SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
Johannes B. Ullrich
A brief daily summary of what is important in information security. The podcast is published every weekday and designed to get you ready for the day with a brief, usually 5 minute long, summary of current network security related events. The content is late breaking, educational and based on listener input as well as on input received by the SANS Internet Stormcenter. You may submit questions and comments via our contact form at https://isc.sans.edu/contact.html .
Episodes

Feb 26, 2026 • 7min
SANS Stormcast Thursday, February 26th, 2026: CLAIR Model; Cisco SD-WAN 0-Day; Cortex XDR Abuse; OpenSSL Vuln;
A tour of the CLAIR model for mapping critical infrastructure interdependencies. A deep dive into a critical Cisco SD-WAN authentication bypass with real-world exploitation context. Examination of how Cortex XDR live-response can be misused as a covert command channel. Coverage of an OpenSSL stack buffer overflow and how system protections affect exploitability. Discussion of tarpitting techniques to pollute AI training data.

Feb 25, 2026 • 7min
SANS Stormcast Wednesday, February 25th, 2026: Open Redirects; setHTML in Firefox; telnetd issues
A surge in scans hunting open redirect flaws and how those redirects fuel phishing and OAuth abuse. Discussion of Firefox 148's setHTML and Sanitizer API replacing innerHTML to curb DOM-based XSS. New telnetd problems where environment variables and writable credential directories enable privilege escalation, plus suggested mitigation strategies.

Feb 24, 2026 • 7min
SANS Stormcast Tuesday, February 24th, 2026: Malicious JPEG Analysis; Calibre Vuln; jsPDF object injection; Roundcube Exploited
A breakdown of a malicious JPEG that masked a downloader for Remcos RAT. Analysis of Calibre path traversal flaws that allow arbitrary file write and possible code execution. Examination of a jsPDF addJS object-injection vulnerability. Alert about active exploitation of a Roundcube webmail PHP serialization bug and urgency to patch self-hosted mail systems.

Feb 23, 2026 • 7min
SANS Stormcast Monday, February 23rd, 2026: Japanese Phishing; AI Agents Ignoring Instructions; Starkiller MFA Phishing
A rundown of phishing campaigns in Japanese and why multilingual targeting matters. A discussion of AI agents that ignore security policies and the risks when tools act like humans. Coverage of a new Starkiller framework that proxies real login pages to bypass MFA and which authentication methods resist phishing.

Feb 20, 2026 • 6min
SANS Stormcast Friday, February 20th, 2026: DynoWiper Analysis; Vibe Passwords; IDE Extension Vulns; Grandstream GXP 1600 Vuln and PoC
Reverse engineering reveals a wiper that uses a simple, unobfuscated PRNG to overwrite files. LLM-generated passwords turn out to be predictable and widely reused. Popular IDE extensions expose local APIs and other attack surfaces to malicious web pages or crafted files. A critical unauthenticated stack buffer overflow in a line of VoIP phones could let attackers gain root and pivot inside networks.

Feb 19, 2026 • 7min
SANS Stormcast Thursday, February 19th, 2026: Malware Image Reuse; Dell RecoverPoint; Admin Center Vuln; DNS-PERSIST-01
They discuss tracking malware campaigns by spotting reused image assets across samples. They cover active exploitation of a Dell RecoverPoint zero-day and its fallout. A recent Windows Admin Center privilege elevation fix gets attention. The new DNS-PERSIST-01 validation model and its implications for certificate lifetimes and automation are explained.

Feb 18, 2026 • 8min
SANS Stormcast Wednesday, February 18th, 2026: IR Phishing; Neenadu Android Backdoor; NiFi Bugs; LLMs Phishing; Encrypted RCS
A phishing campaign faking incident reports to trick MetaMask users into reset actions. Discovery of an Android firmware backdoor linking multiple botnets and supply-chain risks. An Apache NiFi authorization bug that can expose cloud data pipelines. Research showing LLMs can generate real-time phishing JavaScript. Apple adds end-to-end encrypted RCS but broad adoption remains a hurdle.

Feb 17, 2026 • 5min
SANS Stormcast Tuesday, February 17th, 2026: 64-Bit Malware; Password Manager Weaknesses; OpenClaw Config Theft
A rise in 64-bit malware and how researchers tracked the shift using large malware datasets. A comparative look at cloud-synced password managers and risks around remote key storage. An infostealer campaign hunting OpenClaw configuration files to steal API credentials. Discussion of secure storage options and practical limits when sharing authentication data.

Feb 16, 2026 • 6min
SANS Stormcast Monday, February 16th, 2026: Graph Generator; nslookup and clickfix; Chrome 0-Day; TURN Threats
Discussion of an AI-powered knowledge graph tool that maps APT indicators and relationships. A DNS-based ClickFix variant that uses nslookup and custom CNAME responses for PowerShell retrieval. A Google Chrome zero-day fix and the importance of timely updates. Security risks from misconfigured TURN servers that can proxy and abuse traffic.

Feb 13, 2026 • 6min
SANS Stormcast Friday, February 13th, 2026: SSH Bot; OpenSSH macOS Change; Abused Employee Monitoring
Analysis of a fast self-propagating SSH worm and its unusual IRC command-and-control technique. A discussion of OpenSSH changes on macOS and a new quantum-safe algorithm warning for older servers. Coverage of how employee monitoring and remote support tools are being misused to run attacker code. Practical reminders to lock down and monitor remote management systems.
