
SANS Stormcast Thursday, April 23rd, 2026: Stealing Telegram Sessions; Oracle CPU; Firefox Patches

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9904.mp3



Podcast Transcript

Hello and welcome to the Thursday, April 23rd, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Amsterdam, Netherlands. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Penetration Testing and Ethical Hacking.

Today we got another diary by one of our SANS.edu undergraduate interns. L Carty writes about how their honeypot got compromised. Initially it looked like, well, your run-of-the-mill compromise. It did sort of check for crypto miners, tried to kill them, which is very typical for sort of these mining scripts that take over Linux systems with weak passwords. But then things kind of changed. The script then went and looked for the tdata file in the desktop Telegram folder. This is a typical location on a Linux system where Telegram, the messenger, keeps its session data. So the contents of the tdata file are essentially session IDs that are being used to authenticate the client to Telegram's system. This session data could then easily be copied to another system and used to authenticate as the user. So it's essentially as valuable as the username and password for a particular account. Even worse, if the user had set up two-factor authentication, it doesn't actually matter if the attacker gets hold of this session data. Telegram remains a highly valued platform for criminals, in part because of its easy automation and of course its worldwide infrastructure that is relatively easy to use and widely used, which of course makes it more difficult for organizations to block access to Telegram. Still something that you probably should monitor, and definitely look for access to the tdata file if you have some endpoint protection that can monitor this. For Telegram users, it's also important to keep an eye out for any odd sessions that you see established to Telegram. Telegram in its security settings allows you to monitor which sessions are currently authenticated. So you could look for some devices that you don't recognize and then, of course, log out of systems if you no longer use Telegram on a particular system, in order to invalidate the session data should it get stolen later.

And then we got some breaking news from the Socket research team about yet another security scanner being compromised. This time it's Checkmarx' turn. The Checkmarx KICS scanner was compromised, at least the Docker images that were offered as official Checkmarx Docker images on Docker Hub. In addition to that, apparently also some Visual Studio Code extensions published by Checkmarx were compromised as well. At this point it's still kind of under development here, really, what exactly happened. The first draft or the first version of the Socket blog post was just published about two hours ago as I'm recording this, and they state that they will make updates to this blog post as more details become apparent. But it looks like we are having here some of the typical credential stealer that we have seen in prior attacks like this. So definitely something to be very careful about. If you're using Checkmarx KICS and you did download images from Docker Hub today, you definitely want to double check and make sure that you didn't download any of the compromised images. Same is also true, of course, for any Visual Studio Code extensions. So for this particular attack, there's no statement from Checkmarx that I have seen yet, but again, we're fairly early on here. They're probably, hopefully, I would say, still working on figuring out exactly what happened before they make any statements here. At this point also the malicious Docker images were rolled back. So currently they're not available anymore on Docker Hub. But then again, it's not really clear yet how long these images were available. So double check if you're using any of Checkmarx's code. And like we had with the previous scanner event and such, this is likely going to then lead to additional compromises down the road.

And Oracle today published its quarterly patch update. This particular update fixes 481 different vulnerabilities, which isn't that unusually high of a number for Oracle. Remember, this again is across these dozens and dozens of applications that Oracle distributes. Nothing has sort of stood out in this particular update. There are a number of vulnerabilities that do allow unauthenticated remote exploitation, not necessarily code execution, but many of these vulnerabilities are labeled with CVSS scores in the 9.9 range. Didn't see a perfect 10 when I skimmed the list. But as usual with Oracle, for all the details, you must log in to an Oracle customer account anyway to really figure out what these vulnerabilities are all about. And then, of course, figure out which of these applications actually apply to you. One of the critical vulnerabilities also affects MySQL, which of course is part of Oracle's portfolio. But well, you may be running it without actually being sort of an official Oracle customer.

And talking about patching a lot of vulnerabilities, Mozilla released Firefox 150. And this version addresses 271 vulnerabilities. Typically, well, a new release like Firefox usually fixes around a dozen or fewer vulnerabilities. This increase in vulnerabilities being addressed in this particular release is linked to Mozilla using the Anthropic Mythos model in order to scan Firefox for vulnerabilities. So they're seeing this as a big win, and I think they have a good point here. The title of the blog where they're introducing and talking about this is called The Zero Days Are Numbered, just because they feel that this gives them a significant head start over attackers looking for vulnerabilities as well. We'll see where this all ends up. I guess in a couple months, we'll see how many more vulnerabilities will be found after these 271 vulnerabilities have been fixed. Hopefully, well, we'll see a significant decline in the number of vulnerabilities being found and exploited. As usual, keep your browsers up to date. Restart them once a day in order to make sure that the latest updates are applied at least once a week. Double check whether or not you are actually running the latest version of your favorite browser.

Well, and this is it for today. So thanks for liking. Thanks for subscribing. And as always, if you have any feedback, if you think I should have covered a story that I missed or should have spent less time on a particular story, please let me know. Thanks and talk to you again tomorrow. Bye.
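The advice in the Telegram segment to watch for access to the tdata store can be turned into a small detection. The following is an added example, not code from the podcast or the diary: it correlates Linux audit SYSCALL and PATH records (as emitted by an auditd file watch on the tdata directory) and flags any read by a binary other than Telegram Desktop. The tdata path, the allowed Telegram binaries and the audit lines are assumptions and constructed samples.

```python
import re
from collections import defaultdict

# Records would come from an audit watch such as (path is the assumed Linux
# default for Telegram Desktop; adjust for your installs):
#   -w /home/<user>/.local/share/TelegramDesktop/tdata -p r -k tdata
TDATA_RE = re.compile(r"/TelegramDesktop/tdata/")
# Binaries expected to read the session store (assumption, site-specific)
ALLOWED_EXE = {"/opt/Telegram/Telegram", "/usr/bin/telegram-desktop"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")

def parse_record(line):
    """Split one audit record into a dict of fields; strip quoting from values."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(line)
    fields["_serial"] = m.group(2) if m else None  # joins SYSCALL and PATH records
    return fields

def detect_tdata_access(lines):
    """Return (serial, pid, exe, path) for every tdata read not made by Telegram."""
    events = defaultdict(dict)  # serial -> merged fields of one audit event
    for line in lines:
        rec = parse_record(line)
        if rec["_serial"] is None:
            continue
        ev = events[rec["_serial"]]
        if rec.get("type") == "SYSCALL":
            ev.update(pid=rec.get("pid"), exe=rec.get("exe"), comm=rec.get("comm"))
        elif rec.get("type") == "PATH" and TDATA_RE.search(rec.get("name", "")):
            ev["path"] = rec["name"]
    return [(s, ev.get("pid"), ev.get("exe"), ev["path"])
            for s, ev in sorted(events.items(), key=lambda kv: int(kv[0]))
            if "path" in ev and ev.get("exe") not in ALLOWED_EXE]

# Constructed sample records: Telegram itself (501), a copy tool (502), an unrelated read (503)
SAMPLE_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1776950400.101:501): arch=c000003e syscall=257 success=yes exit=3 pid=4211 uid=1000 comm="Telegram" exe="/opt/Telegram/Telegram" key="tdata"',
    'type=PATH msg=audit(1776950400.101:501): item=0 name="/home/user/.local/share/TelegramDesktop/tdata/key_datas" nametype=NORMAL',
    'type=SYSCALL msg=audit(1776950400.250:502): arch=c000003e syscall=257 success=yes exit=3 pid=4300 uid=1000 comm="cp" exe="/usr/bin/cp" key="tdata"',
    'type=PATH msg=audit(1776950400.250:502): item=0 name="/home/user/.local/share/TelegramDesktop/tdata/settings1" nametype=NORMAL',
    'type=SYSCALL msg=audit(1776950400.300:503): arch=c000003e syscall=257 success=yes exit=3 pid=4301 uid=1000 comm="cat" exe="/usr/bin/cat" key="tdata"',
    'type=PATH msg=audit(1776950400.300:503): item=0 name="/home/user/.bashrc" nametype=NORMAL',
]

if __name__ == "__main__":
    for serial, pid, exe, path in detect_tdata_access(SAMPLE_AUDIT_LOG):
        print(f"audit event {serial}: pid {pid} ({exe}) read {path}")
```

Only event 502 is reported; the Telegram client's own read and the unrelated file read are ignored.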