
SANS Stormcast Thursday, February 19th, 2026: Malware Image Reuse; Dell RecoverPoint; Admin Center Vuln; DNS-PERSIST-01

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9816.mp3


Tracking Malware Campaigns With Reused Material
https://isc.sans.edu/diary/Tracking%20Malware%20Campaigns%20With%20Reused%20Material/32726

From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day
https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day

Windows Admin Center Elevation of Privilege Vulnerability CVE-2026-26119
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26119

DNS-PERSIST-01: A New Model for DNS-based Challenge Validation
https://letsencrypt.org/2026/02/18/dns-persist-01.html

Defending Web Apps
https://www.sans.org/cyber-security-courses/application-security-securing-web-apps-api-microservices

Podcast Transcript

Hello and welcome to the Thursday, February 19th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Industrial Control System Security.

Well, Xavier continues to be on a roll this week with yet another piece of malware to analyze. And in this case, it's actually a nice example of how to combine different pieces of malware with certain actors. A week or so ago, Xavier did already talk about a piece of malware that used an MSI wallpaper as part of its payload. Now, in that particular case, it was really just used sort of to basically have an image to attach the code to. So the image itself, that wallpaper, could have been any other image. But what Xavier found is that there's other malware that uses exactly the same image, suggesting that it was created by the same actor. It also uses some other similar techniques, such as the malware that Xavier covered in the past. And overall, Xavier found a few hundred submissions to VirusTotal that included this image, not all of them being labeled as malicious. And that's where it gets interesting: whether or not you should add something benign like this image to some form of signature. Maybe it's interesting to sort of highlight certain samples and maybe look at them in more detail, or include it as part of a signature. Of course, not necessarily as the only signature to look for malicious activity.

And yesterday, Dell released an update for RecoverPoint for Virtual Machines. This update is fixing a fixed credential vulnerability. So nothing really all too special here, just your usual backdoor in enterprise software. But what makes it sort of even more interesting is that Google published a blog post stating that they have seen exploitation of this particular vulnerability for a few months now. So if you do have any exposed Dell RecoverPoint for Virtual Machines systems out there, well, you definitely want to take a look. This system is Tomcat-based, so attackers will typically then add web shells to it. Another interesting thing that Google has observed is that in order to evade detection, the attacker is setting up new network interfaces on the virtual machine and using that then to communicate and also do some lateral movement inside the network. Also some interesting iptables rules that are being added to the system in order to sort of provide simple semi-authenticated access to the vulnerable system for an attacker even after the vulnerability should be patched. So definitely take a look at the systems if you have them. Make sure they're not already compromised. So don't just blindly patch and move on.

Another little bit odd security update from Microsoft. This one sort of came out of order. It's for Windows Admin Center and fixes an elevation of privilege vulnerability. Apparently not yet exploited, but Microsoft does suggest that exploitation of this vulnerability would be likely. Now elevation of privilege here doesn't mean necessarily that you get access to like SYSTEM or administrator, but you get access to whatever user is executing the application. And I believe they're referring here to the Windows Admin Center application. So an updated patch is available, but I'm not 100% sure why this was sort of released as a special patch.

And Let's Encrypt is going to introduce a new method in order to update your certificates. This one is interesting. It's DNS-based. Now you may be familiar with DNS-01. That's the method that I personally prefer. You basically publish a specific DNS record and, well, then you use that to authenticate that you have control over the domain. This is only like short-lived. Each time you need a new certificate, you must again update that DNS record. And of course that leads often to complications, trying to keep your DNS zone updated and also distributing necessary API key material that you may need in order to keep everything up to date. The Certificate Authority Browser Forum and other standards bodies like IETF have now published a variation of this method, DNS-PERSIST-01. This method does allow you to publish a specific DNS record, and it can then be used for long-term authentication in order to verify that you control the domain. It's linked to the particular account that you have set up with Let's Encrypt or whatever sort of authority you're using. This is not Let's Encrypt specific, but as far as I know, Let's Encrypt is the first one to actually use this method. So you don't have to constantly update your DNS zone. Now you may, as an option, add some expiration date to the record. So that way it will only be valid for a certain limited time. You can also allow or not allow wildcard certificates to be issued based on that authentication. So that's supposed to make things a lot simpler. And remember, we are moving towards shorter and shorter certificate lifetimes. In particular, Let's Encrypt is pushing that fairly aggressively. So by reducing some of the friction and also the fragility of the update process, things will probably become in the end more secure.

Well, that's it for today. Thanks for liking. Thanks for recommending this podcast and sharing it on social media. And by the way, if you're interested still in the Orlando event where I'll be teaching our Defending Web Applications class, there is now a special where you actually get the free on-demand version. So if you don't like me, you'll have then also Jason Lam teach you the material as part of the online on-demand version of the material that you'll get for free. So two instructors, one price. And that's it for today. Talk to you again tomorrow. Bye.
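The first story raises a practical triage question: a reused artifact such as an embedded wallpaper image is a useful pivot across samples, but on its own it also matches benign files, so it should flag samples for review rather than serve as the sole detection. The script below is an added illustration of that workflow and is not code from the ISC diary or the podcast. It carves the first embedded PNG out of each sample, clusters samples by the SHA-256 of that carved image, and then only labels a sample "likely related" when the shared image co-occurs with a second, campaign-specific artifact. The sample names, the byte blobs, and the secondary marker string are all constructed for the demonstration; the PNG carving relies only on the public PNG signature and the IEND trailer.

```python
from __future__ import annotations

import hashlib
from collections import defaultdict

# Public PNG framing: 8-byte signature at the start, IEND chunk at the end.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PNG_END_TAG = b"IEND"
PNG_END_CHUNK = b"\x00\x00\x00\x00" + PNG_END_TAG + b"\xaeB`\x82"  # length, tag, CRC


def carve_png(data: bytes) -> bytes | None:
    """Return the first embedded PNG in `data`, or None if there is none.

    The carved slice runs from the signature through the IEND chunk, which is
    the 4-byte length, the 'IEND' tag and a 4-byte CRC (8 bytes past the tag).
    """
    start = data.find(PNG_MAGIC)
    if start < 0:
        return None
    end_tag = data.find(PNG_END_TAG, start)
    if end_tag < 0:
        return None
    return data[start : end_tag + len(PNG_END_TAG) + 4]


def image_hash(data: bytes) -> str | None:
    """SHA-256 of the carved image, the value used to pivot across samples."""
    png = carve_png(data)
    return hashlib.sha256(png).hexdigest() if png else None


def cluster_by_image(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Group sample names by the hash of the image they embed."""
    clusters: dict[str, list[str]] = defaultdict(list)
    for name, blob in samples.items():
        h = image_hash(blob)
        if h:
            clusters[h].append(name)
    return dict(clusters)


def triage(sample: bytes, pivot_hash: str, secondary_marker: bytes) -> str:
    """Decide what the image match means for one sample.

    The image hash alone only earns 'review' (benign files can carry the same
    picture); a second campaign-specific artifact raises it to 'likely related'.
    """
    if image_hash(sample) != pivot_hash:
        return "no match"
    return "likely related" if secondary_marker in sample else "review"


# --- constructed test corpus (not real samples) ------------------------------
def make_png(pixels: bytes) -> bytes:
    """Constructed stand-in for a PNG: signature, opaque body, IEND trailer."""
    return PNG_MAGIC + pixels + PNG_END_CHUNK


WALLPAPER = make_png(b"reused-wallpaper-pixels")       # the image shared across a campaign
OTHER_IMAGE = make_png(b"unrelated-picture-pixels")
MARKER = b"cfg=launcher.v2"  # constructed stand-in for a second, campaign-specific string
WALLPAPER_HASH = image_hash(WALLPAPER)

SAMPLES: dict[str, bytes] = {
    "dropper_a.bin": b"MZ\x90\x00" + WALLPAPER + MARKER + b"\x00" * 8,
    "dropper_b.bin": b"MZ\x90\x00" + b"\x00" * 16 + WALLPAPER + MARKER,
    "benign_tool.bin": b"MZ\x90\x00" + WALLPAPER + b"about=screensaver",
    "unrelated.bin": b"MZ\x90\x00" + OTHER_IMAGE,
    "no_image.bin": b"MZ\x90\x00" + b"plain text only",
}


def triage_corpus(samples: dict[str, bytes]) -> dict[str, str]:
    """Triage every sample against the wallpaper pivot."""
    return {name: triage(blob, WALLPAPER_HASH, MARKER) for name, blob in samples.items()}


if __name__ == "__main__":
    for h, names in cluster_by_image(SAMPLES).items():
        print(f"image {h[:12]}...: {', '.join(names)}")
    for name, verdict in triage_corpus(SAMPLES).items():
        print(f"{name:16s} {verdict}")
```

Running it shows three samples clustering on the wallpaper hash, but only the two that also carry the secondary marker are labelled "likely related"; the benign tool sharing the same picture lands in "review", which is the distinction the diary is drawing between a pivot and a signature.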