SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
Johannes B. Ullrich
A brief daily summary of what is important in information security. The podcast is published every weekday and designed to get you ready for the day with a brief, usually 5 minute long, summary of current network security related events. The content is late breaking, educational and based on listener input as well as on input received by the SANS Internet Stormcenter. You may submit questions and comments via our contact form at https://isc.sans.edu/contact.html .
Episodes
Mar 26, 2026 • 7min
SANS Stormcast Thursday, March 26th, 2026: Apple Patches; SmartApeSG Update; Trivy/LiteLLM/TeamPCP Update; Google Accelerates Quantum-Safe Crypto Rollout
Broad Apple security fixes across iOS, macOS, and watchOS get a quick recap. A malware campaign distributing multiple remote access trojans and credential stealers is profiled. Discussions cover flaws in popular scanners and libraries and the need for better secrets management. Google’s move to speed up quantum-safe cryptography and realistic migration timelines is outlined.

Mar 25, 2026 • 12min
SANS Stormcast Wednesday, March 25th, 2026: IP KVM Usage; TeamPCP, Trivy, LiteLLM and More
A deep dive into detecting IP KVM devices and the quirks of device strings to watch for. A breakdown of the Team PCP supply chain compromise that hijacked a popular security scanner and how CI/CD secrets were exposed. Discussion of propagation to other tools, credential exposure via an LLM proxy, a Kubernetes wiper aimed at Iran, and practical mitigations like pinning and secrets management.

Mar 24, 2026 • 6min
SANS Stormcast Tuesday, March 24th, 2026: Tax Scam to EDR Kill; NetScaler Patches; gRPC-Go Authz Bypass
Tax-season malvertising and fake PDF updaters that trick filers into installing malware. Attackers using vulnerable drivers to disable kernel-mode AV and EDR. Critical Citrix NetScaler/ADC patches for a SAML out-of-bounds flaw and a VPN race condition. A gRPC-Go authorization bypass caused by a missing leading slash in request paths.

Mar 23, 2026 • 6min
SANS Stormcast Monday, March 23rd, 2026: GSocket Backdoor in Bash; Oracle Security Alert; Rockwell Attacks
A breakdown of a bash-delivered GSocket backdoor and how attackers hide and persist access. Discussion of timestamp manipulation and a cron/pkill-zero persistence trick. Coverage of a critical Oracle security alert about Identity Manager and Web Services Manager. Warning about industrial control system risks and advice to disconnect and harden PLCs against rising attacks.

Mar 20, 2026 • 6min
SANS Stormcast Friday, March 20th, 2026: Cowrie Strings; MSFT Intune Hardening; UniFi Network Update
Unusual strings captured in Cowrie honeypots and what they reveal about attacker behavior. A major abuse of Intune prompts concrete hardening advice and practical protections for endpoint management. A UniFi Network security update covers path traversal and NoSQL injection fixes and recommended mitigation steps.

Mar 19, 2026 • 6min
SANS Stormcast Thursday, March 19th, 2026: Adminer Scans; Apple WebKit Patch; another telnetd vuln; screenconnect vuln
Widespread scans probing Adminer database admin installations and why attackers enumerate filenames. Discussion of Adminer authentication risks and recommended extra protections. Apple rolling background WebKit security updates. A pre-auth buffer overflow in GNU inetutils telnetd and the importance of patching. Critical hardening for ScreenConnect 26.1 that encrypts exposed machine keys.

Mar 18, 2026 • 6min
SANS Stormcast Wednesday, March 18th, 2026: IPv4 mapped IPv6; KVM Vulnerabilities; AWS Bedrock DNS Covert Channel
Discussion of how IPv4-mapped IPv6 addresses work and how tools convert or mishandle them. Examination of widespread security flaws in low-cost IP KVMs and which devices remain unpatched. Exploration of sandboxing challenges for AI agents and a DNS covert channel found in an AWS Bedrock code interpreter.

Mar 17, 2026 • 8min
SANS Stormcast Tuesday, March 17th, 2026: Proxy URLs; Local Network Address Restrictions; Advanced Phishing
Proxy URL attacks that trick servers into reaching internal addresses, along with the IPv6 and obfuscation tricks attackers use to slip past address filters. Security steps for hardening proxies, firewalls and browser local-network restrictions are covered. A sophisticated phishing chain that used open redirects, third-party relays and DKIM weaknesses to evade defenses is also described.

Mar 16, 2026 • 6min
SANS Stormcast Monday, March 16th, 2026: SmartApeSG and Remcos RAT; React-Based Phishing; Google Chrome Patches; AdGuard Vuln
A campaign used a ClickFix page to trick users into running commands that deliver Remcos RAT. A React-based phishing site exfiltrated credentials via EmailJS, creating unusual investigative leads. Google released and then revised Chrome zero-day fixes, leaving one patch outstanding. A signed malware distribution targeted VPN clients via fake vendor sites, and AdGuard Home received an authentication fix.

Mar 13, 2026 • 5min
SANS Stormcast Friday, March 13th, 2026: IoT Device Discovery; Apple Patches; Veeam Patches
A honeypot reveals widespread IoT devices still logging in with default admin credentials. Apple releases security updates for older iPhones addressing WebKit and kernel bugs tied to real-world spyware. Veeam patches fix critical flaws, including authenticated remote code execution risks. A Splunk preview endpoint bug that can lead to command execution is also discussed.