Podcast Detail

SANS Stormcast Monday, March 9th, 2026: YARA-X Update; IP Camera Targeting; Node.js Upgrades; nginx UI Vuln

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9840.mp3

Podcast Transcript

 Hello and welcome to the Monday, March 9th, 2026
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich, recording today from
 Jacksonville, Florida. And this episode is brought to you
 by the SANS.edu graduate certificate program in Purple
 Team Operations. In Diaries this weekend we only got one
 very quick one, and that's an update in YARA-X. This update
 adds a "deps" command for dependencies and it's meant
 for debugging where you have a rule file and you run it
 through a command. It illustrates in a quick graph
 dependencies how different rules depend on each other. So
 yeah for debugging that's probably quite useful. And
 Check Point is reporting that they are seeing an increase in
 attacks against IP cameras. Now Check Point being an Israeli
 company, they are of course focused somewhat on the
 Israeli IP address space and IP cameras, traffic, modern
 cameras and such have been in the news in the recent
 conflict. Well on the other hand it's also really nothing
 new. I'm not sure how you detect an increase in attacks
 against IP cameras because they're all the way at the top
 when it comes to attacked systems on the internet,
 period. Also they have been used in conflicts prior to
 today. Then you know for example in Ukraine there were
 many stories about how IP cameras, security cameras and
 such were being used in this conflict. And well back in I
 think it was 2014 and such we wrote like about Hikvision
 cameras being attacked and many of them for example being
 located along the Panama Canal. So not really sure how
 new this is. But on the other hand news like this of course
 may finally get people to realize that these cameras
 should really not be exposed to the internet and well maybe
 many of them should better be trashed. Now I'm talking about
 things that are either difficult to upgrade or often
 well aren't being upgraded. One of these things is Node.js
 and I've seen numbers where like 70-80 percent or so of
 Node.js installs are out of date and in order to fix that
 the OpenJS Foundation now has initiated a program that
 they're calling their upgrade modernization program. They're
 working together here with Node.js that will provide
 various guides and such and also assistance in moving code
 bases from end-of-life Node.js versions. Now you should
 always be running the LTS, the long-term support version of
 Node.js in particular in production systems. That sort
 of at least reduces the upgrade interval somewhat and
 those are also then the versions that will be
 supported by this program. So if you're running LTS they'll
 provide you essentially with assistance with upgrade guides
 and such. Sadly it doesn't look like there will be sort
 of an easy button or a simple script to update it but it
 will still be a more involved and manual process that the
 Node.js will perform here. Well then we have two critical
 vulnerabilities in Nginx UI. Nginx of course is a popular
 web server. Nginx UI is an optional component and it
 provides you with a user interface to manage your Nginx
 installs. One of the features being offered by Nginx UI is
 the ability to backup your server. Well that's
 vulnerability number one that the API endpoint that controls
 these backups does not use any authentication. Now this may
 not be that terribly bad because you're able to encrypt
 these backups and that's where vulnerability number two comes
 in that the encryption key and the IV is being returned as
 part of an X-Backup-Security header. So with that of course
 it then becomes trivial for an attacker to decrypt the backup
 as well. Definitely get this updated and as I say so often
 Nginx UI it's one of those things you probably don't
 really just want to expose to the open internet. Well and
 this is it for today so thanks again for listening. Thanks
 for liking this podcast. Thanks for any comments either
 publicly or even just send me a private comment. Always
 welcome and don't forget I'll be teaching in Orlando and in
 Amsterdam in April. So if you haven't looked at it yet, if
 you haven't signed up yet, take a look at the classes in
 Orlando. You'll even get a free on demand with your
 class. That's it. Talk to you again tomorrow. Bye.