
SANS Stormcast Tuesday, April 7th, 2026: Redirects in Phishing; Internet Bug Bounty Suspended; Bluehammer; Keycloak MFA Bypass

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9882.mp3


Podcast Transcript

Hello and welcome to the Tuesday, April 7th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Undergraduate Certificate Program in Applied Cybersecurity.

Jan today followed up on a recent diary of mine. In this diary I mentioned that we do see quite a few attackers that are scanning our honeypots for possible open redirects. There are a couple of reasons why they may be doing this, and one of the suggestions was that these redirects are being used for phishing. Jan sort of followed up on that and looked at recent phishing emails and tried to figure out how many of these recent phishing emails are using open redirects. So just to be clear about this, an open redirect is a vulnerability in a website that allows an attacker to essentially use this website as a conduit in a phishing attack, where the user is first being sent to the harmless website, which will then automatically redirect the user to the actual phishing website. This is different from a compromised website, where an attacker did add a redirect like this to the particular website. So these open redirects are indeed used quite commonly. Jan found them in roughly 20 to 30% of the different phishing emails that Jan looked at. And of course they're dangerous insofar as these websites being used as a redirect here usually have a good reputation score, are not malicious, not compromised, and as such can often be used to sort of serve as an early first hop in the phishing email chain, which does allow it to pass through many email filters.

And HackerOne announced last week that they're suspending their Internet Bug Bounty. What was special about the Internet Bug Bounty was that it was really trying to solicit bugs and security vulnerabilities for open source projects. And then the bounty was actually split between the hacker who found the vulnerability and the open source program. Now, the reason behind that suspension is, well, I could have guessed it, that due to AI generated bugs, they have a huge increase in the number of vulnerabilities being reported. However, the story isn't all bad. This is also about many of these vulnerabilities being real and being good findings, but it just takes more time to basically vet them, and of course then for open source projects to fix these vulnerabilities, which is why this program, at least for now, is suspended. It's not discontinued. There was a related post from the maintainer of Curl. Now, he has been very vocal about some of the AI slop he received in the past. But according to him, lately, some of the vulnerabilities, or really issues, being reported are real and certainly valuable. The problem there is just that some of them are really more functional issues and maybe nothing that really should be fixed, depending on the use case of this fairly unique tool curl, which sometimes is supposed to act a little bit different or send some invalid HTTP requests. So we'll see where this all goes. But it looks like there has been, in the last few months, a substantial increase in the quality of vulnerabilities being reported by AI tools.

And talking about bug bounties and how they sometimes can go wrong, there was apparently a dispute between a researcher and Microsoft about a vulnerability in Microsoft Defender. The end result was that the researcher has now published an undocumented proof of concept to GitHub and basically stated, well, this researcher is kind of sick of dealing with Microsoft on this; they're just going to make it public because, well, basically they gave up waiting for Microsoft to either fix it or acknowledge the contribution. Like I said, there wasn't really any documentation of how the exploit really worked. However, since then, a couple of other researchers have figured out that this particular exploit does abuse a time-of-use/time-of-check, or race condition, issue in Microsoft Defender. And as a result, a normal user can either become admin or system. That depends a little bit on the platform, and people had slightly different results here that I saw posted to various social media sites. Also, the code as posted was at least initially not fully functional, but has since been fixed by these researchers who ran it. So it's definitely a valid vulnerability, even though not terribly easy to exploit. And yes, just a privilege escalation vulnerability. And of course, no patch available at this point.

And the popular open source authentication server Keycloak has released an update. Usually I don't talk about moderate severity vulnerabilities, but this one is kind of interesting. It does allow an attacker to remove a second factor from an account that is authenticated via Keycloak. The bug here is a vulnerability in the REST API, where an attacker can essentially send a request and does not actually have to have possession of the second factor in order to remove it from the account. And of course, an attacker who just has username and password could use this to then bypass multi-factor authentication. There are a number of other vulnerabilities being patched in this update. So definitely take it seriously and do update it. In particular, this vulnerability also appears to be relatively easy to exploit.

Well, and this is it for today. Just a quick note that there will be no podcast on Friday this week due to my travel schedule. But other than that, I hope you're leaving good reviews on your favorite podcast platform, and talk to you again tomorrow. Bye.
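As an added example (not from the podcast or the ISC diary it discusses), the following Python shows both sides of the open-redirect "first hop" described above: a mail-filter style check that flags links whose redirect parameter points off the reputable host, and a server-side redirect validator that closes the hole. The sample links, host names and redirect parameter names are constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample links, shaped like the ones found in phishing emails (not real).
SAMPLE_LINKS = [
    "https://trusted.example/login?next=https://evil.example/steal",
    "https://trusted.example/out?url=%2F%2Fevil.example%2Fx",  # protocol-relative
    "https://trusted.example/go?u=/dashboard",                  # benign local path
    "https://evil.example/direct",                              # no redirect hop
]

# Assumed parameter names commonly used for redirect targets (hypothetical list).
REDIRECT_PARAMS = {"next", "url", "u", "redirect", "return", "goto", "continue", "dest"}

def external_target(value: str, host: str):
    """Return the destination host if `value` would send the user off `host`, else None."""
    v = unquote(value).strip()
    if v.startswith("//"):            # protocol-relative URLs inherit the scheme
        v = "https:" + v
    p = urlparse(v)
    if p.scheme in ("http", "https") and p.netloc and p.netloc.lower() != host:
        return p.netloc.lower()
    return None

def find_open_redirect_hops(links):
    """Map each link that uses a reputable host as a first hop to its real destination."""
    hops = {}
    for link in links:
        p = urlparse(link)
        for name, values in parse_qs(p.query).items():
            if name.lower() in REDIRECT_PARAMS:
                for v in values:
                    target = external_target(v, p.netloc.lower())
                    if target:
                        hops[link] = target
    return hops

# Assumed allowlist for the hardened server-side redirect handler.
ALLOWED_HOSTS = {"trusted.example"}

def safe_redirect(value: str, default="/"):
    """Fix: only follow same-site paths or allowlisted absolute URLs, else go to `default`."""
    v = unquote(value).strip()
    # A single leading slash is local; "//" and "/\" are treated as external by browsers.
    if v.startswith("/") and not v.startswith("//") and not v.startswith("/\\"):
        return v
    p = urlparse(v)
    if p.scheme in ("http", "https") and p.hostname in ALLOWED_HOSTS:
        return v
    return default
```

The detector only decodes one layer of percent-encoding, so double-encoded targets are missed by it but still rejected by safe_redirect, which falls back to the default for anything it cannot prove local or allowlisted.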