SANS Stormcast Tuesday, April 21st, 2026: CVE and EPSS; Windows Server 2025 OOB; QEMU Abuse;

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9900.mp3

Podcast Transcript

Hello and welcome to the Tuesday, April 21st, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Amsterdam, Netherlands. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Leadership.

Well, I already mentioned that we do have this flood of new vulnerabilities that's currently sort of hitting the CVE database that has caused issues like, for example, NVD no longer being able to really provide enrichment for many of the newly discovered vulnerabilities. So what are some of the alternatives? And we do have an option here by Xavier, the EPSS. EPSS stands for the Exploit Probability Scoring System. And what it attempts to accomplish is to essentially assign a probability to a vulnerability to figure out how likely it is to actually be exploited, which of course then assists you in properly prioritizing this vulnerability. What also makes this interesting is that this is a newer system that was just introduced a few years ago and updated then again three years ago. Well, this system developed by FIRST is based on an automatic generation of these EPSS scores. So that makes it sort of more inherently scalable than some of the work that NIST has been doing. So pretty interesting number that you can add to your vulnerability management process. And to help you out with this, Xavier also demonstrated how to automatically use it to enrich your data. And as an example, Xavier implemented this enrichment in Wazuh. So take a look at the diary and see if this is something that may be useful for your vulnerability management program.

And talking about all the things that can go wrong when you are rolling out patches. Well, Microsoft this weekend did release an out-of-band patch for Server 2025 to address issues that were introduced with the security updates released last Tuesday. Apparently some subset of Server 2025 installs did enter a reboot loop after this patch was installed and for others, well, a patch just didn't apply at all. So in this case, well, take a look at last weekend's update and you probably want to apply that if you're falling into either group. The uninstalled patch, of course, is particularly tricky because that may easily go unnoticed. So any Windows 2025 user probably should take a look at this particular message from Microsoft to figure out, you know, what group you fall into or, well, maybe you're one of the lucky ones where the patch just applied fine.

And we've got an interesting blog post by Sophos pointing to some late developments with the Payout King ransomware. This is not new ransomware, but they sort of have some new tricks up their sleeve. And one interesting trick I find is the use of QEMU. QEMU is an open source virtualization and emulation package. So essentially it allows you to run a virtual machine by itself. It's not malicious software. It's actually quite often used for a lot of good purposes. And as such, of course, anti-malware will not necessarily flag it. But by running this virtualization environment, the attacker is then able to actually run a little virtual machine. They're using Alpine, the stripped down Linux distribution, on your system and hide additional malicious activity inside the virtual machine. Just from using virtual machines all day long in class, well, that often then evades detection because anti-malware, well, endpoint protection does not cover any processes typically happening in a virtual machine, whether it's QEMU, VMware or any other virtualization technology. Within this virtual machine, the attacker then establishes a reverse SSH channel in order to then remotely connect to the virtual machine. And the virtual machine comes preloaded with various attack tools that then can be further used to compromise the system or the rest of your network. So pretty interesting technique. Definitely watch out for QEMU or any virtualization technology that may be deployed unapproved within your network. And well, flag it as possibly malicious. But again, this is something that's often used legitimately. So inventory and knowing where it's needed, where it's legitimately used is certainly an important task here.

Well, that's it for today. So thanks again for listening. Thanks for liking and subscribing to this podcast. And talk to you again tomorrow. Bye.
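The EPSS enrichment step discussed in the transcript, as an added example that is not code from the podcast or from Xavier's diary: it parses a response in the shape FIRST's EPSS API returns (an assumption about the format), attaches the score to each finding, and ranks so that the most likely exploited CVEs come first. The sample JSON and CVE ids are constructed placeholders.

```python
"""Rank vulnerability findings by EPSS. The feed below is a constructed sample
shaped like FIRST's EPSS API (https://api.first.org/data/v1/epss); the CVE ids
are placeholders, not real vulnerabilities."""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample response (assumption: the real API returns one record per
# CVE with "epss" and "percentile" encoded as strings).
SAMPLE_EPSS_JSON = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-2026-00001", "epss": "0.94210", "percentile": "0.99870", "date": "2026-04-20"},
        {"cve": "CVE-2026-00002", "epss": "0.00045", "percentile": "0.12000", "date": "2026-04-20"},
        {"cve": "CVE-2026-00003", "epss": "0.08300", "percentile": "0.93500", "date": "2026-04-20"},
    ],
})

@dataclass
class Enriched:
    cve: str
    epss: Optional[float]        # estimated probability of exploitation in the next 30 days
    percentile: Optional[float]  # rank of this score among all scored CVEs
    tier: str                    # "high" / "medium" / "low" / "unscored"

def parse_epss(json_text: str) -> dict:
    """Map CVE id -> (epss, percentile); malformed records are skipped, not fatal."""
    doc = json.loads(json_text)
    if doc.get("status") != "OK":
        raise ValueError(f"EPSS API status: {doc.get('status')}")
    scores = {}
    for rec in doc.get("data", []):
        try:
            scores[rec["cve"].upper()] = (float(rec["epss"]), float(rec["percentile"]))
        except (KeyError, TypeError, ValueError):
            continue
    return scores

def enrich(cves, scores, high=0.5, medium=0.05):
    """Attach EPSS to each finding and sort the most likely exploited first.
    CVEs absent from the feed (common right after publication, the same gap the
    transcript describes for NVD) are kept as 'unscored' and sorted last, never dropped."""
    rows = []
    for cve in cves:
        hit = scores.get(cve.upper())
        if hit is None:
            rows.append(Enriched(cve, None, None, "unscored"))
            continue
        e, p = hit
        rows.append(Enriched(cve, e, p, "high" if e >= high else "medium" if e >= medium else "low"))
    return sorted(rows, key=lambda r: (r.epss is None, -(r.epss or 0.0)))
```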
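The inventory-driven check the transcript recommends for unapproved QEMU, as an added example that is not code from the podcast or the Sophos post: it compares observed process events against an approved-host inventory and also flags a headless guest booted from a live Alpine ISO, the pattern described above. Hosts, paths and the inventory are hypothetical, and the events are constructed samples.

```python
"""Flag QEMU processes that are not on the approved inventory. Events are
constructed Sysmon-style samples (host, image path, command line), not real data."""
import re
from dataclasses import dataclass, field

# Constructed sample events; hostnames, paths and image names are placeholders.
SAMPLE_EVENTS = [
    ("DEV-WS01", r"C:\Program Files\qemu\qemu-system-x86_64.exe",
     r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 4096 -hda C:\vms\ubuntu.qcow2'),
    ("FIN-WS07", r"C:\Users\Public\Music\qemu\qemu-system-x86_64.exe",
     r'qemu-system-x86_64.exe -m 512 -cdrom C:\Users\Public\Music\alpine-virt.iso -display none'),
    ("FIN-WS07", r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\todo.txt"),
]

# Approved inventory (hypothetical): which hosts may run QEMU, and from which
# install directory. This is the "knowing where it's legitimately used" part.
APPROVED = {"DEV-WS01": r"c:\program files\qemu"}

QEMU_IMAGE = re.compile(r"(^|[\\/])qemu(-system-[\w-]+|-img)?(\.exe)?$", re.I)
HEADLESS = re.compile(r"-(nographic|display\s+none|daemonize)\b", re.I)
LIVE_ISO = re.compile(r"\balpine[\w.-]*\.iso\b", re.I)

@dataclass
class Finding:
    host: str
    image: str
    reasons: list = field(default_factory=list)

def review_events(events, approved=APPROVED):
    """Return a Finding for each QEMU process that is unapproved or looks like a
    hidden guest (headless run of a live ISO); non-QEMU processes are ignored."""
    findings = []
    for host, image, cmdline in events:
        if not QEMU_IMAGE.search(image):
            continue
        reasons = []
        allowed_dir = approved.get(host)
        if allowed_dir is None:
            reasons.append("host not in approved QEMU inventory")
        elif not image.lower().startswith(allowed_dir):
            reasons.append("QEMU running outside approved install directory")
        if HEADLESS.search(cmdline):
            reasons.append("headless guest (no console visible to the user)")
        if LIVE_ISO.search(cmdline):
            reasons.append("boots a live Alpine ISO rather than a managed disk image")
        if reasons:
            findings.append(Finding(host, image, reasons))
    return findings
```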