Handler on Duty: Johannes Ullrich
Threat Level: green
Podcast Detail
SANS Stormcast Tuesday, July 7th, 2026: RCS and DNS; OpenSSH Update; Beyond Trust Advisory; PolinRider Update
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9996.mp3
My Next Class
Click HERE to learn more about classes Johannes is teaching for SANS
RCS and DNS: The NAPTR Record
https://isc.sans.edu/diary/RCS%20and%20DNS%3A%20The%20NAPTR%20Record/33124
OpenSSH 10.4 released
https://seclists.org/oss-sec/2026/q3/62
Beyond Trust Advisory CVE-2026-40138 CVE-2026-40139
https://www.beyondtrust.com/trust-center/security-advisories/bt26-03
PolinRider: North Korea-Linked Supply Chain Campaign
https://socket.dev/blog/polinrider-north-korea-linked-supply-chain-campaign-expands
My Upcoming Classes
https://www.sans.org/profiles/dr-johannes-ullrich
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 13th - Jul 18th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Online | British Summer Time | Jul 27th - Aug 1st 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 21st - Sep 25th 2026 |
| Network Monitoring and Threat Detection In-Depth | Amsterdam | Nov 9th - Nov 14th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 14th - Dec 18th 2026 |
Podcast Transcript
Hello and welcome to the Tuesday July 7th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. This episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Engineering. Today I wrote a quick diary about, well, less well-known DNS records. I noticed recently in my home network that there were a couple of lookups for NAPTR records. And while this was a record I wasn't really familiar with, it has been around, it has been defined for a while since around 2000. That's when the RFC was released and the record itself looked, well, interesting and somewhat dangerous in that it allows you to rewrite results using regular expressions. And we all know regular expressions, lots of sort of implementation issues around that. Well, it turns out it wasn't an attack, it was normal traffic. Apparently it's used as part of the rich communication services that's the underlying protocol that's being used for RCS. So RCS has been introduced in recent years and particularly the last couple of years been deployed more and more with iOS and Google and Android replacing SMS more and more with RCS. So RCS is essentially a more modern version of SMS. It gets rid of some of sort of the old really sort of voice network based craft that sort of stuck around with SMS and makes it more a standard internet protocol for IP using SIP as one of its sort of transport mechanisms here for the messages. The NAPTR records are here used without actually taking advantage of the regular expressions. They're really just used to communicate essentially where to connect to. I've seen them for Verizon and AT&T in my network, but of course know what exact records you'll see will depend on your telecommunication provider that you are using. I also got a comment to this on LinkedIn and the user here commented that there is apparently an international e-invoicing protocol that does take advantage of NAPTR records. Wasn't familiar with that protocol and not sure how widely it is being used, but appears to be an international standard. So maybe more visible sort of in some multinational companies or so that may be taking advantage of that protocol. As always, watch your DNS traffic. Watch out for these odd records and try to understand what's going on. And again, it's often not malicious. It's just a new technology that has been deployed in the network, and it's often good to know about these new technologies. And we have a new version of OpenSSH 10.4. It fixes a number of security issues. None of them I would call sort of urgent or critical. There are a couple of interesting ones with SFTP where a client could be tricked into writing files into the wrong directory. So that may be worth paying some attention to. But there are also some new features, for example, some post-quantum signature algorithms that are now supported. With OpenSSH, what you'll usually find is that you won't see OpenSSH version 10.4 in current distributions for a while. But many of the security features are sometimes backported to older versions. So definitely watch out for new updates, even if they're not called OpenSSH 10.4. And BeyondTrust has released an advisory identifying four different recently patched vulnerabilities. Two of these vulnerabilities do allow authentication bypass, which, well, for an authentication product like BeyondTrust, of course, is critical. They don't specify which exact configurations are vulnerable. But as part of the advisory, they state that only specific configurations are vulnerable. Of course, that's not very helpful. And you better apply the patch if you self-host BeyondTrust. Interestingly, you need to apply the April rollup here. So it appears that the April rollup did patch some so far undisclosed vulnerabilities. And Socket .dev has a good blog post with updates regarding some of the recent supply chain attacks. In particular, what they're focusing on is a North Korean threat actor that often deploys harmless-looking patches and pull requests to legitimate GitHub repos and then does trick developers to actually use these particular repos as part of fake job interviews. Now, what I found particularly interesting here is that they're going through some steps to make it more difficult to detect the malicious modifications. They do, for example, alter the Git history in that way. It's more difficult to identify like, you know, what particular changes were made recently to a particular GitHub repository. And that, of course, makes it more difficult to identify the altered JavaScript files. Now, they historically have mostly been using NPM and Node.js, but lately have also been branching out to Go and to Google Chrome extensions. That would be, as always, careful with this. And I think the main takeaway here is that you can't just sort of, you know, rely on a quick eyeballing of the Git history in order to identify some of these malicious changes. Well, thanks for listening. Thanks for liking. Thanks for subscribing. And as always, if you like this particular podcast, please recommend it to others and talk to you again tomorrow. Bye.





