
SANS Stormcast Tuesday, May 19th, 2026: New libssh in Malware; Exchange 0-Day; MSFT Authenticator Update
Hello and welcome to the Tuesday, May 19, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. This episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership.

Let's start out today with today's diary, and that comes again from one of our SANS.edu undergraduate interns. Gokul Prema Tangawell wrote this particular diary about, well, the ever-present SSH bots: bots that are brute-forcing usernames and passwords for SSH and then often install modified authorized_keys files, which of course then act as a backdoor for the attacker. Now, the one thing that Gokul here is looking at is a very well-established key chain of these SSH bots that is always leaving behind the same authorized_keys file. That's sort of one of the indicators of compromise here. But Gokul notes some subtle modification to the binary being used to do the scanning, in that it updated to a new libssh. libssh is the base library that implements SSH. And then we also have these HASSH values. Now, HASSH is written here with two S's; basically, HASSH identifies the SSH connection details and with that often identifies the malware, but that now changed with the switch to the new libssh. And, well, what this really means is: don't be too specific on your indicators of compromise. If you're seeing a lot of outbound SSH connections, there is a good chance that you have a system in your network that is attempting to infect others via SSH, no matter whether or not this particular HASSH is present in the connections or whether, well, it's not present and often goes undetected, as pointed out in this diary.

And late last week, Microsoft disclosed a new unpatched vulnerability in Exchange Server affecting Exchange Server 2016 and 2019 as well as the current Subscription Edition. Well, this is a cross-site scripting vulnerability, but given that it's running in Exchange and then basically exposed via Outlook Web Access, there's quite a bit of damage an attacker could do by exploiting this cross-site scripting vulnerability. Always an issue with cross-site scripting in webmail clients like Outlook Web Access, and as a result, well, definitely something that you want to address, in particular since the reason that Microsoft sort of came forward and made this issue public is that it's already being exploited in the public. Now, Microsoft did publish a workaround, and you can apply this workaround if your version of Exchange is reasonably up to date. So even for the older versions like 2016 you can apply it; you just must have applied some of the more recent updates to Exchange Server 2016, and this will block exploitation. This is not a patch yet, and it apparently does have a couple of issues. And again, refer to Microsoft's write-up on it, because that's something they have been adding to over the last couple of days. In particular, apparently the calendar functionality, like running calendars and such, may have some problems here after you apply the workaround, but take a look at it. To me, these issues sound less severe than getting exploited with a cross-site scripting exploit here.

Microsoft also, late last week, did release an update for Microsoft Authenticator for iOS as well as for Android. This particular update fixes a vulnerability where an attacker could gain access to the authentication token being submitted by Microsoft Authenticator. In order to exploit this vulnerability, an attacker would have to essentially direct you to a website; you then interact with the website, you'll see a pop-up on your Authenticator asking you essentially to approve the login, and the attacker would then get access to the token, which would allow the attacker to essentially bypass Microsoft Authenticator based two-factor authentication. So, an interesting vulnerability. Like I said, not a lot of details out there yet, and nothing being exploited yet. On Android and iOS, the application should automatically update.

Well, to all the Linux users that are smirking here about the Microsoft and Windows flaws, there's also a new privilege escalation vulnerability for Linux to worry about. This one in particular also allows access to private SSH keys on the server as well as to the /etc/shadow file. Now, the server SSH keys typically don't allow you to actually log into the server, but they allow you to impersonate the server. So still something that you want to take care of, and make sure that your Linux system is again properly patched and, of course, rebooted, as for most kernel patches like this.

And that's it for today. Thanks for listening, thanks for liking, thanks for recommending this podcast, and talk to you again tomorrow. Bye.
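The diary's point in the first segment above, that the client HASSH changes when the bot's SSH library changes while the outbound SSH fan-out does not, as an added Python example. This is not code from the podcast, the ISC diary or the HASSH project. The KEXINIT algorithm lists, the Zeek-style ssh.log records, the 10.0.0.0/8 internal range and the fan-out threshold of 10 are all constructed assumptions for the demonstration.

```python
import hashlib
import ipaddress
import struct
from collections import defaultdict

# HASSH (client side), per the HASSH spec: MD5 over four SSH_MSG_KEXINIT
# name-lists joined with ';' in this order:
#   kex_algorithms ; encryption_c2s ; mac_c2s ; compression_c2s
# The host-key list is deliberately not part of the fingerprint.
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def build_kexinit(kex, hostkey, enc, mac, comp):
    """Build an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) as constructed
    test input. The algorithm lists are illustrative, not those of any real
    libssh release or of the bot described in the diary."""
    def name_list(s):
        return struct.pack(">I", len(s)) + s.encode("ascii")
    payload = b"\x14" + b"\x00" * 16                 # msg id 20 + 16-byte cookie
    for s in (kex, hostkey, enc, enc, mac, mac, comp, comp, "", ""):
        payload += name_list(s)                      # c2s and s2c lists identical here
    return payload + b"\x00" + b"\x00\x00\x00\x00"   # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Split a KEXINIT payload into its ten name-lists."""
    if payload[0] != 20:
        raise ValueError("not SSH_MSG_KEXINIT")
    pos, fields = 17, {}
    for name in KEXINIT_FIELDS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        fields[name] = payload[pos:pos + n].decode("ascii")
        pos += n
    return fields


def hassh(kexinit_payload):
    """Client HASSH fingerprint of a KEXINIT payload."""
    f = parse_kexinit(kexinit_payload)
    joined = ";".join((f["kex"], f["enc_c2s"], f["mac_c2s"], f["comp_c2s"]))
    return hashlib.md5(joined.encode("ascii")).hexdigest()


# Two constructed bot variants: same host-key list, but the "new libssh" build
# advertises a different kex/cipher/mac/compression set, so its HASSH differs.
OLD_BOT = build_kexinit("curve25519-sha256,diffie-hellman-group14-sha256",
                        "ssh-ed25519,rsa-sha2-512",
                        "aes128-ctr,aes256-ctr", "hmac-sha2-256", "none")
NEW_BOT = build_kexinit("curve25519-sha256,curve25519-sha256@libssh.org,"
                        "diffie-hellman-group18-sha512",
                        "ssh-ed25519,rsa-sha2-512",
                        "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com",
                        "hmac-sha2-512-etm@openssh.com", "none,zlib@openssh.com")
OLD_HASSH, NEW_HASSH = hassh(OLD_BOT), hassh(NEW_BOT)
ADMIN_HASSH = hassh(build_kexinit("sntrup761x25519-sha512@openssh.com", "ssh-ed25519",
                                  "aes256-gcm@openssh.com", "umac-128-etm@openssh.com", "none"))

# Constructed Zeek-style ssh.log records; 10.0.0.0/8 is assumed to be internal.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def build_sample_log():
    """Two infected hosts fanning out to 30 external targets each (one with the
    old HASSH, one with the new), plus an admin box with three normal sessions."""
    recs = []
    for i in range(1, 31):
        recs.append({"src": "10.0.1.5", "dst": f"203.0.113.{i}", "dst_port": 22, "hassh": OLD_HASSH})
        recs.append({"src": "10.0.2.9", "dst": f"198.51.100.{i}", "dst_port": 22, "hassh": NEW_HASSH})
    for i in range(1, 4):
        recs.append({"src": "10.0.0.2", "dst": f"192.0.2.{i}", "dst_port": 22, "hassh": ADMIN_HASSH})
    return recs


def detect_by_hassh(records, bad_hasshes):
    """Narrow IOC: flag sources whose client HASSH is on the blocklist."""
    return {r["src"] for r in records if r["hassh"] in bad_hasshes}


def detect_by_fanout(records, threshold=10):
    """Behavioural rule: flag internal sources opening SSH to many distinct
    external hosts, regardless of which client library they use."""
    targets = defaultdict(set)
    for r in records:
        if r["dst_port"] == 22 and is_internal(r["src"]) and not is_internal(r["dst"]):
            targets[r["src"]].add(r["dst"])
    return {src for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    log = build_sample_log()
    print("old/new HASSH:", OLD_HASSH, NEW_HASSH)
    print("HASSH rule flags:  ", detect_by_hassh(log, {OLD_HASSH}))  # misses 10.0.2.9
    print("fan-out rule flags:", detect_by_fanout(log))              # catches both
```

The HASSH-only rule is blind to the host running the rebuilt binary, because the fingerprint is just an MD5 over the client's advertised algorithm lists and any library update that touches those lists produces a new hash. The fan-out rule keys on behaviour the bot cannot change without giving up its purpose, which is the diary's point: keep fingerprint matches as supporting evidence, but alert on the outbound SSH volume itself.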
Host: Johannes B. Ullrich
Main Theme:
A concise rundown of the latest cyber security developments focusing on SSH-based malware updating to new libraries, a critical Exchange Server 0-day under active exploitation, an important Microsoft Authenticator security update, and a new Linux kernel vulnerability.
[00:25 – 02:00]
Topic Overview:
- ISC diary by SANS.edu undergraduate intern Gokul Prema Tangawell on the ever-present SSH brute-force bots, which guess usernames and passwords and then drop modified authorized_keys files to create persistent backdoors.
- The scanning binary has been subtly modified: it now uses a newer libssh library.
Key Insights:
- The same authorized_keys file left behind has served as an indicator of compromise for this bot family.
- HASSH values fingerprint the SSH client's connection details and have been used to identify the malware; the switch to the new libssh alters these hashes, challenging existing detection tactics.
Practical Takeaway:
- Don't make indicators of compromise too specific. A large volume of outbound SSH connections from one internal host is a strong sign it is trying to infect others, whether or not the known HASSH is present.
[02:00 – 04:00]
Topic Overview:
- Microsoft disclosed an unpatched cross-site scripting vulnerability in Exchange Server 2016, 2019 and the Subscription Edition, exposed through Outlook Web Access.
Key Insights:
- Microsoft made the issue public because it is already being exploited.
- Microsoft published a workaround (not a patch) that blocks exploitation, provided the Exchange installation has recent updates applied; it reportedly has side effects, for example with calendar functionality, and Microsoft's write-up has been updated over the last few days.
Practical Takeaway:
- Apply the workaround and keep checking Microsoft's write-up; the known side effects are less severe than being exploited.
[04:00 – 05:00]
Topic Overview:
- Microsoft Authenticator update for iOS and Android fixing a vulnerability that could expose the authentication token submitted by the app.
Attack Flow:
- The attacker directs the victim to a website and gets them to interact with it; a login-approval prompt appears in Authenticator; once approved, the attacker obtains the token and can bypass Authenticator-based two-factor authentication.
Key Insights:
- Few details are public and no exploitation has been reported; the app should update automatically on both platforms.
[05:00 – 06:00]
Topic Overview:
- New Linux privilege escalation vulnerability that also grants access to the server's private SSH keys and /etc/shadow.
Key Insights:
- Server SSH keys usually don't permit logging in, but they allow impersonation of the server. Patch, and reboot as with most kernel patches.
For more details or to read contributors’ diaries, visit SANS Internet Storm Center.