Podcast Detail

SANS Stormcast Friday, February 20th, 2026: DynoWiper Analysis; Vibe Passwords; IDE Extension Vulns; Grandstream GXP 1600 Vuln and PoC

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9818.mp3


Podcast Transcript

 Hello and welcome to the Friday, February 20th, 2026
 edition of the SANS Internet Storm Center's
 Stormcast. My name is Johannes Ullrich, recording today from
 Jacksonville, Florida. And this episode is brought to you
 by the sans.edu graduate certificate program in
 incident response. Today's diary is from one of our
 sans.edu graduates, and in this diary, John Muthers is
 talking about DynoWiper. DynoWiper was recently in the
 news for being found attacking various power plants in
 Poland. It's a wiper, so what wipers usually do is they just
 delete data. They're sometimes claiming to be ransomware, but
 their real goal is just to disrupt the systems. And John
 goes into detail here on how to reverse engineer this
 particular sample and, well, what he learned from it. So in
 this particular case, it actually turned out that the
 malware wasn't really all that complex, even though it was
 attributed to a nation state actor. But, well, you know,
 whatever works. It's not that, just because it's a nation-state
 actor, we get some super complex malware. In this case,
 it's not really obfuscated, which of course makes analysis
 fairly easy. It then just uses a pseudo-random number
 generator to create, essentially, noise that is
 used to overwrite files. You can see more details in John's
 diary, along with some of the tools and the other
 findings he came across as he was looking at this
 particular sample. And with the next story, well, I'm
 including it because, well, I'm surprised that anybody
 would actually even think of this. And that's using LLMs to
 generate passwords. Security company Irregular looked at
 that and basically asked various LLMs to create
 passwords that sort of matched certain requirements, like
 uppercase, lowercase, special characters and such. And what
 came back looked like a reasonable password. But when
 they redid the test, well, they ended up often with
 exactly the same password again, which sort of makes
 sense. And that's really one problem with LLMs: their
 output is deterministic, at least to some extent. Whatever
 randomness, noise, or temperature is being added to the
 output is usually in no way meant to be cryptographically
 random, and sometimes is actually specifically not meant to be
 completely random. Back in the day, and well, as far as AI is
 concerned, it was sort of a month or so ago, people were
 also experimenting by just asking LLMs to produce a
 random number, which even across different LLMs often
 ended up with the same number that they preferred for
 whatever reason. So no surprise here. But, and that's
 the other part here of Irregular's finding, some of
 the passwords that these LLMs commonly suggest have been
 found in the wild. So people are definitely using
 LLMs in this bad way. And well, what you end up
 with is interesting passwords that you will likely find
 across different users. Well, in the past, I've often talked
 about malicious extensions for IDEs like Visual Studio Code.
 The story I have here from Ox Research is not about
 malicious extensions, but vulnerable extensions. And one
 sort of common denominator here is that some of these
 extensions are setting up an HTTP API on localhost, and
 they're not properly protecting it against any
 requests being sent by JavaScript from a third-party
 website. So the issue here is that a developer who is
 running Visual Studio Code, has the extension loaded, and is
 visiting a malicious website, and then as a result, this
 malicious website now has access to the extension, and
 with that, access to the developer's code. So this is
 not easily prevented, and likely the four extensions
 that they have here are really just the tip of the
 iceberg. Now, two of the vulnerabilities they
 identified are not these local server
 vulnerabilities; they actually require changes
 to settings.json or opening a malicious readme
 markdown file. But in my opinion, the most
 important ones here are those loopback web servers. We have
 seen many issues with that concept in the past, where support
 tools and the like did not properly protect those APIs
 and ended up vulnerable as a result. And if you're using
 Grandstream GXP 1600 voice over IP phones, well, you
 probably should get them updated quickly. Rapid7 has
 released details regarding a just patched vulnerability in
 these phones that is relatively easy to exploit.
 It's a stack-based buffer overflow and of course there's
 lots and lots of prior work on how to exploit this type of
 overflow. Rapid7 had no problem coming up with a
 fairly simple exploit for it. It does not require any
 authentication and does allow full root access to the
 affected phone. So definitely something you do want to take
 care of. Remember, these phones are essentially Linux
 or Unix devices, so once one of these phones is compromised, it
 could easily be leveraged to attack other
 systems on your network. Well, and that's it for today.
 Thanks for liking. Thanks for subscribing to this podcast
 and talk to you again on Monday. Bye.