first
 hopefully good indicator. And Microsoft released an update
 to its advisory for the Rogue Planet vulnerability. This was
 one of those Microsoft Defender privilege escalation
 vulnerabilities that the Nightmare Eclipse published.
 It was first noted by Microsoft on June 16th. So a
 little bit less than a month ago. Well, there is now a
 patch available for it. The patch comes in the form of an
 updated scanning engine for Microsoft Defender. So it
 should be applied automatically by Microsoft
 Defender. You can also if you want to double check, check
 the version number of the scanning engine. So it's not a
 rule update, it's a scanning engine update. But those
 updates are pretty much continuously. So within a day
 or so, you should probably have the new scanning engine
 loaded. Well, and that's it for today. So thanks for
 listening. Thanks for liking. Thanks for subscribing. Thanks
 for recommending this podcast and talk to you again on
 Monday. Bye.