
SANS Stormcast Thursday, April 2nd, 2026: Script Removing ADS/MotW; Google Chrome 0-Day; iOS/iPadOS 18 Update;

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9876.mp3


My Next Class


Malicious Script That Gets Rid of ADS
https://isc.sans.edu/diary/Malicious%20Script%20That%20Gets%20Rid%20of%20ADS/32854

Google Chrome Update fixes 21 Vulnerabilities and 0-Day
https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_31.html

Apple Addresses Darksword Vulnerabilities for older devices
https://support.apple.com/en-us/126793

- Network Monitoring and Threat Detection In-Depth | Amsterdam | Apr 20th - Apr 25th 2026
- Application Security: Securing Web Apps, APIs, and Microservices | San Diego | May 11th - May 16th 2026
- Network Monitoring and Threat Detection In-Depth | Online (Arabian Standard Time) | Jun 20th - Jun 25th 2026
- Network Monitoring and Threat Detection In-Depth | Riyadh | Jun 20th - Jun 25th 2026
- Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 13th - Jul 18th 2026
- Application Security: Securing Web Apps, APIs, and Microservices | Online (British Summer Time) | Jul 27th - Aug 1st 2026
- Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 21st - Sep 26th 2026

Podcast Transcript

Hello and welcome to the Thursday, April 2nd, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Orlando, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Industrial Control Systems Security.

And Xavier today looked at an interesting malicious script that, in order to obtain persistence, did write a file to the file system, but then removed the zone identifier from the file. I've talked about this quite often already, the mark of the web. That appears to be the intent here. The zone identifier is an alternate data stream in Windows that is used to mark a file that was downloaded from the internet. And of course, in incident response, if you're looking for suspicious files, that's often an indicator that an analyst may be looking for. So by removing this indicator, using a quick PowerShell command, the attacker is decreasing the chance of the file being discovered.

And Google released updates for Google Chrome. This update fixes 21 different vulnerabilities. One of these vulnerabilities is already being exploited. The exploited vulnerability is a use-after-free vulnerability in Dawn. Dawn is the component in Google Chrome that implements WebGPU. So that's the component that is being attacked here. And not the first time that we had a critical vulnerability in Dawn.

And Apple has done it again. Apple has released another operating system update for iOS 18. We are now up to iOS 18.7.7 as well as iPadOS 18.7.7. The trigger for this update was, yet again, the Dark Sword attack. This is an attack that uses vulnerabilities that used to be more the domain of, well, more sort of state-sponsored malware, but now is more widely used. And it can be found on various websites that then affect these vulnerable devices. Since, in particular, these older devices don't have some of the more modern countermeasures, well, they're particularly vulnerable to these types of exploits. This update does not just fix vulnerabilities that are part of the Dark Sword exploit kit, but fixes a total of 25 different vulnerabilities. So certainly worthwhile updating. And yes, this goes all the way back to the iPhone XR, which was released approximately 10 years ago.

And ASUS fixed a cross-site request forgery vulnerability in its routers. We actually just talked about this type of vulnerability and routers in class yesterday, because one place where these cross-site request forgery vulnerabilities are routinely being exploited is these types of home routers. Because, well, there are plenty of them out there. And so placing an exploit like this on a random website may yield results in catching a couple of vulnerable or badly configured routers. Using this vulnerability, an attacker is able to essentially reconfigure your router without the user actually noticing anything bad happening.

Well, and that's it for today. Thanks for listening. Thanks for subscribing. Thanks for liking this podcast. And any comments, as always, are more than welcome. And talk to you again tomorrow. Bye.
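The zone identifier segment above describes the Mark of the Web from the analyst's side: the `Zone.Identifier` alternate data stream is the indicator, and its removal is what the script was after. The following is an added example, not code from the ISC diary or from this podcast. It parses the stream's INI-style content into its fields (zone number, referrer, host URL) and scans PowerShell script-block log lines for commands that strip the stream, so that the removal itself becomes the detection when the mark is already gone. The sample stream text and log lines are constructed for the example; the function and pattern names are the example's own.

```python
"""Added example (not from the ISC diary or this podcast): helpers an
incident responder can use around the Zone.Identifier alternate data
stream that carries the Windows Mark of the Web (MotW).

 1. parse_zone_identifier(): turn the stream's text into structured fields.
 2. find_motw_removal(): flag PowerShell script-block log lines that remove
    or blank the stream, so the removal is the indicator when the mark is gone.
All sample data below is constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# URL security zones as numbered by Windows (URLZONE values 0-4).
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


@dataclass
class ZoneIdentifier:
    zone_id: int
    zone_name: str
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None


def parse_zone_identifier(stream_text: str) -> Optional[ZoneIdentifier]:
    """Parse the INI-style text stored in <file>:Zone.Identifier.

    Returns None when there is no [ZoneTransfer] section or no numeric
    ZoneId, which an analyst should treat as 'no usable mark'.
    """
    section = None
    fields = {}
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "zonetransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    if not fields.get("zoneid", "").isdigit():
        return None
    zone_id = int(fields["zoneid"])
    return ZoneIdentifier(
        zone_id=zone_id,
        zone_name=ZONE_NAMES.get(zone_id, "Unknown"),
        referrer_url=fields.get("referrerurl"),
        host_url=fields.get("hosturl"),
    )


def read_zone_identifier(path: str) -> Optional[ZoneIdentifier]:
    """On Windows/NTFS the stream is opened as '<path>:Zone.Identifier'.
    Any other OS, or a file without the stream, yields None."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


# PowerShell idioms that delete or blank the stream. Unblock-File is also a
# legitimate admin cmdlet, so a hit needs context (who, where, what file),
# not an automatic verdict.
MOTW_REMOVAL_PATTERNS = [
    ("unblock-file", re.compile(r"\bUnblock-File\b", re.IGNORECASE)),
    ("stream-edit", re.compile(
        r"\b(Remove-Item|Clear-Content|Set-Content)\b.*-Stream\s+['\"]?Zone\.Identifier",
        re.IGNORECASE)),
]


def find_motw_removal(log_lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, pattern_name, line) for each suspicious log line."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        for name, pat in MOTW_REMOVAL_PATTERNS:
            if pat.search(line):
                hits.append((n, name, line))
                break
    return hits


# Constructed sample stream content, as written by a browser download.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://cdn.example.invalid/update.zip\r\n"
)

# Constructed PowerShell script-block log excerpts (not real telemetry).
SAMPLE_LOG = [
    "Get-ChildItem C:\\Users\\alice\\Downloads",
    "Unblock-File -Path C:\\Users\\alice\\AppData\\Roaming\\svc\\update.ps1",
    "Remove-Item -Path C:\\Users\\alice\\AppData\\Roaming\\svc\\update.ps1 -Stream Zone.Identifier",
    "Write-Output 'done'",
]

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    for n, name, line in find_motw_removal(SAMPLE_LOG):
        print(f"line {n} [{name}]: {line}")
```

`read_zone_identifier` is the only part that touches the file system; everything else works on text, so the same parser can run over streams collected into a triage bundle on a non-Windows analysis box.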
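The ASUS segment above explains why cross-site request forgery against home routers works: the victim's browser, visiting an unrelated page, submits a configuration change to the router and attaches the admin session cookie on its own. The following is an added example, not ASUS's code and not from the podcast, showing the server-side checks a router's web interface needs on every state-changing request: the request's `Origin` (or `Referer`) must match the router's own origin, and a per-session CSRF token must accompany the request, because the cookie alone proves nothing about where the request was initiated. The router origin, the request dictionary shape and all sample requests are constructed for the example.

```python
"""Added example (not ASUS's code, not from the podcast): CSRF checks for a
router's web admin interface. A request is represented as a plain dict with
keys 'method', 'headers' and 'form', standing in for whatever the embedded
web server provides. The router origin below is an assumed value.
"""
import hmac
import secrets
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Assumed origin(s) the router is reachable on; the browser fills in
# Origin/Referer itself, so a page elsewhere cannot forge these headers.
ALLOWED_ORIGINS = {"http://192.168.1.1"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must not change configuration


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Bind a fresh random token to the server-side session and return it so
    the admin UI can embed it in forms / send it as X-CSRF-Token."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _origin_of(url: str):
    """Reduce a Referer URL to scheme://host[:port], or None if unusable."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else None


def csrf_check(request: dict, session: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request against a config endpoint."""
    if request["method"].upper() in SAFE_METHODS:
        return True, "safe method"
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}

    # 1. Source-origin check: Origin preferred, Referer as fallback.
    origin = headers.get("origin") or _origin_of(headers.get("referer", ""))
    if origin is None:
        return False, "missing Origin/Referer on state-changing request"
    if origin not in ALLOWED_ORIGINS:
        return False, f"cross-origin request from {origin}"

    # 2. Token check: the session cookie arrives automatically on cross-site
    #    requests, so the token (which a foreign page cannot read) is required.
    expected = session.get("csrf_token")
    supplied = headers.get("x-csrf-token") or request.get("form", {}).get("csrf_token")
    if not expected or not supplied:
        return False, "missing CSRF token"
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "CSRF token mismatch"
    return True, "ok"


def demo() -> dict:
    """Run constructed requests through the check; returns {label: reason}."""
    session: Dict[str, str] = {}
    token = issue_csrf_token(session)
    change = {"dns_server": "192.0.2.53"}  # constructed config change
    cases = {
        "legit": {"method": "POST",
                  "headers": {"Origin": "http://192.168.1.1", "X-CSRF-Token": token},
                  "form": change},
        "cross_site": {"method": "POST",
                       "headers": {"Origin": "http://third-party.example"},
                       "form": change},
        "no_origin": {"method": "POST", "headers": {}, "form": change},
        "no_token": {"method": "POST",
                     "headers": {"Referer": "http://192.168.1.1/admin.html"},
                     "form": change},
        "bad_token": {"method": "POST",
                      "headers": {"Origin": "http://192.168.1.1"},
                      "form": dict(change, csrf_token="not-the-token")},
        "read_only": {"method": "GET", "headers": {}, "form": {}},
    }
    return {label: csrf_check(req, session) for label, req in cases.items()}


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label:11s} {'ALLOW' if ok else 'DENY ':5s} {reason}")
```

Both checks are kept: the origin check fails closed on old clients that strip `Referer`, and the token check is what still protects endpoints that accept form posts without any origin header at all.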