
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast) SANS Stormcast Thursday, March 5th, 2026: XWorm Analysis; Cisco "Secure" Firewall Management Center; LastPass Phishing
Mar 5, 2026
Detailed breakdown of an XWorm infection chain, from a 7-Zip archive and JavaScript to the final DLL payload. Discussion of attackers poisoning AI search results to push malicious installers. Coverage of two critical Cisco Secure Firewall Management Center flaws and the urgency to patch. Review of renewed LastPass phishing campaigns and defenses for password managers.
XWorm Infection Chain From 7-Zip To DLL
- The XWorm infection began with a phishing email carrying a 7-Zip attachment that unpacked to a JavaScript file.
- Johannes Ullrich describes how the JavaScript ran PowerShell, which injected into the .NET compiler and then loaded the XWorm DLL payload.
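The chain above (script host launches PowerShell, PowerShell ends up in a .NET compiler process) is the kind of parent-child lineage a detection engineer would look for in endpoint telemetry. The following is an added example, not code from the podcast or from SANS: it matches an ancestry pattern against Sysmon-style process-creation events. The event tuples are constructed, and the image names for each stage (wscript.exe/cscript.exe, powershell.exe/pwsh.exe, csc.exe/vbc.exe) are assumptions about how the described injection shows up in process telemetry, not details from the episode. The matcher is generic, so the same function can express other multi-stage chains.

```python
"""Added example (not from the podcast or SANS): flag processes whose
ancestry matches a stage pattern such as the XWorm chain
script host -> PowerShell -> .NET compiler in process-creation events."""

# Constructed sample events as (pid, ppid, image path). Not real telemetry.
SAMPLE_EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe"),
    (200, 100, r"C:\Program Files\7-Zip\7zFM.exe"),
    (300, 200, r"C:\Windows\System32\wscript.exe"),   # JS unpacked from the archive
    (400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (500, 400, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"),
    (600, 100, r"C:\Windows\System32\cmd.exe"),        # benign admin activity
    (700, 600, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

# Assumed image names per stage, oldest ancestor first. Which .NET process
# the payload is injected into is an assumption for this example.
XWORM_CHAIN = [
    {"wscript.exe", "cscript.exe"},   # JavaScript dropped by the 7-Zip archive
    {"powershell.exe", "pwsh.exe"},   # PowerShell launched by the script
    {"csc.exe", "vbc.exe"},           # .NET compiler used as injection target
]


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_chain(events, chain):
    """Return tuples of pids (oldest ancestor first) for every process whose
    own image is in chain[-1], whose parent's image is in chain[-2], and so on
    up to chain[0]. Missing parents or a non-matching stage end the walk."""
    procs = {pid: (ppid, image_name(img)) for pid, ppid, img in events}
    hits = []
    for pid in procs:
        lineage = []
        cur = pid
        for stage in reversed(chain):
            info = procs.get(cur)
            if info is None or info[1] not in stage:
                break
            lineage.append(cur)
            cur = info[0]
        else:
            hits.append(tuple(reversed(lineage)))
    return hits


def describe(hit, events):
    """Human-readable rendering of one matched lineage."""
    names = {pid: image_name(img) for pid, _, img in events}
    return " -> ".join(f"{names[pid]}({pid})" for pid in hit)


if __name__ == "__main__":
    for hit in match_chain(SAMPLE_EVENTS, XWORM_CHAIN):
        print("suspicious chain:", describe(hit, SAMPLE_EVENTS))
```

Only the wscript -> powershell -> csc lineage is reported; the cmd -> powershell lineage is ignored because it never reaches the compiler stage. In production the image sets would be tuned per environment (build servers legitimately run csc.exe from PowerShell, for example), and the same walk can be extended with command-line or signer checks on each stage.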
AI Search Results Are Susceptible To SEO Poisoning
- AI search features are vulnerable to the same SEO poisoning attackers have long used against traditional search engines.
- Johannes Ullrich explains that Bing's AI feature redirected searches for an OpenClaw installer to a malicious GitHub repository hosting GhostSocks and information stealers.
Two CVSS 10 Bugs In Cisco Secure Firewall Management Center
- Cisco released patches, including fixes for two critical CVSS 10.0 issues in Secure Firewall Management Center: an authentication bypass that allows script execution as root, and a remote code execution flaw limited to executing Java code.
- Johannes Ullrich warns that neither has been observed exploited yet, but both are likely easy to weaponize once the patches are analyzed.
