SANS Stormcast Friday, June 12th, 2026: Bitlocker Trouble; Ivanti and Oracle Exploited; macOS Malicious Installers

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9970.mp3

Podcast Transcript

Hello and welcome to the Friday, June 12, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in Cyber Security Engineering.

Well, Nightmare Eclipse is at it again. It's not just 0-Day Wednesday, but now also 0-Day Thursday with another attack against BitLocker. And this one actually involves Windows Defender, which is another favorite target of Nightmare Eclipse. So the problem here is that if a victim is starting an unintended virus scan using Windows Defender, and then the attacker is able to trigger a reboot on the system and then go into the Windows recovery environment, the virus scan will start. And that's, well, by design; it's really more a feature than a bug, really. And in that case, then, well, the BitLocker partition will be unlocked because, after all, the virus scan needs access to it. Well, the trick is that this can basically be triggered just by copying a specific XML file to the root partition. It will then be picked up by the Windows Defender process in the recovery state in order to then unlock the BitLocker partition. Interesting vulnerability. And I'm not sure how much this is intended functionality or actually a bug. We'll have to see how it all falls out and what Microsoft's comment will be on this. But yes, yet another reason not to leave your laptops and such unattended and not to rely just on BitLocker to protect your systems.

Well, and on Tuesday, Ivanti published an advisory with patches for two vulnerabilities in Ivanti Sentry. One of the vulnerabilities is an OS command injection vulnerability; it does not require any authentication and does allow access as root to a vulnerable system. So a CVSS score of 10. The second, an authentication bypass vulnerability, well, only comes with a CVSS score of 9.9. But what's really important is that the OS command injection vulnerability is now already being exploited. So definitely get those systems patched. The CISA announcement about the exploit being seen in the wild also has an interesting side note that you can prevent exploitation by configuring mutual TLS. Now, no idea how difficult this is in Ivanti. I've never really used the product, but certainly something that you probably should consider, since this is sort of a common attack surface here and who knows how many vulnerabilities are left to be patched. Well, try to mitigate some of this by implementing mutual TLS to the clients controlled by your Ivanti MDM.

Well, it wasn't very long ago that Oracle started to patch selected high severity vulnerabilities on a monthly scale instead of its usual quarterly schedule. Well, it turns out that these days even monthly isn't fast enough, and Oracle did release a security alert advisory that fixes a remote code execution vulnerability in Oracle PeopleSoft PeopleTools and Oracle PeopleSoft Enterprise applications. Apply this patch now because, well, it's already being exploited. Apparently ShinyHunters is taking advantage of this vulnerability. The Oracle security alert advisory does not note the exploitation, but there are a few other sources that link this vulnerability to a series of recent exploits. So definitely pay attention to this one. In addition to the advisory, I'll also link to an article by BleepingComputer that also does talk a little bit about how this particular vulnerability is already being exploited.

And if you're using and or managing Macs, a great article by Huntress about, well, current trends in Mac malware. It's certainly out there. Now, Mac malware follows a very specific pattern that they're talking about here. You're usually downloading a DMG file, like for any application that you're installing, and then you're just installing this application. And the installer then will typically install malware in addition to some harmless or do-nothing application that is being left to basically make the user believe that everything went well. Well, that particular pattern happens over and over. And this blog post goes over the different techniques that attackers are using here. So real good if you have to investigate one of these attacks or if you're looking at countermeasures to prevent these attacks. Probably the simplest thing you can do is just not automatically mount DMGs that you're downloading. And then, of course, you can also constrain what software could potentially be installed on the system. But more details in this blog post.

Well, that's it for today. So thanks for listening. Thanks for liking and subscribing. And thanks, as always, to anybody attending any classes. In the show notes at the end, I added now a link kind of to classes that I'll teach in the near future. Probably most interesting here is SANSFIRE coming up, about sort of a little bit over a month from now in mid-July. We have this happening in DC. So hope to see some of you there. We also have again this year our Internet Storm Center Command Center, where we have Guy and Jesse talk a little bit about the Internet Storm Center. And then also, of course, talks and such around this topic. So thanks and talk to you again on Monday. Bye.