SANS Stormcast Friday, March 20th, 2026: Cowrie Strings; MSFT Intune Hardening; Unifi Network Update;

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9858.mp3

Podcast Transcript

Hello and welcome to the Friday, March 20th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Cyber Defense Operations.

One of the questions we often get is whether or not any, like, global events are affecting what we are seeing in our logs. Now, we have in the past often seen, like, disasters and such, for example, being used in scams. Guy had an interesting sort of event in his Cowrie honeypot that's a little bit related to what's happening now in Iran. Essentially a message that the attacker added to the command line here that was executed in the honeypot that just says magic payload killer here or leave empty and then Iran bot was here. This is often kind of just used as a little indicator whether or not the commands are actually properly processed. Sometimes sort of strings like this are also being used to identify honeypots, to see what is then actually being returned by the particular shell that they attempt to log into. In this case it wasn't anything remotely sophisticated just yet, sort of another SSH brute forcing attack, and sometimes attackers are really also just, you know, using these strings for notoriety, to maybe be recognized or such. But yes, not everything is sort of nation states if it does mention a nation as part of a string in a payload like this.

Talking about Iran, there was one significant breach that was caused by threat actors associated with Iran, and that was against the medical supply company Stryker. Now I typically don't talk about breaches much unless there's sort of a lesson to be learned or something actionable coming out of it, and that's what we have now: Microsoft as well as CISA released guidelines on how to better secure your Microsoft Intune account. So Microsoft Intune is a mobile device management console, and you can use it to basically figure out, you know, what is installed on mobile devices in your organization, but it also has the remote wipe capability in case, for example, of a physical loss of a device, and that's what the attacker abused here. The attacker apparently did wipe something like 200,000, I think was the number I've seen, devices associated with Stryker, which of course is a catastrophic event for the company. Well, there are a couple of things that you can do in order to prevent this from happening to yourself. First of all, I think one of the biggest things here is just to make sure there is no phishing happening, so some phishing-resistant authentication should happen here. Design your admin controls well, so not every admin needs to be able to delete all 200,000 devices. And then there is an interesting feature called multi-admin approval. Therefore, for sensitive changes like wiping devices you need actually two administrators to come together and approve the event, and that's certainly something, you know, that also adds some additional phishing resistance, but also basically just prevents sort of, for example, a compromised workstation or something like this to be then abused to delete all of your devices. So if you're using any system like this, and I think this does not just apply to Microsoft Intune but other mobile device management systems, definitely take a look and make sure that you have these things properly configured. As far as Iran goes, if this is really the only thing that's happening, it's probably much less than some people were afraid of when it comes to various cyber attacks.

And then we got an update from Ubiquiti for its UniFi Network application. This update fixes two different vulnerabilities. The first one has a perfect 10 as far as the CVSS score goes. It's a path traversal vulnerability that does not require any authentication and could essentially allow an attacker to read arbitrary files, which then may lead to actually compromising the system further. The second vulnerability is a NoSQL injection vulnerability, but it does require authentication. Updates are available for the UniFi Network application. You typically run it on your UniFi gateway, sometimes on distinct Cloud Keys or other devices like that. And then of course the usual advice: don't expose these kinds of admin interfaces to the public, and make sure they're only accessible from the internal network, preferably from specific admin workstations or subnets.

Well, that's it for today, and just a quick note: this Saturday I'll be happy to participate in the SANS.edu commencement, so ahead of it, congratulations to all of our graduates this year. And that's it for today. Thanks for listening, thanks for liking, thanks for commenting, and talk to you again on Monday. Bye.
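The marker strings from the Cowrie story earlier in the episode (an attacker echoing a fixed phrase to confirm its commands run, or to leave a calling card) are easy to pull out of Cowrie's JSON log for review. The script below is an added example, not code from the podcast or from the Cowrie project: it parses constructed `cowrie.command.input` lines, extracts what each session echoed, and groups the markers by session and source address, so an operator can tell a one-off string from one that recurs across a campaign.

```python
import json
import re
from collections import defaultdict

# Constructed sample Cowrie JSON lines (not real traffic). Field names follow the
# cowrie.command.input event; the addresses are documentation ranges.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","session":"a1","timestamp":"2026-03-19T02:11:03Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.10","session":"a1","input":"uname -a; echo 'magic payload killer here'","timestamp":"2026-03-19T02:11:04Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.10","session":"a1","input":"cat /proc/cpuinfo | grep name | wc -l","timestamp":"2026-03-19T02:11:05Z"}
this line is deliberately not JSON, to show the parser skipping it
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"b2","input":"echo 'magic payload killer here'; echo 'Iran bot was here'","timestamp":"2026-03-19T03:40:10Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"b2","input":"cd /tmp","timestamp":"2026-03-19T03:40:11Z"}
"""

# "echo", optional -n/-e style flags, then either a quoted literal or a bare run
# of words that ends at a shell operator.
ECHO_RE = re.compile(r"""\becho\s+(?:-[neE]+\s+)?(?:(['"])(.*?)\1|([^;|&>\n]+))""")


def echoed_markers(command):
    """Return the literal strings echoed in one command line, in order."""
    found = []
    for m in ECHO_RE.finditer(command):
        literal = (m.group(2) if m.group(1) else m.group(3)).strip()
        if literal:
            found.append(literal)
    return found


def command_events(log_text):
    """Yield cowrie.command.input events, skipping lines that are not JSON."""
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("eventid") == "cowrie.command.input" and "input" in ev:
            yield ev


def marker_report(log_text):
    """Map each echoed marker to the sorted sessions and source IPs that used it."""
    seen = defaultdict(lambda: {"sessions": set(), "src_ips": set()})
    for ev in command_events(log_text):
        for marker in echoed_markers(ev["input"]):
            seen[marker]["sessions"].add(ev["session"])
            seen[marker]["src_ips"].add(ev["src_ip"])
    return {k: {f: sorted(v[f]) for f in v} for k, v in seen.items()}
```

Run `marker_report` over a real `cowrie.json` and a marker that shows up from many source addresses is a campaign signature worth tracking; one that appears once is more likely a lone operator testing whether the shell is real.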