
SANS Stormcast Friday, May 29th, 2026: @sans_edu research; Honeypot Log; VPN “Toad”; Silent Ransom Group

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9950.mp3



Podcast Transcript

Hello and welcome to the Friday, May 29th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in cybersecurity engineering. At the beginning of each podcast, I always highlight one of the programs of our college, SANS.edu. Today, we also released another volume of our research review journal. This journal collects some of the best papers that students have written over the last year. So certainly something worthwhile browsing through, in particular if you're interested, maybe, in the program itself, to see what our master's degree students are coming up with.

And Guy today took a quick snapshot of his honeypot and looked at, well, what kind of activity there was this last year. And no surprise, there was plenty of activity. It sort of started for Guy in October, really for real, and part of course on some maintenance here on the honeypot. Guy is maintaining a little SIEM that actually can be installed on top of our honeypot, then can be used to create these kinds of summaries. What kind of surprised me here in the summaries is that when we're looking at the file uploads that happen via Cowrie, so these are people connecting via SSH or Telnet, well, there's actually a non-negligible number of PowerShell scripts that were uploaded to these Linux, essentially, honeypots. Not sure if this was just sort of, you know, by mistake, or if they're counting on Windows systems running SSH, or maybe, well, a lot of the more modern Linux distributions also at least come optionally with PowerShell as well. So maybe they count on that. Not sure if the particular PowerShell scripts uploaded to these systems would work on default PowerShell installs on Linux.

And then we got an interesting backdoor in a popular VPN extension for Google Chrome and Edge. This particular VPN, Urban VPN as it's called, according to the blog post, is the most popular VPN in Chrome's web store. A few million downloads are certainly not really unpopular. But what happened here was that, first of all, the opt-out for data collection was implemented badly. So just inverse: if you opted out, you actually opted in, and vice versa. The second part is actually a little bit worse. Like, the first I can sort of see that happened by mistake. The second one actually is that this extension implemented a listener, and that's sort of how JavaScript can basically then send messages to the extension. This is a legitimate mechanism, but in this particular case, it allowed basically any website to control the VPN and even silently drop it if a particular keyword code was sent to the VPN connection. So very easy to basically just turn off the VPN. Also, this VPN was dropping the connection silently, so there was really no obvious indication for the user that they were no longer protected. Be careful what VPNs you run. It's not the first time that we have sort of VPNs with backdoors or other sort of odd functionality, in particular, of course, if they are free.

And the FBI this week published an interesting, a little bit odd, flash alert, where they're stating that a group that they're identifying as the Silent Ransom Group is actually sending people to the victim's location. So the way this usually works is it basically starts out as a tech support scam, where they're attempting to gain remote access to systems. But if that fails, they may actually send someone to the victim's location to insert USB sticks and to gain access to the victim's system. Apparently, law firms are sort of one of the top targets here for this kind of attack. What surprises me is that, of course, the big protection that cyber criminals usually have is the remoteness. So for them to actually send someone to a location is fairly brazen, and I guess the result must be worth the risk.

And if anybody here is still working with Windows Server 2016, there's an interesting issue that came up with the most recent security update, in that Windows will no longer be able to discover a hostname if it's 15 characters long. 15 characters, so I guess just one byte less from a power of two. So that may be a little bit the reason here. But yes, if you're seeing the error "invalid parameter" here for DC locator calls, then you may be affected by this. Check the Microsoft update page. I'll link to it in the show notes. At this point, there is no sort of fix for it. I guess there's a workaround in just renaming your systems to something not 15 characters long.

Well, and that's it for today. Thanks for listening. Thanks for liking. Thanks for recommending, and thanks for commenting, and talk to you again on Monday. Bye.
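The listener the episode describes is the extension-side half of Chrome's external messaging: a page calls chrome.runtime.sendMessage(extensionId, message) and the extension's chrome.runtime.onMessageExternal handler decides what to do with it. The block below is an added illustration of that pattern and is not Urban VPN's code, nor code from the ISC post; the handler is written as a plain function so it runs under Node without a browser, and the command name "disconnect", the allow-listed origin and the attacker origin are assumptions. It shows the weak handler (any origin can drop the tunnel, and nothing is surfaced to the user) next to a hardened one that checks the sender's origin and records a user-visible notification.

```javascript
// Added example, not Urban VPN's code and not from the ISC diary: models the
// externally reachable message listener described above. In a real extension
// the handler is registered with chrome.runtime.onMessageExternal.addListener()
// and a web page reaches it through chrome.runtime.sendMessage(extensionId, msg);
// here it is a plain function so the logic runs under Node. The command name
// "disconnect" and the allow-listed origin are assumptions for illustration.

class VpnState {
  constructor() {
    this.connected = true;     // tunnel is up
    this.notifications = [];   // user-visible messages the extension would show
  }
}

// Vulnerable pattern: trusts every sender and drops the tunnel with no notice.
// `sender` stands in for the chrome.runtime.MessageSender the browser passes in.
function vulnerableHandler(state, message, sender) {
  if (message && typeof message === "object" && message.cmd === "disconnect") {
    state.connected = false;   // silent: nothing is surfaced to the user
    return { ok: true };
  }
  return { ok: false };
}

// Hardened pattern: only a fixed set of origins may issue commands, and a
// disconnect is surfaced to the user. Pair this with an externally_connectable
// "matches" list in manifest.json so unrelated pages cannot even reach the port.
const ALLOWED_ORIGINS = new Set(["https://app.example-vpn.test"]); // assumed origin

// MessageSender carries `origin` in recent Chrome versions and `url` in all;
// derive the origin defensively and treat anything unparseable as untrusted.
function senderOrigin(sender) {
  if (!sender) return null;
  if (sender.origin) return sender.origin;
  try {
    return sender.url ? new URL(sender.url).origin : null;
  } catch (e) {
    return null;
  }
}

function hardenedHandler(state, message, sender) {
  const origin = senderOrigin(sender);
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, reason: "origin not allowed: " + origin };
  }
  if (message && typeof message === "object" && message.cmd === "disconnect") {
    state.connected = false;
    state.notifications.push("VPN disconnected on request from " + origin);
    return { ok: true };
  }
  return { ok: false, reason: "unknown command" };
}

// Drives one handler with a constructed "disconnect" message from the given
// origin and reports what the tunnel and the user would see afterwards.
function simulate(handler, origin) {
  const state = new VpnState();
  const result = handler(state, { cmd: "disconnect" }, { origin, url: origin + "/index.html" });
  return { connected: state.connected, notified: state.notifications.length > 0, result };
}

console.log("vulnerable, attacker origin:", simulate(vulnerableHandler, "https://attacker.example"));
console.log("hardened, attacker origin:  ", simulate(hardenedHandler, "https://attacker.example"));
console.log("hardened, allowed origin:   ", simulate(hardenedHandler, "https://app.example-vpn.test"));
```

The origin check in the handler is the second line of defence; the first is the manifest, since externally_connectable decides which pages may open a channel to the extension at all. Checking both matters because a permissive manifest plus a trusting handler is exactly the combination that lets an arbitrary site turn the tunnel off.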