
SANS Stormcast Monday, April 20th, 2026: Lumma Stealer and Sectop RAT; Windows 0-Day Exploited; NIST NVD Update; FortiSandbox PoC

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9898.mp3



Lumma Stealer infection with Sectop RAT (ArechClient2)
https://isc.sans.edu/diary/Lumma%20Stealer%20infection%20with%20Sectop%20RAT%20%28ArechClient2%29/32904

Three Recent Windows Defender Vulnerabilities Exploited (one 0-day)
https://x.com/HuntressLabs/status/2044882115574091960

FortiSandbox PoC Exploit CVE-2026-39808
https://github.com/samu-delucas/CVE-2026-39808?tab=readme-ov-file

NIST Updates NVD Operations to Address Record CVE Growth
https://www.nist.gov/news-events/news/2026/04/nist-updates-nvd-operations-address-record-cve-growth


Podcast Transcript

Hello and welcome to the Monday, April 20th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Amsterdam, Netherlands. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Fundamentals.

In diaries today we got another reverse analysis and forensics walkthrough by Brad. Brad is talking about Lumma Stealer and Sectop RAT. The way this particular infection starts is sadly the common trick of offering commercial software for free, so basically a cracked version of various Adobe products in this particular case. The user then downloads an actually suspiciously small zip file that then extracts into a rather large, around 800 megabyte, executable. The executable is so large because it's just padded with zeros, and that of course is often used to prevent anti-malware products from scanning it. In this case it may also make the particular executable more plausible, because the user may expect a certain size executable for these products. Now as the user then starts the executable, that's where Lumma Stealer is first installed and then later Sectop RAT. So first credentials are being stolen, and then persistent access is being provided by the remote access tool.

And then we have a series of postings by Huntress Labs to X that explain how they're seeing the three recent vulnerabilities in Windows Defender being exploited. All of these three vulnerabilities were discovered, and proof of concept code was released, by an individual that goes by the name of Nightmare Eclipse. The first vulnerability here is referred to as Undefend. This vulnerability just disables Windows Defender. The second one, Bluehammer, is a remote code execution vulnerability that was patched this month. And the third one, Red Sun, is the remote code execution vulnerability that has so far not been patched. So out of these three vulnerabilities only one is patched, and one of the remaining unpatched vulnerabilities does allow remote code execution and with that essentially privilege escalation. Not too much you can do about this since there's no patch available. Just be aware, and well, hopefully if you are getting compromised this information may help you sort of figure out what exactly happened. Again, these are the two unpatched ones: one disables Windows Defender, the second one is a privilege escalation vulnerability.

Well, it was less than a week ago that we got an update for FortiSandbox from Fortinet, and this was an arbitrary code execution vulnerability and OS command injection vulnerability. We do have a proof of concept for this vulnerability now, so exploitation should be imminent if it's not already ongoing. It's a fairly straightforward and easy to execute exploit. So definitely something that, if you're running across a FortiSandbox system now that hasn't been patched yet, you should assume compromise at this point.

Well, I have been talking about this a couple times before, and it has been widely reported that NIST has had a real hard time keeping up with new vulnerabilities as they're being reported, in order to add them not only to their NVD database but also to then add enrichments, essentially additional data that allows you to better deal with these vulnerabilities. NIST to some extent has now thrown in the towel and states that they're no longer going to attempt to enrich every single vulnerability being reported. Instead they're going to prioritize certain types of software, and well, no surprise, they're mostly dealing with the federal government. So any software that is being used by the federal government will be prioritized. Also software that's already in the known exploited vulnerabilities list will be prioritized. And then there is a group of software that they're defining as, well, critical software, and there is actually an executive order that defines this a little bit better: it's essentially security relevant software, software that runs with elevated privileges, and then also software that deals with operational technology, so OT, essentially industrial control system software. This is no real big surprise, and to some extent it may not really affect that much how you're using the NVD, given that if software is used by the federal government, well, there's a good chance others will use it too. Or if there is widely distributed, widely used software, then yes, the federal government usually uses it. So that should cover most of what I would consider important software that's worthwhile covering and spending the time on actually adding all the details. We'll see how this all goes, and there have been a couple of other efforts, like vulnerability databases put out by the private sector, that stated they'll step in there a little bit and provide their own enrichment. So we'll see where it falls out, and at this point at least we have a solid prioritization of what is being actually enriched, and well, essentially, you know, they can't do it for everything. It's probably only going to get worse with a rush of vulnerabilities being discovered with new AI tools.

Well, and this is it for today. So thanks again for listening, thanks for liking, and thanks for subscribing to this podcast, and talk to you again tomorrow. Bye.
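The Lumma Stealer diary discussed in the transcript describes a small zip that expands to an executable of roughly 800 MB, nearly all of it zero bytes appended to push the file past anti-malware size limits. The script below is an added triage example written for this page; it is not code from the diary, from Brad, or from the podcast. It takes two measurements a practitioner would want on such a sample: the zip's expansion ratio (uncompressed over compressed size, which is extreme for a zero-padded payload) and the length of the trailing run of 0x00 bytes in the extracted file. It also hashes the file with the padding stripped, so that variants that differ only in how many zeros were appended share one hash. The sample "executable", the zip, and the 50% padding threshold are all constructed for the example and scaled down (a few MiB rather than 800 MB); they are assumptions, not artifacts from the diary.

```python
import hashlib
import io
import zipfile

# Constructed sample: a tiny fake "executable" followed by a large run of zero
# bytes, standing in for the padded ~800 MB binary in the diary (scaled down).
FAKE_PE = b"MZ" + b"\x90" * 1000 + b"real code ends here"
PADDED_SAMPLE = FAKE_PE + b"\x00" * (4 * 1024 * 1024)  # 4 MiB of zero padding


def trailing_zero_run(data: bytes, chunk: int = 1 << 20) -> int:
    """Length of the run of 0x00 bytes at the end of data.

    Scans backwards in chunks so an 800 MB file does not need one giant
    rstrip; stops at the first chunk containing a non-zero byte.
    """
    run = 0
    end = len(data)
    while end > 0:
        start = max(0, end - chunk)
        block = data[start:end]
        stripped = block.rstrip(b"\x00")
        run += len(block) - len(stripped)
        if stripped:  # reached a non-zero byte, padding ends here
            break
        end = start
    return run


def stripped_sha256(data: bytes) -> str:
    """SHA-256 over the file with its trailing zero padding removed.

    Padding length is cheap for an attacker to vary; hashing without it lets
    you match samples that differ only in the amount of zeros appended.
    """
    run = trailing_zero_run(data)
    return hashlib.sha256(data[: len(data) - run]).hexdigest()


def zip_expansion_ratio(zip_bytes: bytes) -> float:
    """Total uncompressed size divided by total compressed size of an archive.

    Zero padding compresses almost perfectly under DEFLATE, so a 'suspiciously
    small' zip that extracts to hundreds of MB shows a ratio in the hundreds
    or more, versus low single digits for ordinary installers.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        compressed = sum(i.compress_size for i in infos)
        uncompressed = sum(i.file_size for i in infos)
    return uncompressed / compressed if compressed else float("inf")


def triage(data: bytes, min_padding_ratio: float = 0.5) -> dict:
    """Summarize padding for one extracted file.

    min_padding_ratio is an assumed threshold for this example: flag the file
    when at least half of it is trailing zeros.
    """
    run = trailing_zero_run(data)
    ratio = run / len(data) if data else 0.0
    return {
        "size": len(data),
        "trailing_zero_bytes": run,
        "padding_ratio": ratio,
        "stripped_sha256": hashlib.sha256(data[: len(data) - run]).hexdigest(),
        "suspicious": ratio >= min_padding_ratio,
    }


def build_sample_zip() -> bytes:
    """Constructed archive that mimics the diary's small zip with a padded EXE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("setup.exe", PADDED_SAMPLE)  # hypothetical member name
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_zip()
    print(f"zip size: {len(archive)} bytes, expansion ratio: "
          f"{zip_expansion_ratio(archive):.0f}x")
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        extracted = zf.read("setup.exe")
    for key, value in triage(extracted).items():
        print(f"{key}: {value}")
```

On a real sample, read the extracted file with `open(path, "rb").read()` or, for very large files, adapt `trailing_zero_run` to seek backwards through the file object instead of holding it all in memory. The stripped hash is only a pivot for clustering padded variants; the full-file hash is still what you submit to sandboxes and share in reports.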