SANS Stormcast Friday, February 13th, 2026: SSH Bot; OpenSSH MacOS Change; Abused Employee Monitoring

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9808.mp3

Four Seconds to Botnet - Analyzing a Self-Propagating SSH Worm with Cryptographically Signed C2 [Guest Diary]
https://isc.sans.edu/diary/Four%20Seconds%20to%20Botnet%20-%20Analyzing%20a%20Self%20Propagating%20SSH%20Worm%20with%20Cryptographically%20Signed%20C2%20%5BGuest%20Diary%5D/32708

OpenSSH Update on MacOS
https://www.openssh.org/releasenotes.html

Employee Monitoring and SimpleHelp Software Abused in Ransomware Operations
https://www.huntress.com/blog/employee-monitoring-simplehelp-abused-in-ransomware-operations

Podcast Transcript

Hello and welcome to the Friday, February 13th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And today's episode is brought to you by the SANS.edu Graduate Certificate Program in Cybersecurity Engineering.

In diaries today we have a diary by one of our undergraduate interns, Jonathan Husk, and he wrote about, well, a good old SSH worm. At least that's sort of what it looks like. But there are a couple of interesting things here. One is the use of IRC as a command and control channel. Haven't seen this in a while, but I just last week sort of saw some news articles about some bots using it. So maybe that's an up-and-coming thing again, but maybe it really never went quite away. Anyway, it used to be the most common thing and, well, you know, maybe we should switch our Slack server back to IRC. I would be a big fan of that given some of the issues we had with Slack in the past. Another interesting issue here is one of the passwords that this particular bot attempts is raspberry993311. And apparently it's only trying two different passwords. One is just raspberry, and that makes sense. That used to be a common default password for Raspberry Pis. But this 993311 password, apparently there are a couple of other bots using that, or at least attempting to use it, but I can't really find any record or so that this is for some reason a common default password. If anybody has any ideas here, please let me know.

And then a quick postscript to yesterday's updates from Apple. Today I noticed, connecting to older Linux systems, in particular Ubuntu 20.04, that I received a warning message that the server I'm connecting to does not support any quantum-resistant or post-quantum algorithms. Well, apparently that was a change that was added in OpenSSH 10.1. This update by Apple for macOS moved from OpenSSH 10.0 to OpenSSH 10.2. So with that, this new warning came. It doesn't actually stop the connection or anything. So you don't have to acknowledge it. It's just being printed to the screen that the server you're connecting to does not support any quantum-safe algorithms. And it also gives you a link to a website that explains a little bit more, and I guess is supposed to entice you to upgrade that particular server.

And Huntress Labs came across an interesting, well, living-off-the-land kind of variation. And this particular variation did take advantage of NetMonitor. NetMonitor is software that companies install on employee systems in order to monitor mostly productivity. But like many of these remote monitoring tools, of course, it comes with the ability to also execute code on any monitored systems. This is often necessary just for simple software updates and the like. But also, for example, to further investigate certain behavior and such. Many tools do offer this kind of functionality. If an attacker gets a hold of it, well, they probably won't even say thank you that you instrumented your network for them. You have seen this with other security tools in the past. I think Wazuh was, for example, abused that way. And yeah, other sort of pretty much any kind of remote management tool. Actually, I haven't seen something with Ansible. Maybe that's an idea in case any hackers are listening. If you sort of compromise a company's Ansible server, great way to then, you know, push out malware and such to systems that are controlled by this particular server. So whenever you're building this kind of remote control infrastructure, make sure you're adding the necessary monitoring to really know what exactly is happening with that infrastructure. And of course, you're securing it correctly with the necessary passwords and access restrictions to any control plane within that infrastructure.

And then we got an update from Palo Alto for PAN-OS. This fixes an interesting vulnerability. I don't think it's as severe as some of these vulnerabilities in firewalls we talked about in the past. But the reason I'm including it is because it does allow sort of a persistent denial of service. So in this case, if you have the Advanced DNS Protection feature enabled, an attacker would be able to trigger a restart of the firewall. Now that itself, of course, wouldn't be persistent. But if the restart is triggered a couple of times in a row, then the firewall enters its maintenance mode, which of course means, well, it will no longer reboot and will no longer route any packets. So definitely try to apply this. There's no exploit available for this at this point. But I doubt it will be terribly difficult to come up with an exploit once people reverse the patch.

Well, that's it for today. Thanks for listening. Thanks for subscribing. Special thanks to Nick for the shout-out today, and talk to you again on Monday. Bye.
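An added example, not part of the podcast or the ISC diary, for the OpenSSH warning discussed in the transcript: the condition the client is warning about is that the server's key exchange proposal contains no hybrid post-quantum algorithm. The script below reads the stderr of `ssh -vv user@host`, finds the `debug2: peer server KEXINIT proposal` block and the `debug2: KEX algorithms:` line that follows it, and reports whether the server offers either of OpenSSH's hybrid post-quantum KEX families (`mlkem768x25519-*`, `sntrup761x25519-*`). The script name and the two sample debug transcripts are constructed for this illustration; the debug2 line format and the algorithm names are OpenSSH's own.

```python
"""Check whether an SSH server offers a post-quantum key exchange (KEX).

Hypothetical helper, not part of OpenSSH: it reads the stderr of
`ssh -vv user@host`, locates the server's KEXINIT proposal, and reports
whether a hybrid post-quantum algorithm is in the server's KEX list.
That absence is what OpenSSH 10.1+ clients warn about at connect time.
"""
import re
import sys

# Hybrid post-quantum KEX algorithm name prefixes implemented by OpenSSH
# (e.g. mlkem768x25519-sha256, sntrup761x25519-sha512@openssh.com).
PQ_KEX_PREFIXES = ("mlkem768x25519-", "sntrup761x25519-")

# Constructed sample of the relevant `ssh -vv` lines for an older server:
# only classical (ECDH / finite-field DH) key exchange is offered.
SAMPLE_OLD_SERVER = """\
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
"""

# Constructed sample for a current server. ssh -vv prints the local client
# proposal first in the same format, which is why the parser must key off
# the "peer server" marker and not the first "KEX algorithms:" line it sees.
SAMPLE_NEW_SERVER = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: mlkem768x25519-sha256,sntrup761x25519-sha512,curve25519-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: mlkem768x25519-sha256,sntrup761x25519-sha512,curve25519-sha256,ecdh-sha2-nistp256
debug2: host key algorithms: rsa-sha2-512,ssh-ed25519
"""

KEX_LINE = re.compile(r"^debug2: KEX algorithms: (.*)$")


def server_kex_algorithms(ssh_debug_output):
    """Return the KEX algorithms listed in the server's KEXINIT proposal.

    Returns an empty list if no server proposal is present (e.g. the
    connection failed before key exchange, or the output was not from -vv).
    """
    in_server_block = False
    for line in ssh_debug_output.splitlines():
        if "peer server KEXINIT proposal" in line:
            in_server_block = True
            continue
        if in_server_block:
            m = KEX_LINE.match(line.strip())
            if m:
                return [a.strip() for a in m.group(1).split(",") if a.strip()]
    return []


def post_quantum_kex(algorithms):
    """Filter a KEX list down to the hybrid post-quantum entries."""
    return [a for a in algorithms if a.startswith(PQ_KEX_PREFIXES)]


def assess(ssh_debug_output):
    """Summarise the server's KEX offer; supports_pq is the headline result."""
    algos = server_kex_algorithms(ssh_debug_output)
    pq = post_quantum_kex(algos)
    return {"server_kex": algos, "post_quantum": pq, "supports_pq": bool(pq)}


if __name__ == "__main__":
    # Usage: ssh -vv -o BatchMode=yes user@host 2>&1 | python3 check_pq_kex.py
    # (the file name is hypothetical). With no piped input, the constructed
    # samples above are analysed instead.
    if sys.stdin.isatty():
        inputs = {"sample old server": SAMPLE_OLD_SERVER,
                  "sample new server": SAMPLE_NEW_SERVER}
    else:
        inputs = {"stdin": sys.stdin.read()}
    for label, text in inputs.items():
        result = assess(text)
        verdict = "offers" if result["supports_pq"] else "does NOT offer"
        print(f"{label}: server {verdict} post-quantum KEX "
              f"({', '.join(result['post_quantum']) or 'none'})")
```

The `2>&1` matters because ssh writes its debug output to stderr; `-o BatchMode=yes` keeps the command from blocking on a password prompt, and the server's KEXINIT proposal is still printed before authentication starts, so the check works against a host you cannot log in to. Running it across an inventory of hosts gives a list of servers that will trigger the warning, which is the same set that needs an OpenSSH upgrade before post-quantum key exchange can be used.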