SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Thursday, January 15th, 2026: Luma Stealer Repeat Infection; ServiceNow Broken Auth; Starlink/GPS Jamming

Jan 15, 2026
Luma Stealer is causing chaos by repeatedly adding scheduled tasks to download malicious payloads. An alarming flaw in ServiceNow, dubbed 'BodySnatcher', exposes the risk of broken authentication due to shared credentials. Meanwhile, in Iran, GPS spoofing has disrupted Starlink services, raising questions about satellite positioning limits. A proposed fix suggests leveraging Starlink satellites for better location accuracy to counteract such interference. Tune in for an insightful analysis of these pressing cybersecurity issues!
ANECDOTE

Luma Stealer Keeps Reinfecting

  • Johannes Ullrich describes a Luma Stealer variant that exfiltrates data, then downloads follow-on payloads from Pastebin.
  • The infection repeatedly adds scheduled tasks every 30 minutes, piling up to dozens and increasing execution frequency.
INSIGHT

Task Sprawl Suggests Post-Exfiltration Scraping

  • Multiple scheduled tasks indicate attackers aim to harvest anything missed after initial exfiltration rather than stay quiet.
  • Persistent task creation also lets attackers hand off systems to other groups that may deploy different malware.
INSIGHT

Default Credentials, Not AI, Fueled ServiceNow Flaw

  • The ServiceNow issue is less an AI flaw and more a basic authentication failure from reused fixed credentials.
  • A shared default credential for the virtual agent let attackers authenticate across many installations once discovered.