
SANS Stormcast Tuesday, April 28th, 2026: More TeamPCP; Citrix XenServer Unpatched Vulns; Phantom RPC;

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9908.mp3



Podcast Transcript

Hello and welcome to the Tuesday, April 28, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Industrial Control System Security.

Ken today wrote a quick update on the latest developments in TeamPCP-style attacks, and of course one of the big developments last week was Checkmarx and a couple of the other companies affected by this, Bitwarden. I mentioned both last week. Now for Checkmarx there is one kind of interesting new development: that apparently the entire GitHub repository was leaked as part of the attack. They don't state how severe this is, if there are any secrets in this GitHub repository or not. But they do state that this all is really sort of just a follow-on, left over from an attack that started March 23rd, so about a month ago. They wrote back then about this attack on March 23rd, but now they basically linked those two attacks, and yes, that's sort of one of the big news items here. Just in general, as far as, you know, the current state of supply chain attacks goes, we also have a new blog post by socket.dev, and they're writing about 73 different OpenVSX extensions that they found that basically linked to GlassWorm, which is, well, a typical credential exfiltration. So again, you know, more opportunities here for developers to lose their credentials, and with that sort of new entry points being found by attackers for additional supply chain attacks. Once they hit a developer for a major package, then of course they can start the cycle all over again.

Well, we have some bad news for users of Citrix XenServer, or XAPI, which is the API that comes with XenServer. Researcher Jakob Wolfheckel did release a blog post outlining 89 different vulnerabilities that Jakob discovered in Citrix XenServer. There has been very limited notice provided to the XCP-ng project, which is the open source implementation of this. There was no notice really provided about this, so there are also no patches or anything available from Citrix themselves. In part this was due to some of the prior behavior of the Cloud Software Group, which is the private equity fund that owns Citrix XenServer, by not acknowledging researchers or really trying to downplay vulnerabilities. Remember, for example, the famous Citrix Bleed, which sort of keeps reoccurring, in part because, well, essentially the same vulnerability exists in several spots of the code, and, well, the Cloud Software Group hasn't really sort of gotten around or put the resources behind actually finding these vulnerabilities more proactively. Overall, as a user of Citrix XenServer, well, hopefully there will be an update available soon, but at this point really the best thing you can do probably is limit access to the API and with that hopefully, well, reduce at least the likelihood of being compromised. On the other hand, the blog post by Jakob also points out that you should assume compromise, as these vulnerabilities have been around basically since the beginning of Citrix XenServer and, well, weren't really all that terribly difficult to find. There is no note here, as far as I have been seeing it, about any use of AI or so in finding these vulnerabilities. They seem to have been found, well, in such a good old-fashioned way.

But, well, it's not just Citrix users that have to worry about unpatched vulnerabilities being disclosed. We also have a blog post by Kaspersky that discloses an architectural issue with Windows RPC. They're calling it Phantom RPC. So RPC services are dealing with a lot of these sort of system background kind of stuff in Windows and have the ability to act as another user. That's being abused here by providing a non-existing RPC service. So exactly what happens here is that a client may try to reach out to an RPC service that, for whatever reason, does not exist. The attacker is establishing a malicious version of that RPC service and then essentially tricking the client connecting to it to execute code as another user. That's sort of the overall trick here. There is of course a lot more behind this; if you're interested in the details, take a look at the blog post. It's a privilege escalation vulnerability. So nothing sort of remote code execution or such that we had of course in RPC services before. But still an interesting vulnerability, and we'll have to see how Microsoft will address this, given that currently there's sort of no provision to actually better authenticate any of the RPC services. And they have been around forever. So there's also a huge backward compatibility problem here.

Well, and that's it for today. Also a vulnerability I didn't get to cover in Pi-hole. So definitely get that patched. And also a privilege escalation vulnerability in Linux. But it doesn't sound as severe as Phantom RPC. So that's it for today. And talk to you again tomorrow. Bye.