
SANS Stormcast Wednesday, April 8th, 2026: Pivoting for Webshells; WatchGuard Firebox Patch; Project Glasswing; Kubernetes Misconfigurations

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9884.mp3



A Little Bit Pivoting: What Web Shells are Attackers Looking for Today?
https://isc.sans.edu/diary/A%20Little%20Bit%20Pivoting%3A%20What%20Web%20Shells%20are%20Attackers%20Looking%20for%3F/32874

WatchGuard Firebox Arbitrary File Write via Path Traversal in Fireware Web UI
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00009

Project Glasswing
https://www.anthropic.com/glasswing

Current Threats Against Kubernetes
https://unit42.paloaltonetworks.com/modern-kubernetes-threats/

Upcoming classes Johannes is teaching for SANS:

Network Monitoring and Threat Detection In-Depth | Amsterdam | Apr 20th - Apr 25th 2026
Application Security: Securing Web Apps, APIs, and Microservices | San Diego | May 11th - May 16th 2026
Network Monitoring and Threat Detection In-Depth | Online (Arabian Standard Time) | Jun 20th - Jun 25th 2026
Network Monitoring and Threat Detection In-Depth | Riyadh | Jun 20th - Jun 25th 2026
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 13th - Jul 18th 2026
Application Security: Securing Web Apps, APIs, and Microservices | Online (British Summer Time) | Jul 27th - Aug 1st 2026
Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 21st - Sep 26th 2026

Podcast Transcript

Hello and welcome to the Wednesday, April 8th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cyber Defense Operations.

Now, today I did, as the title of today's diary states, a little bit of pivoting, looking for web shells. I noticed four distinct IP addresses, all associated, interestingly, with Microsoft's cloud services, that scanned our sensors for a specific web shell, turkshell.php. Nothing that's sort of fancy or special about this particular web shell, but web shells are sort of the backdoor, the type of sort of persistent mechanism being deployed against vulnerable web applications, either with remote code execution or with an arbitrary file upload vulnerability. And then they're not just used by the original attacker, but there are also parasitic attackers. And that's apparently what we have here: attackers that are looking for pre-installed web shells and are trying to exploit them, because attackers often don't pick strong passwords either. And that's what I then looked into further: looked at those four IP addresses and what other URLs they were scanning. And it turned out, well, it was over 200 different URLs they looked for, all of them apparently associated with web shells. There were a couple in there where I think they looked for vulnerabilities or really just did some fingerprinting on the site to see maybe what particular web shell may be present. One of the things here, one of the themes in the file names, was also that many of them tried to sort of fit in with WordPress websites. And well, that's no surprise with all the WordPress vulnerabilities around these days, and of course that being sort of a favorite attacker target. Lessons learned here: don't look for just specific web shell names. This particular attacker looked for, I think, 280 or so different file names. There are probably many, many more out there. So you're never going to capture them all, or even close to all. Instead, do some more generic monitoring. Look for new files on file systems and such. That's probably more fruitful than just looking for the list of file names that I posted here as part of this diary.

And talking about arbitrary file writes being used to deploy web shells, WatchGuard actually did release an advisory stating that they have, well, just this type of vulnerability in their Firebox appliances. Now, this doesn't make it that severe, because in this particular instance you have to be authenticated in order to exploit this particular vulnerability. But they also state it can be used for arbitrary file execution. So yes, files are being written into locations that can then be executed. So definitely something that you want to patch. And well, as you patch it, double check that there are no new files on the system.

And I think it was just yesterday that I talked about some of the progress being made in finding software vulnerabilities using AI models. Today, Anthropic did release a new project, Project Glasswing. And what it does is, apparently the latest and greatest model released by Anthropic, Mythos 2, well, it is actually able to find vulnerabilities at a scale that far surpasses what prior models did. In order to responsibly use this model, what Anthropic did here is essentially get sort of something like 30 different companies together that are specifically creating critical software, giving them sort of first access to this new model, to hopefully outpace some of the attackers using similar models to then find the same vulnerabilities. And maybe a year from now, we don't have to talk each week about vulnerabilities in software like we just had with Firebox or other security products.

Now, one of the companies that's participating in Project Glasswing is Palo Alto, and their Project 42 or Unit 42 did publish today an interesting summary of attacks against Kubernetes that they're seeing. I guess the good news is that it wasn't just a passwordless exposed API that was exploited, but instead the attacker had to go through the trouble of actually spear phishing a developer to steal credentials. After that, it became relatively straightforward. The attacker was able to connect to the Kubernetes entry point, deploy their own malicious pod, and then from there on go along and steal various credentials, where the CI/CD pipelines that were exposed to this particular pod that the attacker exploited. Pretty interesting attack, and it really sort of outlines a couple of fundamental configuration issues that are often found in Kubernetes. So if you are deploying Kubernetes, then please make sure to take a look at this post by Unit 42, because it really makes some good points here and outlines some of the real attacks that have been seen by Palo Alto and Unit 42 against these kinds of setups.

Well, and that's it for today. Thanks for liking. Thanks for subscribing. Thanks for recommending this podcast. Remember, no podcast on Friday. But until then, we'll talk to you again tomorrow. Bye. Bye. Bye.
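As an added example, not code from the diary or the podcast: the lesson above is to watch for the scanning behaviour itself rather than a fixed list of web shell names. The Python below runs over constructed Apache combined-format log lines (the probe file names other than turkshell.php are placeholders, not real indicators), flags any source IP that requests many distinct non-existent .php paths, and separates out the ones dressed up as WordPress paths.

```python
import re
from collections import defaultdict

# Constructed sample log lines (Apache combined format); IPs are documentation ranges
# and the probe*.php names are placeholders standing in for the scanner's file list.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Apr/2026:10:01:01 +0000] "GET /turkshell.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Apr/2026:10:01:02 +0000] "GET /wp-content/uploads/probe1.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Apr/2026:10:01:03 +0000] "GET /wp-admin/probe2.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Apr/2026:10:01:04 +0000] "GET /wp-includes/probe3.php?x=1 HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Apr/2026:10:01:05 +0000] "GET /probe4.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Apr/2026:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Apr/2026:10:02:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Apr/2026:10:02:02 +0000] "GET /missing.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# Only the fields we need: client IP, request method, path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

WP_PREFIXES = ("/wp-content/", "/wp-admin/", "/wp-includes/")


def scan_candidates(log_text, min_distinct=4):
    """Map each source IP to the sorted set of distinct .php paths it requested
    that returned 404, keeping only IPs with at least min_distinct such paths.
    A legitimate client rarely 404s on many different .php names; a scanner
    walking a web shell wordlist does."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash the run
        path = m.group("path").split("?", 1)[0]  # drop query string before matching
        if m.group("status") == "404" and path.lower().endswith(".php"):
            probes[m.group("ip")].add(path)
    return {ip: sorted(paths) for ip, paths in probes.items() if len(paths) >= min_distinct}


def wordpress_lookalikes(paths):
    """Subset of probed paths that imitate WordPress directory layout."""
    return [p for p in paths if p.startswith(WP_PREFIXES)]


if __name__ == "__main__":
    for ip, paths in scan_candidates(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} distinct missing .php paths, "
              f"{len(wordpress_lookalikes(paths))} WordPress-styled")
```

The same counting applied to file-system audit events (new files under the web root) is the "more generic monitoring" the transcript recommends; the threshold is a tuning knob, not a fixed rule.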