
SANS Stormcast Wednesday, March 4th, 2026: CrushFTP Brute Force; Android Patches 0-Day; OAuth Phishing Abuse
Hello and welcome to the Wednesday, March 4, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida, and this episode is brought to you by the SANS.edu Undergraduate Certificate Program in Applied Cybersecurity.

Today's diary is about, well, some brute force attacks against CrushFTP. Actually, I'm not sure if I should even call it a brute force attack. It's really more just looking for common default passwords. However, I just want to make a couple of things clear here. First of all, this is not a vulnerability in CrushFTP. There have been significant vulnerabilities in the past. This is not one of them. All they're looking for is users who set up CrushFTP with an admin user of crushadmin and the password of crushadmin. I went through the setup of CrushFTP, and as you're setting it up, it basically asks you, hey, what is the username you want to use for CrushFTP? For the admin user, in the documentation, crushadmin is one out of a few that they recommend, kind of, that you use for a username. However, there is no default or recommended password. So really, if you're picking the password crushadmin, it's on you. It's your mistake. It's nothing really that CrushFTP did wrong here, other than, well, maybe they should prevent some really stupid passwords like that.

And today's also Android Patch Tuesday. So with that, we got patches from Google for 140 different vulnerabilities. Noteworthy here is one vulnerability that affects the Qualcomm display drivers, and this particular vulnerability is already exploited in the wild. And well, it's one of those memory management issues. They have released a patch for it now with this update. So make sure that you're keeping your Android phones updated, even though, as I always say, it may take a while for these patches to actually show up for you, depending on what particular phone you have and what carrier you're using.

When people talk about OAuth, they often get lost sort of in some of the little technical details, when not to use proof keys and the like. And while all of this is important, there's really sort of one big problem with OAuth, and that's user perception: basically, how the user really perceives all these redirects and permissions and prompts and such that they're being faced with as they're logging in via OAuth. Microsoft now documented a phishing campaign that takes advantage of some of that confusion. What they're doing is they're basically using the OAuth redirect URL. And what happens here is that the attacker is basically presenting a link as part of a phishing email that links to a legitimate Microsoft website, in this case their OAuth endpoint. But of course the rest of the OAuth authentication data is invalid. They do present a redirect URI. And, well, what OAuth does is, if it can't make sense of the request, it'll just send you back to the redirect URI, which then is the phishing page. Since the user originally clicked on something that was a valid Microsoft link, they are now much more likely to fall for the phishing attack, because they may not necessarily revalidate the URL after all these redirects are done, which of course are usually invisible to the user. So the end effect here is that the victim is then being tricked into downloading malware from a website that's absolutely not affiliated with Microsoft. So your classic sort of malware-style phishing attack. And then this malware installs various spyware, credential stealers, or whatever the attacker came up with in this case.

And just a reminder about something that I covered here, I think last week, and that's Google API keys. It used to be that Google API keys weren't supposed to be secrets and that you could easily include them in JavaScript, in various Android or other apps on the client. That has changed since Google's AI offerings were released. And we now have victims that basically got stuck with bills of tens of thousands of dollars for exposing their API key. So please double-check if you are exposing these API keys; either invalidate them or refer to Google's documentation on how to properly secure them. But yes, this is an ongoing issue.
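The redirect_uri trick described in the episode can be screened for on the defensive side without knowing why the identity provider bounced the request: pull the redirect_uri out of any link that points at a known authorize endpoint and check where it would actually send the user. The Python below is an added example, not code from the podcast or from Microsoft's write-up. The trusted identity-provider host, the allow-listed redirect host, and the sample e-mail body with its client_id values are all constructed for illustration; a real deployment would load the allow-list from the organisation's own app registrations.

```python
"""Flag OAuth authorize links whose redirect_uri leaves the allow-list.

Added example for illustration only. Host names, client_id values and the
sample e-mail are constructed; nothing here comes from a real incident.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Hypothetical (constructed): identity-provider hosts whose authorize endpoint
# users are expected to see in legitimate sign-in links.
TRUSTED_AUTHORIZE_HOSTS = {"login.microsoftonline.com"}

# Hypothetical (constructed): hosts the organisation's own applications have
# registered as OAuth redirect targets. Anything else in redirect_uri is suspect.
ALLOWED_REDIRECT_HOSTS = {"app.example-corp.invalid"}

# Crude URL extractor for message bodies; trailing sentence punctuation is stripped.
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def analyze_oauth_link(url):
    """Classify one URL.

    Returns {'verdict': 'not_oauth' | 'ok' | 'suspicious',
             'reason': <text>, 'redirect_hosts': [<host>, ...]}.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in TRUSTED_AUTHORIZE_HOSTS:
        return {"verdict": "not_oauth",
                "reason": "host is not a trusted identity provider",
                "redirect_hosts": []}

    # parse_qs percent-decodes values, so an encoded redirect_uri comes back
    # as a plain URL that urlsplit can take apart.
    params = parse_qs(parts.query)
    redirects = params.get("redirect_uri", [])
    if not redirects:
        return {"verdict": "ok",
                "reason": "identity-provider link without redirect_uri",
                "redirect_hosts": []}

    hosts, problems = [], []
    for target in redirects:  # the parameter could appear more than once
        tparts = urlsplit(target)
        thost = (tparts.hostname or "").lower()
        hosts.append(thost)
        if tparts.scheme != "https":
            problems.append(f"redirect_uri uses scheme {tparts.scheme!r}")
        if thost not in ALLOWED_REDIRECT_HOSTS:
            problems.append(f"redirect_uri host {thost!r} is not allow-listed")

    if problems:
        return {"verdict": "suspicious", "reason": "; ".join(problems),
                "redirect_hosts": hosts}
    return {"verdict": "ok", "reason": "redirect_uri on allow-listed host",
            "redirect_hosts": hosts}


def scan_text(text):
    """Return findings for every suspicious OAuth link in a message body."""
    findings = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")
        result = analyze_oauth_link(url)
        if result["verdict"] == "suspicious":
            findings.append({"url": url, **result})
    return findings


# Constructed sample: one lure that bounces off the IdP to an outside host,
# one legitimate sign-in link, one unrelated link.
SAMPLE_EMAIL = """\
Your mailbox quota is almost full. Review it here:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000&response_type=code&redirect_uri=https%3A%2F%2Fdownload.attacker-example.invalid%2Freview&scope=openid

Normal sign-in for the HR portal:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-1111-1111-1111-111111111111&response_type=code&redirect_uri=https%3A%2F%2Fapp.example-corp.invalid%2Fcallback&scope=openid

Unrelated link: https://www.example.com/news
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {finding['url']}\n  -> {finding['reason']}")
```

The check deliberately ignores the other OAuth parameters: whether the identity provider accepts or rejects the rest of the request, the user ends up wherever redirect_uri points, so that host is the thing worth allow-listing. It is a coarse screen, not a verdict on the message, and it only catches the pattern the episode describes; a redirect_uri on an allow-listed host that itself forwards elsewhere would pass.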
Host: Johannes B. Ullrich
Episode Theme: Key cyber security updates on CrushFTP password attacks, critical Android zero-day patch, recent OAuth phishing abuse, and urgent Google API key exposure risks.
Johannes B. Ullrich delivers a concise daily roundup of cybersecurity events shaping the day. This episode zeroes in on CrushFTP password attacks against the default administrator account (username: crushadmin, password: crushadmin), the critical Android zero-day patch, the recent OAuth phishing abuse, and Google API key exposure risks.
Stay safe, keep systems updated, reevaluate public code for secrets—and don’t assume that just because a login starts with a real provider’s domain, it’s safe.