
SANS Stormcast Thursday, April 30th, 2026: Odd Requests; MSFT LNK Bug Exploited; Secure Boot Fix; TLS Updates; SAP npm malware

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9912.mp3



Podcast Transcript

Hello and welcome to the Thursday, April 30th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Bachelor's Degree Program in Applied Cybersecurity.

In Diaries today, nothing too special. There are two odd web requests that sort of caught my eye and that came in via our honeypots. The first one is a request that appears to be going after the Broadcom API Gateway. I don't think that's an exploit as is. I think it's really more some kind of fingerprinting or reconnaissance scan. Similarly, the second one. The second one is going after what I believe, according to the URL, to be ESP32 devices. I saw something here that this may be used to, like, flash firmware on those devices. If anybody has any more experience with either ESP32 or the Broadcom API Gateway, let me know if there is more to these particular endpoints and whether there could be some kind of attack being performed via just these individual requests.

And then we got an update to Microsoft's Patch Tuesday this month. This update comes from Akamai, in the form of Akamai stating and showing that one of the vulnerabilities being addressed in this month's update had already been exploited before Microsoft actually released the update. This was not indicated in Microsoft's update, so it was not labeled as already exploited. Since then, Microsoft has updated its guidance and now also states that this vulnerability is already being exploited, or had been exploited, before the patch was released. This particular vulnerability is one of those link (LNK) file vulnerabilities. Now, what makes it particularly dangerous is that a victim does not actually have to open the file. It's sufficient to just look at a directory that contains the malicious file, and then, first of all, you have the usual sort of SMB connection outbound that leaks potential credentials, and these credentials can then be used against the victim again. So yes, certainly a bad vulnerability; it has been used by Fancy Bear against Ukraine. Not sure if exploitation has been seen anywhere else before the patch was released. This is also the second attempt Microsoft made to patch this particular vulnerability.

And sticking with Microsoft here for another story. Now, this one is not really a vulnerability story. Instead, it's about the good old Windows Secure Boot certificate, and "old" is the keyword here. Those boot certificates, originally issued in 2011, are going to expire in June of this year. I mentioned this a couple of times before. And of course, many organizations are having a hard time figuring out where these old certificates are being used, and whether or not they have been updated yet. Well, Microsoft updated Microsoft Defender in order to help users find any systems that still need these updates applied. This is particularly geared towards enterprises, which of course may have thousands of systems that need to be inventoried here, and this new feature in Microsoft Defender is supposed to help them.

And a third Microsoft story here, another TLS-related one, or certificate-related one. Well, this one is actually more about using TLS and certificates on the network. Microsoft, in July, is also going to turn off TLS 1.0 and 1.1 for any Exchange POP3 and IMAP4 connections. So yes, you finally must move up all the way to TLS 1.2 and 1.3. This is actually long overdue, and Microsoft has been holding back for good reason, because there was still a significant number of clients that, for whatever reasons, didn't support newer versions of TLS. Guess they're now essentially cutting them off. So if you're still using, in particular, POP3 (I haven't seen it used in quite a while; IMAP4 is still used quite a bit), if you're using either protocol, then make sure that whatever client you're using is able to connect via TLS 1.2 or 1.3.

And no podcast episode these days appears to be complete without some kind of supply chain compromise news. The latest is a set of npm packages that are related to SAP. Now, they're not created by SAP, so they're not official packages in that sense, but they're widely used to interface with SAP. There are a number of security companies that found them. The link I'm going to use is Step Security; they have a pretty comprehensive write-up here, but they're not the only ones that wrote up this compromise. It's the standard brainstorm hook trick that's being used here to execute code on the developer system as these packages are being installed. So that's probably why many of the supply chain security tools these days will actually flag this as malicious.

Well, and this is it for today. Thanks for listening, thanks for liking, thanks for subscribing. And as always, talk to you again tomorrow. Bye.
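As an added example (not code from the podcast or from any of the write-ups it cites), this is the kind of check supply-chain tools apply to the install-hook trick mentioned above: scan a package.json for npm lifecycle scripts that run automatically during install and flag telltale patterns in them. The package name, script commands and pattern list are constructed for illustration.

```python
import json
import re

# npm lifecycle scripts that run automatically as part of "npm install".
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Patterns often seen in install-time droppers; illustrative, not exhaustive.
SUSPICIOUS = [
    (r"\bnode\s+-e\b", "inline node code"),
    (r"\b(curl|wget)\b.*\|\s*(sh|bash)\b", "download piped to shell"),
    (r"\bbase64\b", "base64 decoding"),
    (r"\beval\s*\(", "eval"),
]


def scan_package_json(text: str) -> list[dict]:
    """Return one finding per install-phase lifecycle script, with any
    suspicious patterns that matched. Any install hook is reported, because
    it runs without the developer ever importing the package."""
    pkg = json.loads(text)
    findings = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook not in INSTALL_HOOKS:
            continue
        reasons = [label for pat, label in SUSPICIOUS if re.search(pat, cmd)]
        findings.append(
            {"package": pkg.get("name"), "hook": hook, "command": cmd, "reasons": reasons}
        )
    return findings


# Constructed sample manifest (hypothetical package, not a real compromised one).
SAMPLE = json.dumps({
    "name": "example-sap-client",
    "version": "1.2.3",
    "scripts": {
        "build": "tsc",
        "postinstall": "node -e \"require('child_process').exec("
                       "Buffer.from('...','base64').toString())\"",
        "test": "jest",
    },
})

if __name__ == "__main__":
    for f in scan_package_json(SAMPLE):
        print(f"{f['package']}: {f['hook']} -> {f['command']!r} {f['reasons']}")
```

Running it against a real `node_modules` tree means calling `scan_package_json` on every package.json found there and reviewing any finding with a non-empty reasons list first.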