
SANS Stormcast Tuesday, March 24th, 2026: Tax Scam to EDR Kill; Netscaler Patches; gRPC-Go Authz Bypass;
Hello and welcome to the Tuesday, March 24, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today in Jacksonville, Florida, and this episode is brought to you by the SANS.edu Graduate Certificate Program in Cyber Defense Operations. Well, in diaries today, Jim has another win for allowing AI to do security reviews of your code. Jim has published numerous different forensics and reverse analysis tools as part of his GitHub repo. Well, he had it now security reviewed by Claude Code and has actually found a number of interesting vulnerabilities, some a little bit standard, like for example in his mail analyzer there was sort of a header injection issue. It was kind of interesting, but also some a little more subtle ones, like for example time-of-check, time-of-use vulnerabilities. Well, if you're using any of Jim's tools, please update. All the patches have been released to the GitHub repo.

Let's start today a little bit with an awareness item. And while we are coming up here in the United States on the tax filing season, the deadline is April 15th, and with that there's always an increase in scams attempting to get people to download software or reveal their information to websites claiming to be associated with tax filings. Well, this year, according to Huntress, there is one particular trick that they're seeing, and that's basically fake Google Ads. So, well, the Google Ads are actually real, but they're leading to malicious or fake products. And these products are like PDF fillers and things like that that may come in handy if you're trying to fill out a tax form. Also, some of these attacks are then redirecting users to fake browser updates. But what I found interesting is that they're not just simple, well, you know, let's download some software and steal some information, or some basic phishing as we have seen in the past. But they're also including bring-your-own-vulnerable-driver exploits, which basically means that they have the ability to kill endpoint protection software. So definitely a little bit of an escalation in the sophistication of the malware seen around these tax scams.

Well, and then we have a couple of patches to talk about today. First of all, Citrix released updates for NetScaler ADC and NetScaler Gateway. Well, these products have often been a little bit problematic when it comes to security, and the latest update is one, I think, that particularly sort of concerns me. And this is an out-of-bounds read. It does not require any authentication to be exploited. However, it does require that Citrix ADC or Citrix Gateway is configured as a SAML identity provider. They don't really go into details about what you could do with an out-of-bounds read, but typically there is some kind of memory leak, and given that it does affect the SAML component, there's certainly a chance that maybe assertions being sent to another user or so can be retrieved here. And again, this does not require any authentication; CVSS score of 9.3. The second vulnerability does require that the appliance is configured as a VPN. It's not really that critical in my opinion. Also, CVSS score only 7.7. It's a race condition where user sessions could be mixed up. Race conditions tend to be tricky to exploit. And again, no detail here how difficult this exploit may be in this particular case.

And then we got an interesting vulnerability in Go, in particular in the Golang gRPC-Go server. So this allows you to basically implement APIs in Go. Now, when you're using HTTP/2, the URL is not transmitted as sort of in HTTP 1.1 with sort of the start line. Instead, there is a special path header that is being used as part of the URL, and that path header should start with a slash. Well, turns out that Go is not really all that picky and does accept paths that don't start with a slash. It still maps them correctly. But now you have sort of a disconnect between what is actually then being served and what access control rules are considering the valid path. So this then leads to authorization bypass, and certainly an interesting vulnerability, something that's probably easy to exploit in many cases. And yes, if you are using gRPC-Go, definitely make sure that you update your application quickly.

Well, and that's it for today. Thanks for listening, thanks for liking, and special thanks to all of those who ever sort of tell me, well, I missed a particular vulnerability that I should have covered, or I, well, covered one that really was not important. So any feedback like this is always welcome, and talk to you again tomorrow. Bye.
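Added example, not code from the episode or from the grpc-go project: a small Go model of the path/routing disconnect described above, with a naive authz lookup on the raw `:path` beside a strict check that only accepts the canonical `/Service/Method` shape. The service names, rule table and the lenient router are constructed stand-ins for the behaviour described, not grpc-go's implementation.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed rule table of gRPC full method names reserved for admins;
// the service/method names are hypothetical placeholders.
var adminOnly = map[string]bool{"/example.Admin/DeleteUser": true}

// lenientRoute models the behaviour described in the episode (not grpc-go's
// code): a router that tolerates a missing leading slash, so ":path" values
// with and without it reach the same handler.
func lenientRoute(path string) string { return strings.TrimPrefix(path, "/") }

// naiveAuthz compares the raw :path against the rule table. A :path missing
// its slash matches no rule and is allowed, yet lenientRoute still dispatches
// it to the protected method: the authz/routing disconnect.
func naiveAuthz(path string) bool { return !adminOnly[path] }

// canonicalMethod accepts only the exact gRPC shape "/Service/Method", so
// authz and routing always reason about the same string.
func canonicalMethod(path string) (string, error) {
	if !strings.HasPrefix(path, "/") {
		return "", errors.New(":path must start with '/'")
	}
	parts := strings.Split(path[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", errors.New(":path must be exactly /Service/Method")
	}
	return path, nil
}

// strictAuthz rejects non-canonical paths before consulting the rule table.
func strictAuthz(path string) bool {
	if _, err := canonicalMethod(path); err != nil {
		return false
	}
	return !adminOnly[path]
}

func main() {
	for _, p := range []string{"/example.Admin/DeleteUser", "example.Admin/DeleteUser", "/example.Public/Ping"} {
		fmt.Printf("%-26s handler=%-24s naive=%-5v strict=%v\n", p, lenientRoute(p), naiveAuthz(p), strictAuthz(p))
	}
}
```

Running it shows the slash-less admin path passing the naive check while the lenient router sends it to the same handler as the canonical form; the strict check refuses it before any rule lookup happens.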
Host: Johannes B. Ullrich
Episode Theme: Key Cybersecurity Threats and Patches — From Sophisticated Tax Scams to Critical Vulnerabilities
Duration: ~5 Minutes
In this episode, Johannes B. Ullrich covers late-breaking cybersecurity news and critical updates relevant for IT professionals and defenders. Highlights include a new wave of sophisticated tax scams exploiting Google Ads, significant vulnerabilities in Citrix Netscaler products, a dangerous authorization bypass in Go’s gRPC library, and a brief success story about AI-aided security code reviews. Listeners get actionable takeaways around patching and threat awareness as tax season approaches.
"Jim has published numerous different forensics and reverse analysis tools ... he had it now security reviewed by Claude Code and has actually found a number of interesting vulnerabilities … please update. All the patches have been released."
— Johannes B. Ullrich [00:18]
"Fake Google Ads ... are leading to malicious or fake products. These products are like PDF fillers ... Also some attacks are redirecting users to fake browser updates. ... Including bring your own vulnerable driver exploits, which basically means they have the ability to kill endpoint protection software. So definitely a little bit of an escalation in the sophistication of the malware seen around these tax scams."
— Johannes B. Ullrich [01:20]
"The latest update ... is one, I think, that particular sort of concerns me. And this is an out-of-bounds read. It does not require any authentication to be exploited ... It does affect the SAML component; there's certainly a chance maybe assertions being sent to another user can be retrieved here."
— Johannes B. Ullrich [02:28]
"This then leads to authorization bypass and certainly an interesting vulnerability, something that's probably easy to exploit in many cases. And yes, if you are using gRPC-Go, definitely make sure that you update your application quickly."
— Johannes B. Ullrich [03:50]
On Tax Scam Malware Sophistication:
"They're not just simple … download some software and steal some information … They're also including bring-your-own-vulnerable-driver exploits, which basically means that they have the ability to kill endpoint protection software."
— Johannes B. Ullrich [01:25]
On the Criticality of Citrix Patch:
"I think that particularly sort of concerns me ... does not require any authentication to be exploited … CVSS score of 9.3."
— Johannes B. Ullrich [02:28]
On gRPC-Go Authz Bypass:
"Now you have sort of a disconnect between what is actually being served and what access control rules are considering the valid path. This then leads to authorization bypass."
— Johannes B. Ullrich [03:36]
| Segment | Timestamp |
|--------------------------------------------|:----------:|
| AI security review of open-source tools | 00:18 |
| Tax season scam trends and techniques | 01:00 |
| Fake PDF fillers & driver-based malware | 01:20 |
| Citrix Netscaler ADC/Gateway patches | 02:22 |
| Critical out-of-bounds read (Citrix) | 02:28 |
| Less critical VPN race condition (Citrix) | 02:54 |
| gRPC-Go path header authz bypass | 03:29 |
| Call to update gRPC-Go applications | 03:50 |
"Thanks to all who tell me when I miss a particular vulnerability ... any feedback like this is always welcome."
— Johannes B. Ullrich [04:46]
For more details or to report additional vulnerabilities, contact the SANS Internet Storm Center at https://isc.sans.edu/contact.html.