
SANS Stormcast Wednesday, May 6th, 2026: Cleartext Passwords in Edge; SSL.com Root Rotation; DAEMONTOOLS Backdoor;
Hello and welcome to the Wednesday, May 6, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida, and this episode is brought to you by the SANS.edu Graduate Certificate Program in Industrial Control System Security.

Well, in diaries today we got two kind of news items from Rob. First, one affects Microsoft Edge. Microsoft Edge manages passwords, like all browsers pretty much do these days, and, well, it stores passwords in an encrypted file on your system. However, once you start Edge, it will load all of these passwords into the browser's memory and decrypt them, even though you as a user have to sort of authenticate yourself for each password individually as you use it to prefill these passwords into a website, while the passwords are already decrypted in memory. So as Rob points out, this is sort of more a little bit security theater. So what's the threat here? Well, at first you may say, well, it's not really a big deal, because in order to gain access to the memory you have to be logged in as the user. If you are having all the privileges of the user, you can probably do things like capture keystrokes, load browser extensions and things like this. So you would have access to the passwords as they're being used. But the big risk here is that an attacker can get bulk access to all of your passwords even with timely, very limited access to your system. The other problem, of course, is that any kind of memory leak, and browsers sadly are kind of known for them, could be exploited in order to then gain access to these passwords, given the exact nature of the memory leak, of course. So that's the real risk here. That's why Microsoft probably should do something about it and fix it, even though they classified it as intended behavior when it was reported to Microsoft.

Other browsers do this a little bit differently, and your best bet still is to go with a third-party password manager. Some of them had similar issues in the past, but fixed them, because, well, after all, keeping your password secure, that's the primary mission of a password manager. So they tend to be a little bit more detail-oriented when it comes to protecting your passwords.

Second news item here is that SSL.com, one of the larger commercial certificate authorities, is rotating their root certificates today. Ideally, nobody really should worry about this or should notice it. Typically, whenever you update your operating system and such, there are often updated root certificate authority files being loaded into your operating system. However, well, reality is it depends a little bit on how you're managing your root certificates. In particular, in the Unix world there are sometimes several sort of certificate authority files that are on your system. Also, if you're doing things like mutual TLS or such, you may have very specific root certificates. And then, in particular in mobile applications, many developers are these days using certificate pinning or at least certificate authority pinning, where they only allow certificates from a specific certificate authority to be used in order to protect themselves from rogue certificate authorities. Or, well, attackers are good at social engineering, being able to obtain a certificate to impersonate a particular company. So that's why you probably should double-check and make sure how you're using SSL.com's certificates, if you're using them at all. Again, if you're just using them in a browser and not managing any servers using them, then nothing really to worry about.

Another little side issue here that's not just SSL.com: remember that certificate authorities, and I'm talking about public certificate authorities, will no longer issue certificates that are server and client certificates; you typically only get server certificates now. This has recently been changed, and this is in particular an issue if you are doing mutual TLS, because then, well, if you're using the same certificate for the server as well as the client function, well, you must have both of these properties set in your certificate. For mutual TLS, most people are using internal certificates, particularly if you're using it sort of between containers and such in, like, a microservices architecture. So again, shouldn't really worry you too much. But if you're using any public certificate authorities for some externally exposed mutual TLS purposes, then this may be a problem for you.

And today's supply chain compromise was found by Kaspersky and does affect DAEMON Tools. If you're not familiar with DAEMON Tools, well, the name already sounds a little bit malicious, but it's not. It's a set of usually legitimate tools that can be used to mount various disk images. They exist for Mac and Windows. Kaspersky talks about the Windows version. Not sure if the Mac version got compromised too, but if you're downloading a version of DAEMON Tools from the legitimate website, you will receive a malicious version of DAEMON Tools, basically a backdoored one that is also signed with a legitimate DAEMON Tools certificate. So it looks like a complete compromise of the website and their build architecture. Wouldn't be surprised if the Mac version has similar malicious code embedded. Haven't had a chance to give it a try yet. Once you're running the malicious version, it will access a site called demontools.cc. Now, the legitimate website for DAEMON Tools is daemon-tools.cc. So very simple here, easy to mix up.

And I think what's worse is that, according to Kaspersky, the website and the tools were compromised for about a... I, just before recording this, went to the DAEMON Tools website for any kind of notice update. Didn't see anything, but there was also, like, no news or blog or any sort of page like this where you typically would find a notice like this. So not sure if they're aware, not sure if the tools have been replaced with safe versions. At this point I would treat them still as malicious. And if you downloaded DAEMON Tools for the last month, sorry, you have to double-check. Again, they're just downloading the command, and the attacker could have then pretty much executed any command. Kaspersky is documenting in their blog some of the commands that they have seen, and they're basically installs of the usual information stealer backdoors and the like. So nothing too crazy here necessarily, well, basically just your standard malware at this point.

Well, that's it for today. Thanks for listening, for liking, for commenting on the podcast, and a couple of you also sent a little bit of feedback as to what content you would like to see more or less of, what actually helped you. Always really useful. So also in the future, if there is a particular topic that really helped you, let me know, or if there's a topic where you felt that really just wasted your time, let me know that too. And I can basically pick different topics. The goal here is really to make this short and impactful and really help you basically have a better day. So thanks and talk to you again tomorrow. Bye.
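The mutual TLS point above (a certificate used for both the server and the client side of an mTLS connection must carry both Extended Key Usage purposes, and public CAs no longer issue such dual-purpose certificates) is easy to verify against the certificates you actually deploy. The following script is an added example written for this page, not something from the podcast or from SSL.com; it assumes only the `openssl` command-line tool (1.1.1 or newer for `-addext`) and generates its own throwaway test certificates rather than touching any real deployment.

```shell
#!/bin/sh
# Added example (not from the podcast): inspect a PEM certificate's Extended
# Key Usage and report whether it can fill both roles of mutual TLS.
# Assumes the openssl CLI is installed. Every certificate used below is
# generated locally as constructed test data.

# Print the EKU purposes a PEM certificate carries, one per line (nothing if
# the certificate has no EKU extension at all).
cert_eku_purposes() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | awk '/X509v3 Extended Key Usage/ { getline; gsub(/^[ \t]+/, ""); gsub(/, /, "\n"); print }'
}

# Exit status 0 if the certificate is usable as both server and client
# certificate in an mTLS handshake, 1 if either purpose is missing.
mtls_dual_role_ok() {
  ekus=$(cert_eku_purposes "$1")
  printf '%s\n' "$ekus" | grep -q 'TLS Web Server Authentication' || return 1
  printf '%s\n' "$ekus" | grep -q 'TLS Web Client Authentication' || return 1
  return 0
}

# Generate a short-lived self-signed certificate with the given EKU list.
# $1 = output PEM path (the key is written next to it), $2 = EKU list such as
# "serverAuth,clientAuth". Only for constructing test input.
make_test_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1" -subj "/CN=mtls-test" -days 1 \
    -addext "extendedKeyUsage=$2" >/dev/null 2>&1
}

# Demo: one certificate the way an internal CA might issue it for mTLS, one the
# way a public CA issues it today (server authentication only).
workdir=$(mktemp -d)
make_test_cert "$workdir/dual.pem" "serverAuth,clientAuth"
make_test_cert "$workdir/server-only.pem" "serverAuth"
for name in dual server-only; do
  if mtls_dual_role_ok "$workdir/$name.pem"; then
    echo "$name.pem: carries both serverAuth and clientAuth, fine for mTLS"
  else
    echo "$name.pem: missing a purpose, do not use it for both mTLS roles"
  fi
done
rm -rf "$workdir"
```

Point `mtls_dual_role_ok` at the PEM files your services load for mutual TLS; anything that reports a missing purpose will fail the handshake on the side whose role it lacks, which is exactly the situation the podcast warns about for externally exposed mTLS backed by a public CA.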
Host: Johannes B. Ullrich
Main Theme:
A concise review of three key cybersecurity developments affecting browser password security (Edge), certificate authority updates (SSL.com), and a major supply chain compromise (DAEMONTOOLS).
[00:30 – 03:00] Microsoft Edge: saved passwords decrypted in memory
Issue Description:
Security Implications:
Industry Perspective:
Notable Quote:
"It's sort of more a little bit security theater... at first you may say, well it's not really a big deal, because in order to gain access to the memory you have to be logged in as the user... But the big risk here is that an attacker can get bulk access to all of your passwords even with timely, very limited access to your system."
— Johannes B. Ullrich [01:10]
[03:00 – 05:00] SSL.com root certificate rotation
Background:
Practical Considerations:
In practice, the effect depends on how organizations handle root certificates:
If you use SSL.com certificates in a managed infrastructure or in mTLS, double-check:
Recent Policy Change:
Notable Quote:
"If you're just using them in a browser and not managing any servers using them, then nothing really to worry about."
— Johannes B. Ullrich [04:10]
[05:00 – 07:20] DAEMON Tools supply chain compromise
Incident Overview:
Scope & Risk:
Disclosure & Response:
What the Backdoor Does:
Advice:
Notable Quotes:
"If you're downloading a version of DAEMONTOOLS from the legitimate website, you will receive a malicious version... signed with a legitimate DAEMONTOOLS certificate. So it looks like a complete compromise."
— Johannes B. Ullrich [05:30]
"I would treat them still as malicious. And if you downloaded DAEMONTOOLS for the last month... you have to double check."
— Johannes B. Ullrich [06:30]
On Password Security:
“Your best bet still is to go with a third party password manager. Some of them had similar issues in the past, but fixed them…and they tend to be a little bit more detail oriented when it comes to protecting your passwords.”
[02:10]
Regarding Supply Chain Risks:
“Wouldn't be surprised if the Mac version has similar malicious code embedded—hadn’t had a chance to give it a try yet.”
[05:50]
Audience Engagement:
“If there is a particular topic that really helped you, let me know, or if there's a topic where you felt that really just wasted your time, let me know that too.”
[07:30]
Summary:
This episode highlights hidden dangers in browser password management, under-the-hood certificate authority changes that matter to infrastructure admins, and the ongoing risk and real-world impact of supply chain attacks through a live example (DAEMONTOOLS). Johannes' practical advice is aimed at both security professionals and IT admins, with a consistent emphasis on following best practices and staying alert to new threats.