SANS Stormcast Monday, June 8th, 2026: Wetransfer Phish; Spying Smart TV; Dashlane Brute Force
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9962.mp3
The Evil MSI Background is Back!
https://isc.sans.edu/diary/The%20Evil%20MSI%20Background%20is%20Back!/33054
The Smart TV in Your Living Room Is a Node in the AI-Scraping Economy
https://blog.includesecurity.com/2026/06/the-smart-tv-in-your-livingroom-is-a-node-in-the-aiscraping-economy/
UPDATE: For the story above, we received a notice from Bright Data's PR team. Please refer to the URL above for updates to the story published by the researcher after the podcast was published. In particular, Bright Data's PR team noted:
"The original researchers who wrote the blog made significant changes and removed parts of their blog for inaccuracies, and that conversation remains ongoing. You can find a record of this in the 'Communication and Action Timeline' section of the blog, which notes two edit dates of May 8 & 11 and cites that the original form of contact was not sufficient, giving us an opportunity to prevent the spread of misinformation.
Edits include this information:
1. A revised Consent/Disclosure Paragraph (CTV Section) edited
2. Bandwidth Description edited
3. Peer Tunnel Security Comparison **REMOVED**
4. Enterprise Security Warning **REMOVED**
5. Testing Setup & Methodology (three claims dropped)
6. Expanded Timeline / Communication Section, which details the changes and that the original method was insufficient"
Brute force attack on Dashlane user accounts
https://support.dashlane.com/hc/en-us/articles/36038764990866-Security-advisory-Brute-force-attack-on-Dashlane-user-accounts#update-jun-4
My Upcoming Classes
https://www.sans.org/profiles/dr-johannes-ullrich
| Course | Location | Dates |
|---|---|---|
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 13th - Jul 18th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Online (British Summer Time) | Jul 27th - Aug 1st 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 21st - Sep 25th 2026 |
| Network Monitoring and Threat Detection In-Depth | Amsterdam | Nov 9th - Nov 14th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 14th - Dec 18th 2026 |
Podcast Transcript
Hello and welcome to the Monday, June 8, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in cybersecurity engineering.

Xavier this weekend wrote up another interesting piece of malware. This one originally starts out with a phishing email claiming to come from WeTransfer. Well, actually the interesting part here is WeTransfer being the legitimate free file transfer service. The link in the email is actually a legitimate WeTransfer link, only that it, well, goes to the next stage of the downloader, which happens to be JavaScript, and then this JavaScript is being used to execute PowerShell commands, and that'll end you up with an image that looks just like an MSI wallpaper. So they're trying to hide in this generic, relatively well-known brand, so that way someone may not notice the Base64 encoded script being appended to the end of the image. It's Base64 encoded, but slightly obfuscated, so it's not easily recognizable, at least by automated scripts, as Base64 encoded. So that's another layer of obfuscation here, which then in the end gets you the ultimate malware downloader. Xavier promised a second diary with a more detailed analysis of just that downloader. But the lesson here, well, you know, these free services like WeTransfer are heavily abused. They are also taking advantage of some of the Cloudflare resources here, like their .dev links, in order to link to additional files. All of these are legitimate services that you can't outright block because they're often used in applications, and as such, well, the best you can probably do is pay attention to them. Things like WeTransfer: I'm not sure how often this is used in a corporate environment, but definitely something that you keep an eye on, and maybe you can block it if it's not legitimately used in your environment. These Cloudflare .dev links are definitely used by developers, so that's definitely something to be aware of, and again, don't just simply block them.

[A story by Include Security about Bright Data was removed by request from Bright Data's PR team. Please refer to the Include Security URL in the show notes for updates.]

Dashlane published an update on its investigation into a recent brute force attack, and they stated that a relatively small number of vaults, about 20, actually got leaked in this particular attack. Now, these are encrypted password vaults, so the attacker still needs to then brute force whatever master key was used to protect the particular vault. The issue that Dashlane was running into is that in order to add a new device to sync with your Dashlane account, someone needs to essentially respond to a six-digit challenge. Well, six digits, it's basically a one in one million chance of getting it right, so if you're trying often enough, you'll get a couple of accounts, and that apparently is exactly what happened here. Now, they promised additional security measures here; they don't really state exactly what they are, but I could imagine some kind of global rate limits or such to essentially slow down brute forcing across multiple accounts coming from different IP addresses, because that's sort of obviously a challenge when it comes to preventing these kinds of brute force attacks. Maybe also limiting the number of attempts that they're allowing for a particular account within a particular time frame in order to further slow down the attack. As a user of these password managers, the biggest problem here is that their economy really depends on cloud sync features, and as long as they offer ways to synchronize devices via the cloud instead of some kind of private system, well, they will end up with having to defend authentication to these cloud APIs, and that's not easy, and that's just the latest example of a weakness in these defenses against these public APIs.

Well, and this is it for today. So thanks for listening, thanks for liking, thanks for subscribing, and yeah, if you have any feedback, please let me know, and talk to you again tomorrow. Bye.
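An added detection example for the "script appended to the end of the image" technique described in the WeTransfer segment (this is not code from the diary or the podcast). It finds bytes that follow a PNG's IEND chunk or a JPEG's end-of-image marker and scores how Base64-like they are; the sample image and the appended payload are constructed here, and the Base64 threshold is an assumed tuning value.

```python
import base64
import string

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"IEND\xaeB`\x82"          # IEND chunk type followed by its fixed CRC
JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
B64_ALPHABET = frozenset((string.ascii_letters + string.digits + "+/=\r\n").encode())


def trailing_data(image: bytes) -> bytes:
    """Bytes after the format's end marker; b'' if the file ends where it should
    or the format is not recognised."""
    if image.startswith(PNG_SIG):
        end = image.find(PNG_IEND)
        return image[end + len(PNG_IEND):] if end != -1 else b""
    if image.startswith(JPEG_SOI):
        # rfind: a text payload cannot contain 0xFF, so the last EOI is the real one
        end = image.rfind(JPEG_EOI)
        return image[end + len(JPEG_EOI):] if end != -1 else b""
    return b""


def base64_ratio(blob: bytes) -> float:
    """Fraction of bytes drawn from the Base64 alphabet (line breaks allowed)."""
    if not blob:
        return 0.0
    return sum(b in B64_ALPHABET for b in blob) / len(blob)


def inspect_image(image: bytes, min_len: int = 64, ratio: float = 0.95) -> dict:
    """Flag an image that carries a sizeable, Base64-looking tail after its end marker."""
    extra = trailing_data(image)
    score = base64_ratio(extra)
    return {"trailing_bytes": len(extra), "base64_ratio": round(score, 3),
            "suspicious": len(extra) >= min_len and score >= ratio}


# Constructed sample: a structurally minimal PNG (signature, dummy IHDR, IEND)
CLEAN_PNG = PNG_SIG + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17 + b"\x00\x00\x00\x00" + PNG_IEND
# Constructed placeholder payload standing in for the appended, encoded script
PAYLOAD = base64.b64encode(b"Write-Host 'constructed placeholder for the stage-two downloader script'")
TAINTED_PNG = CLEAN_PNG + PAYLOAD

if __name__ == "__main__":
    print(inspect_image(CLEAN_PNG))    # no trailing bytes, not suspicious
    print(inspect_image(TAINTED_PNG))  # Base64-looking tail, suspicious
```

A lightly obfuscated payload (as in the diary) lowers the ratio, so in practice also alert on any trailing data above a size threshold, not only on a clean Base64 score.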
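An added example for the Dashlane segment (not Dashlane's code, and not from the podcast): the per-account and global sliding-window limits on six-digit challenge attempts that the host speculates about, plus the expected-success arithmetic behind "one in one million". Limit values, window sizes and the `ChallengeGuard` name are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

CODE_SPACE = 10 ** 6  # a six-digit challenge has one million possible values


def expected_successes(total_attempts: int, code_space: int = CODE_SPACE) -> float:
    """Expected number of correct guesses when an attempt budget is spread over
    many accounts and each guess has a 1/code_space chance of being right."""
    return total_attempts / code_space


class ChallengeGuard:
    """Two sliding windows over verification attempts: a per-account cap slows an
    attack on one account, a global cap slows an attack sprayed across many
    accounts from many source IPs, which a per-IP limit alone would not catch."""

    def __init__(self, per_account: int = 5, account_window: float = 900.0,
                 global_limit: int = 1000, global_window: float = 60.0) -> None:
        self.per_account, self.account_window = per_account, account_window
        self.global_limit, self.global_window = global_limit, global_window
        self._account: dict[str, deque] = defaultdict(deque)  # account -> attempt times
        self._global: deque = deque()                           # all attempt times

    @staticmethod
    def _prune(times: deque, now: float, window: float) -> None:
        while times and times[0] <= now - window:
            times.popleft()

    def allow(self, account: str, now: float) -> bool:
        """Record one attempt and return True, or return False (without recording)
        when either window is full; a False caller should reject before comparing codes."""
        acct = self._account[account]
        self._prune(acct, now, self.account_window)
        self._prune(self._global, now, self.global_window)
        if len(acct) >= self.per_account or len(self._global) >= self.global_limit:
            return False
        acct.append(now)
        self._global.append(now)
        return True


def simulate_spray(guard: ChallengeGuard, accounts: int, per_account: int, now: float) -> int:
    """Constructed scenario: one guess-per-account spray; returns how many attempts got through."""
    return sum(guard.allow(f"user{i}", now) for i in range(accounts) for _ in range(per_account))


if __name__ == "__main__":
    print(expected_successes(20_000_000))  # 20 million guesses -> about 20 accounts
    print(simulate_spray(ChallengeGuard(global_limit=50), accounts=100, per_account=1, now=0.0))
```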