SANS Stormcast Tuesday, April 21st, 2026: CVE and EPSS; Windows Server 2025 OOB; QEMU Abuse;
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9900.mp3
Handling the CVE Flood With EPSS
https://isc.sans.edu/diary/Handling%20the%20CVE%20Flood%20With%20EPSS/32914
Windows Server 2025 Out of Band Patch
https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#4835
QEMU abused to evade detection and enable ransomware delivery
https://www.sophos.com/en-us/blog/qemu-abused-to-evade-detection-and-enable-ransomware-delivery
Podcast Transcript
Hello and welcome to the Tuesday, April 21st, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Amsterdam, Netherlands. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership.

Well, I already mentioned that we do have this flood of new vulnerabilities that's currently sort of hitting the CVE database, which has caused issues like, for example, NVD no longer being able to really provide enrichment for many of the newly discovered vulnerabilities. So what are some of the alternatives? And we do have an option here by Xavier, the EPSS. EPSS stands for the Exploit Probability Scoring System. And what it attempts to accomplish is to essentially assign a probability to a vulnerability to figure out how likely it is to actually be exploited, which of course then assists you in properly prioritizing this vulnerability. What also makes this interesting is that this is a newer system that was just introduced a few years ago and then updated again three years ago. Well, this system, developed by FIRST, is based on an automatic generation of these EPSS scores. So that makes it sort of more inherently scalable than some of the work that NIST has been doing. So a pretty interesting number that you can add to your vulnerability management process. And to help you out with this, Xavier also demonstrated how to automatically use it to enrich your data. And as an example, Xavier implemented this enrichment in Wazuh. So take a look at the diary and see if this is something that may be useful for your vulnerability management program.

And talking about all the things that can go wrong when you are rolling out patches: well, Microsoft this weekend did release an out-of-band patch for Server 2025 to address issues that were introduced with the security updates released last Tuesday. Apparently some subset of Server 2025 installs did enter a reboot loop after this patch was installed, and for others, well, the patch just didn't apply at all. So in this case, well, take a look at last weekend's update, and you probably want to apply that if you're falling into either group. The uninstalled patch is, of course, particularly tricky because that may easily go unnoticed. So any Windows 2025 user probably should take a look at this particular message from Microsoft to figure out, you know, what group you fall into, or, well, maybe you're one of the lucky ones where the patch just applied fine.

And we've got an interesting blog post by Sophos pointing to some late developments with the Payout King ransomware. This is not new ransomware, but they sort of have some new tricks up their sleeve. And one interesting trick I find is the use of QEMU. QEMU is an open source virtualization and emulation package. So essentially it allows you to run a virtual machine by itself. It's not malicious software. It's actually quite often used for a lot of good purposes. And as such, of course, anti-malware will not necessarily flag it. But by running this virtualization environment, the attacker is then able to actually run a little virtual machine. They're using Alpine, the stripped-down Linux distribution, on your system and hide additional malicious activity inside the virtual machine. Just from using virtual machines all day long in class, well, that often then evades detection because anti-malware, well, endpoint protection does not cover any processes typically happening in a virtual machine, whether it's QEMU, VMware or any other virtualization technology. Within this virtual machine, the attacker then establishes a reverse SSH channel in order to then remotely connect to the virtual machine. And the virtual machine comes preloaded with various attack tools that then can be further used to compromise the system or the rest of your network. So pretty interesting technique.

Definitely watch out for QEMU or any virtualization technology that may be deployed unapproved within your network, and, well, flag it as possibly malicious. But again, this is something that's often used legitimately. So inventory, and knowing where it's needed, where it's legitimately used, is certainly an important task here. Well, that's it for today. So thanks again for listening. Thanks for liking and subscribing to this podcast. And talk to you again tomorrow. Bye.
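As an added example of the EPSS enrichment step the episode describes (this is not code from Xavier's diary or the podcast), the Python below assumes the JSON shape returned by the FIRST EPSS API and uses a constructed response with placeholder CVE ids so it runs offline; the `threshold` cutoff is illustrative, not a FIRST recommendation.

```python
"""Enrich a CVE list with EPSS scores and rank it for patch prioritisation.

Live data would come from the FIRST EPSS API (https://api.first.org/data/v1/epss);
the response below is a constructed sample so the example runs offline.
"""
import json
from urllib.parse import urlencode

EPSS_API = "https://api.first.org/data/v1/epss"

# Constructed sample in the shape the EPSS API returns; the CVE ids are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-2099-0001", "epss": "0.944220", "percentile": "0.999100", "date": "2026-04-20"},
        {"cve": "CVE-2099-0002", "epss": "0.000430", "percentile": "0.112000", "date": "2026-04-20"},
        {"cve": "CVE-2099-0003", "epss": "0.087650", "percentile": "0.941200", "date": "2026-04-20"},
    ],
})


def epss_query_url(cves):
    """Build the batch lookup URL; the API accepts comma-separated CVE ids."""
    return EPSS_API + "?" + urlencode({"cve": ",".join(cves)})


def parse_epss(payload):
    """Turn the API JSON into {cve: {"epss": float, "percentile": float}}."""
    doc = json.loads(payload)
    if doc.get("status") != "OK":
        raise ValueError("EPSS API returned status %r" % doc.get("status"))
    return {row["cve"]: {"epss": float(row["epss"]), "percentile": float(row["percentile"])}
            for row in doc["data"]}


def prioritize(cves, scores, threshold=0.1):
    """Rank CVEs by EPSS, highest first. CVEs the API has not scored are kept
    (you still have to decide about them) but sorted last and labelled 'unscored'.
    Returns tuples of (cve, epss, percentile, label)."""
    rows = []
    for cve in cves:
        s = scores.get(cve)
        if s is None:
            rows.append((cve, None, None, "unscored"))
        else:
            label = "patch-now" if s["epss"] >= threshold else "schedule"
            rows.append((cve, s["epss"], s["percentile"], label))
    # Unscored rows get a key below any real probability so they sort last.
    return sorted(rows, key=lambda r: -1.0 if r[1] is None else r[1], reverse=True)
```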