SANS Stormcast Monday, June 8th, 2026: Wetransfer Phish; Spying Smart TV; Dashlane Brute Force
If the embedded player does not work, the audio file is available directly at: https://traffic.libsyn.com/securitypodcast/9962.mp3
The Evil MSI Background is Back!
https://isc.sans.edu/diary/The%20Evil%20MSI%20Background%20is%20Back!/33054
The Smart TV in Your Living Room Is a Node in the AI-Scraping Economy
https://blog.includesecurity.com/2026/06/the-smart-tv-in-your-livingroom-is-a-node-in-the-aiscraping-economy/
Brute force attack on Dashlane user accounts
https://support.dashlane.com/hc/en-us/articles/36038764990866-Security-advisory-Brute-force-attack-on-Dashlane-user-accounts#update-jun-4
My Upcoming Classes
https://www.sans.org/profiles/dr-johannes-ullrich
| Course | Location | Dates |
|---|---|---|
| Network Monitoring and Threat Detection In-Depth | Online (Arabian Standard Time) | Jun 27th - Jul 2nd 2026 |
| Network Monitoring and Threat Detection In-Depth | Riyadh | Jun 27th - Jul 2nd 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 13th - Jul 18th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Online (British Summer Time) | Jul 27th - Aug 1st 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 21st - Sep 25th 2026 |
| Network Monitoring and Threat Detection In-Depth | Amsterdam | Nov 9th - Nov 14th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 14th - Dec 18th 2026 |
Podcast Transcript
Hello and welcome to the Monday, June 8, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. This episode is brought to you by the SANS.edu graduate certificate program in cybersecurity engineering.

Xavier this weekend wrote up another interesting piece of malware. This one originally starts out with a phishing email claiming to come from WeTransfer. Well, actually, the interesting part here is WeTransfer being the legitimate free file transfer service. The link in the email is actually a legitimate WeTransfer link, only that it goes to the next stage of the downloader, which happens to be JavaScript, and then this JavaScript is being used to execute PowerShell commands, and that'll end you up with an image that looks just like an MSI wallpaper. So they're trying to hide in this generic, relatively well-known brand, so that someone may not notice the Base64-encoded script being appended to the end of the image. It's Base64 encoded, but slightly obfuscated, so it's not easily recognizable, at least by automated scripts, as Base64 encoded. So that's another layer of obfuscation here, which then in the end gets you the ultimate malware downloader. Xavier promised a second diary with a more detailed analysis of just that downloader.

But the lesson here: well, you know, these free services like WeTransfer are heavily abused. They are also taking advantage of some of the Cloudflare resources here, like their .dev links, in order to link to additional files. All of these are legitimate services that you can't outright block because they're often used in applications, and as such, the best you can probably do is pay attention to them. Things like WeTransfer, I'm not sure how often this is used in a corporate environment, but it's definitely something that you keep an eye on, and maybe you can block it if it isn't legitimately used in your environment.
These Cloudflare .dev links are definitely used by developers, so that's definitely something to be aware of, and again, don't just simply block them.

And Include Security published an interesting blog post demonstrating how many applications that you can load on smart TVs are being abused to use said smart TVs as a proxy. There is a company that actually has made this into a business; they're selling an API, and one of their main customers is AI companies that are looking for ways to basically steal more copyrighted data. Many of the IP addresses originate from data centers and as such are being filtered by, for example, Cloudflare, which enables some AI scraping filtering, but using home IP addresses of course bypasses many of these filters, and that, particularly with such a large number of IP addresses, makes it pretty easy for Bright Data to spread out their spidering and scraping to be harder to detect.

Now what Include Security found is that there are a number of specific domains being used here, so as part of the blog post they do publish the host names being used, which you can easily block with DNS. This of course is something that may be subject to change in the future, in particular after a relatively high-profile blog post like this, so it's something to really keep an eye on. There are some versions of this SDK for iOS as well, so mobile devices may be affected by this as well, but the main target appears to be TVs because, well, you know, they're always connected to the internet, and typically they're always connected to power, as Include Security says, and as a result they make it pretty easy to then use them as a proxy.
Also, the software from Bright Data only kicks in once the device is idle, in order to also be essentially less detectable and also less disturbing to the user, which of course may make them disable any software like this if it affects their TV viewing or browsing experience.

And Dashlane published an update on its investigation into a recent brute force attack, and what they stated is that a relatively small number of vaults, like about 20, actually got leaked in this particular attack. Now these are encrypted password vaults, so the attacker still needs to then brute force whatever master key was used to protect the particular vault. The issue that Dashlane was running into is that in order to add a new device to sync with your Dashlane account, someone needs to essentially respond to a six-digit challenge. Well, six digits, that's basically a one in one million chance of getting it right, so if you're trying often enough you'll get a couple of accounts, and that apparently is exactly what happened here. Now they promised additional security measures here; they don't really state exactly what they are, but I could imagine some kind of global rate limits or such to essentially slow down brute forcing across multiple accounts coming from different IP addresses, because that's obviously a challenge when it comes to preventing these kinds of brute force attacks. Maybe also limiting the number of attempts that they're allowing for a particular account within a particular time frame, in order to further slow down the attack.

As a user of these password managers, the biggest problem here is that their economy really depends on cloud sync features, and as long as they offer ways to synchronize devices via the cloud instead of some kind of private system, well, they will end up having to defend authentication to these cloud APIs, and that's not easy, and this is just the latest example of a weakness in these defenses of these public APIs.
Well, and this is it for today. So thanks for listening, thanks for liking, thanks for subscribing, and yeah, if you have any feedback, please let me know. Talk to you again tomorrow. Bye.
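The appended-script trick described in the first item (a script tacked on after the image's own end-of-file marker, Base64 but lightly obfuscated so scanners don't recognise it) can be checked for mechanically. The following is an added example, not code from Xavier's diary, and it does not know the real sample's obfuscation: the `obfuscate()` helper that inserts a `#` every five characters is a stand-in of my own, as are the constructed PNG and JPEG inputs and the harmless `Write-Output` script used as payload. It walks the PNG chunk list to the IEND chunk, or the JPEG marker segments to the EOI of the main scan, and classifies whatever follows.

```python
# Added example (not the ISC diary's code): find bytes appended after a PNG or
# JPEG end marker and triage them as possibly (lightly obfuscated) Base64.
import base64, binascii, struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
B64_ALPHABET = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

def png_end(data: bytes):
    """Offset just past the IEND chunk (including its CRC), or None."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4                        # header + payload + CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None

def jpeg_end(data: bytes):
    """Offset just past the EOI of the main scan, or None. Segments are walked, so
    a 0xFFD9 inside an APP1 payload (an EXIF thumbnail's EOI) is not taken as the end."""
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                           # EOI without any scan
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                                 # standalone markers carry no length
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                           # SOS: entropy-coded data follows;
            end = data.find(b"\xff\xd9", pos)        # 0xFF there is only ever 0xFF00 or RSTn,
            return end + 2 if end != -1 else None    # so the next 0xFFD9 is the real EOI
    return None

def analyze_trailer(trailer: bytes, max_noise: float = 0.2) -> dict:
    """Classify bytes after the image end marker. Bytes outside the Base64 alphabet
    count as noise; if noise is at most max_noise, strip it, re-pad and decode."""
    result = {"trailer_len": len(trailer), "verdict": "clean", "b64_ratio": 0.0, "decoded_preview": b""}
    text = trailer.strip()
    if not text:
        return result
    result["verdict"] = "trailing-data"
    kept = bytes(c for c in text if c in B64_ALPHABET)
    ratio = len(kept) / len(text)
    result["b64_ratio"] = round(ratio, 3)
    if ratio < 1.0 - max_noise:
        return result
    candidate = kept.rstrip(b"=")
    candidate += b"=" * (-len(candidate) % 4)        # re-pad after stripping noise
    try:
        decoded = base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return result
    if not decoded:
        return result
    result["decoded_preview"] = decoded[:64]
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in decoded) / len(decoded)
    if printable >= 0.95:                            # reads as script text
        result["verdict"] = "base64-script" if ratio == 1.0 else "obfuscated-base64-script"
    else:
        result["verdict"] = "base64-trailer"         # decodes, but to binary
    return result

def scan_image(data: bytes) -> dict:
    end = png_end(data) if data.startswith(PNG_SIG) else jpeg_end(data) if data.startswith(JPEG_SOI) else None
    if end is None:
        return {"verdict": "unparsed", "trailer_len": 0}
    return analyze_trailer(data[end:])

# --- constructed inputs; the obfuscation is a stand-in, not the real sample's ----
SAMPLE_SCRIPT = b"Write-Output 'constructed sample'"

def obfuscate(b64: bytes, junk: bytes = b"#", every: int = 5) -> bytes:
    """Hypothetical light obfuscation: one junk byte after every few characters."""
    return b"".join(b64[i:i + every] + junk for i in range(0, len(b64), every))

def sample_trailer(obfuscated: bool = False) -> bytes:
    enc = base64.b64encode(SAMPLE_SCRIPT)
    return obfuscate(enc) if obfuscated else enc

def make_png() -> bytes:
    """Minimal valid 1x1 RGB PNG."""
    def chunk(ctype, payload):
        body = ctype + payload
        return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")        # filter byte + one RGB pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

def make_jpeg(embedded_eoi: bool = False) -> bytes:
    """Marker-level JPEG skeleton (structurally valid, not decodable). With
    embedded_eoi, an APP1 payload carries 0xFFD9 the way an EXIF thumbnail would."""
    app1 = b"\xff\xe1" + struct.pack(">H", 8) + b"Exif\xff\xd9" if embedded_eoi else b""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"                   # stuffed 0xFF00 must not end the scan
    return JPEG_SOI + app1 + app0 + sos + scan + b"\xff\xd9"

if __name__ == "__main__":
    print(scan_image(make_png() + sample_trailer(obfuscated=True)))
```

The robust part is the trailer check itself: a well-formed PNG or JPEG has nothing after IEND or EOI, so any trailing bytes are worth a look whatever they decode to. The Base64 heuristic is only a triage aid; a real sample may use a different alphabet, a reversed string or a UTF-16 payload, so treat `trailing-data` as a finding to inspect, not as a clean result.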
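On the Dashlane item, the two mitigations Johannes speculates about (a per-account attempt cap and a global rate limit across accounts and source IPs) can be put side by side in a small model. This is an added example of my own, not Dashlane's code and not a description of their fix, which they have not published; the service, the window size, the limit values, the account names and the 203.0.113.0/24 addresses are all assumed. The attacker driver rotates 50 IPs and spreads its guesses over 500 accounts inside one window, which is the pattern that defeats a per-IP limit.

```python
# Added example (not Dashlane's code): a six-digit device-add challenge behind
# layered attempt limits, and a distributed guesser run against each policy.
import random
from collections import defaultdict, deque

CODE_SPACE = 10 ** 6              # six decimal digits: one in a million per guess

class DeviceAddChallenge:
    """Sliding-window attempt limits keyed per account, per source IP and
    globally. A limit of None disables that layer."""

    def __init__(self, per_account=None, per_ip=None, global_cap=None, window=60.0, seed=0):
        self.limits = {"acct": per_account, "ip": per_ip, "global": global_cap}
        self.window = window
        self.rng = random.Random(seed)           # fixed seed so runs are repeatable
        self.codes = {}                          # account -> outstanding code
        self.seen = defaultdict(deque)           # limiter key -> attempt timestamps

    def issue(self, account):
        code = self.rng.randrange(CODE_SPACE)
        self.codes[account] = code
        return code

    def _exhausted(self, key, now):
        limit = self.limits[key[0]]
        if limit is None:
            return False
        q = self.seen[key]
        while q and now - q[0] >= self.window:   # drop attempts outside the window
            q.popleft()
        return len(q) >= limit

    def attempt(self, account, guess, ip, now):
        keys = (("acct", account), ("ip", ip), ("global",))
        if any(self._exhausted(k, now) for k in keys):
            return "throttled"
        for k in keys:                           # count every attempt, not only failures
            self.seen[k].append(now)
        if self.codes.get(account) == guess:
            del self.codes[account]              # a code is single use
            return "enrolled"
        return "wrong"

def spray(service, accounts, ips, guesses_per_account, now=0.0):
    """Attacker rotating source IPs and spreading guesses over many accounts
    within a single limiter window."""
    accepted = enrolled = turn = 0
    for account in accounts:
        service.issue(account)
        for guess in range(guesses_per_account):
            outcome = service.attempt(account, guess, ips[turn % len(ips)], now)
            turn += 1
            accepted += outcome != "throttled"
            enrolled += outcome == "enrolled"
    return {"accepted": accepted, "enrolled": enrolled, "expected_enrolled": accepted / CODE_SPACE}

def compare_policies(n_accounts=500, n_ips=50, guesses_per_account=20):
    """Guesses the service actually evaluates under each policy for the same spray;
    expected account takeovers is accepted / CODE_SPACE."""
    accounts = [f"user{i}" for i in range(n_accounts)]
    ips = [f"203.0.113.{i}" for i in range(n_ips)]        # documentation range, assumed
    policies = {
        "none": {},
        "per_ip_100": {"per_ip": 100},
        "per_account_5": {"per_account": 5},
        "per_account_5_global_200": {"per_account": 5, "global_cap": 200},
    }
    return {name: spray(DeviceAddChallenge(**kw), accounts, ips, guesses_per_account)["accepted"]
            for name, kw in policies.items()}

if __name__ == "__main__":
    for name, accepted in compare_policies().items():
        print(f"{name:26s} accepted={accepted:6d} expected takeovers={accepted / CODE_SPACE:.4f}")
```

With 10,000 guesses the per-IP limit only halves what gets evaluated, because the attacker simply rotates addresses; the per-account cap bounds the odds for any one account (5 in a million here) but the attacker compensates by spreading over more accounts; only the global cap bounds the aggregate. A per-account cap is also a denial-of-service lever against legitimate users, so in practice the sensible shape is to invalidate the outstanding code after a few wrong guesses and require a fresh challenge, rather than locking the account outright.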