
SANS Stormcast Thursday, April 30th, 2026: Odd Requests; MSFT LNK Bug Exploited; Secure Boot Fix; TLS Updates; SAP npm malware
Hello and welcome to the Thursday, April 30, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida, and this episode is brought to you by the SANS.edu Bachelor's Degree Program in Applied Cybersecurity.

In diaries today, nothing too special. There are two odd web requests that sort of caught my eye and that came in via our honeypots. The first one is a request that appears to be going after the Broadcom API Gateway. I don't think that's an exploit as is. I think this is really more some kind of fingerprinting or reconnaissance scan or similar. The second one is going after what I believe, according to the URL, to be ESP32 devices. I saw something here that this may be used to, like, flash firmware on those devices. If anybody has any more experience with either ESP32 or the Broadcom API Gateway, let me know if there is more to these particular endpoints and whether there could be some kind of attack being performed via just these individual requests.

Then we got an update to Microsoft's Patch Tuesday this month. This update comes from Akamai, in the form of Akamai stating and showing that one of the vulnerabilities being addressed in this month's update had already been exploited before Microsoft actually released the update. This was not indicated in Microsoft's update, so it was not labeled as already exploited. Since then, Microsoft has updated its guidance and now also states that this vulnerability is already being exploited, or had been exploited before the patch was released. This particular vulnerability is one of those LNK file vulnerabilities. Now, what makes it particularly dangerous is that a victim does not actually have to open the file. It's sufficient to just look at a directory that contains the malicious file. And then, first of all, you have the usual sort of SMB connection outbound that leaks potential credentials, and these credentials can then be used against the victim again. So yes, certainly a bad vulnerability; it has been used by Fancy Bear against Ukraine. Not sure if exploitation has been seen anywhere else before the patch was released. This is also the second attempt Microsoft made to patch this particular vulnerability.

And sticking with Microsoft here for another story. Now, this one is not really a vulnerability story. Instead it's all about the good old Windows Secure Boot certificate, and well, old is the keyword here. Those boot certificates, originally issued in 2011, are going to expire in June of this year. I mentioned this a couple of times before, and of course many organizations are having a hard time sort of figuring out where these old certificates are being used and, well, whether or not they have been updated yet. Well, Microsoft updated Microsoft Defender in order to help users find any systems that still need these updates. This is particularly sort of geared towards enterprises and such, which of course may have thousands of systems that need to be inventoried here, and this new feature in Microsoft Defender is supposed to help them.

Well, and a third Microsoft story here, another TLS-related one, or certificate-related one. Well, this one is actually more about using TLS and certificates on the network. Microsoft in July is also going to turn off TLS 1.0 and 1.1 for any Exchange POP3 and IMAP4 connections. So yes, you finally must move up all the way to TLS 1.2 and 1.3. This is actually sort of long overdue, and Microsoft has been holding back for good reason, because there was still a significant number of clients that for whatever reason didn't support newer versions of TLS. I guess they're now essentially cutting them off. So if you're still using POP3, I haven't seen it used in quite a while. IMAP4 is still used quite a bit. So if you're using either protocol, then make sure that whatever client you're using is able to connect via TLS 1.2 or 1.3.

And no podcast episode these days appears to be complete without some kind of supply chain compromise news. The latest is a set of npm packages that are related to SAP. Now, they're not created by SAP, so they're not official packages in that sense, but they're widely used to interface with SAP. There are a number of security companies that found them. The link I'm going to use is Step Security. They have a pretty comprehensive write-up here, but they're not the only ones that sort of wrote about this compromise. It's the standard preinstall hook trick that's being used here to execute code on the developer system as these packages are being installed. So that's probably why many of the supply chain security tools these days will actually flag this as malicious.

Well, and this is it for today. Thanks for listening, thanks for liking, thanks for subscribing, and as always, talk to you again tomorrow. Bye.
Host: Johannes B. Ullrich
Episode Focus: Rundown of recent cybersecurity events—odd honeypot requests, active Microsoft LNK vulnerability exploit, Secure Boot certificate expiry, TLS protocol deprecation, and a SAP-related npm package malware alert.
This episode delivers a concise snapshot of pressing cybersecurity issues affecting organizations and individuals, based on the latest reports to the SANS Internet Storm Center. Johannes B. Ullrich covers fresh insights from honeypot traffic, critical Microsoft vulnerabilities and policies, and a new wave of npm package compromise, emphasizing practical security responses.
[00:22–01:09]
"If anybody has any more experience with either ESP32 or the Broadcom API Gateway, let me know if there is more to these particular endpoints..." – Johannes B. Ullrich [00:50]
[01:09–02:21]
"Certainly a bad vulnerability... has been used by Fancy Bear against Ukraine." – Johannes B. Ullrich [01:50]
[02:21–03:09]
Nature of Issue: Certificates issued in 2011 are expiring in June 2026.
Organizational Challenge: Many struggle to identify where these outdated certificates remain deployed.
Solution: Microsoft Defender updates now help inventory and locate affected systems, especially critical for large enterprises.
"...many organizations are having a hard time... figuring out where these old certificates are being used and... whether or not they have been updated yet." – Johannes B. Ullrich [02:35]
[03:09–03:58]
"If you're still using POP3, I haven't seen it used in quite a while. IMAP4 is still used quite a bit." – Johannes B. Ullrich [03:45]
[03:58–04:48]
Discovery: Third-party npm packages (not official SAP releases) used for SAP integrations found to be malicious.
Technique: Exploited the "preinstall hook" to execute code on developer systems at install time.
Detection: Flagged by many supply chain security scanners.
Recommended Read: Listeners are directed to Step Security’s comprehensive write-up.
"...the standard preinstall hook trick that's being used here to execute code on the developer system as these packages are being installed..." – Johannes B. Ullrich [04:18]
On the rapid pace of supply chain exploits:
"No podcast episode these days appears to be complete without some kind of supply chain compromise news." – Johannes B. Ullrich [03:58]
On the evolving attacker tactics:
"What makes [the LNK file vulnerability] particularly dangerous is that a victim does not actually have to open the file. It's sufficient to just look at a directory that contains the malicious file." – Johannes B. Ullrich [01:34]
Johannes swiftly covers the day’s most urgent cybersecurity topics, urging action for pending Microsoft patching and certificate management, and alerting listeners to new supply chain threats. Practical takeaways include reviewing certificate inventories, ensuring TLS compatibility, and watching for malicious packages in developer environments.