
SANS Stormcast Monday, March 23rd, 2026: GSocket Backdoor in Bash; Oracle Security Alert; Rockwell Attacks

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9860.mp3


GSocket Backdoor Delivered Through Bash Script
https://isc.sans.edu/diary/GSocket+Backdoor+Delivered+Through+Bash+Script/32816/#comments

Oracle Security Alert CVE-2026-21992 Released
https://blogs.oracle.com/security/alert-cve-2026-21992

Rockwell Automation Reiterates Customer Guidance to Disconnect Devices from the Internet and Harden PLCs to Protect from Cyber Threats
https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1771.html

Podcast Transcript

Hello and welcome to the Monday, March 23rd, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. This episode is brought to you by the SANS.edu Graduate Certificate Program in Penetration Testing and Ethical Hacking.

In Diaries today, we have an interesting malware analysis by Xavier. Xavier looked at a bash script, actually, that took advantage of the GSocket backdoor. GSocket, short for Global Socket, is software and infrastructure that can be used to connect two systems behind NAT to each other. So it's a little bit like STUN and such, where both systems establish an outbound connection. And then the toolkit, well, comes with netcat, ssh and other ways these systems can then communicate. So an interesting little tool; of course, well, no good deed goes unpunished. So this free tool is also being abused, in this particular case, to allow access to the infected machine. There's also some interesting sort of time stomping going on here. Time stomping refers to the attacker changing the last access and last changed dates of a particular file. So for example, as so often, the authorized_keys file is updated. And well, this is then just overwritten, basically, in the sense that the timestamp doesn't change. So a cursory investigation of the system will not really register any different timestamp than before, which may lead an analyst to then ignore this particular file and figure that the attacker didn't touch it.

Now, an interesting correction here: one of our readers, Mittelwert, did add a comment stating that, yes, there was a little mistake here in Xavier's diary. In order to obtain persistence, the script adds itself as a cron job. And it sort of starts with a pkill 0. Well, signal 0 actually doesn't kill the process. It just essentially checks if it's killable, and with that, if it's still running. That way, the attacker doesn't actually kill and restart the process, but just checks: is the process still running? And if so, it will just keep it running. If not, then it will restart it. Anyway, nice little thing, in particular with the timestamping; that's something you usually don't see in sort of simple bash scripts like this. And yes, GSocket is certainly something you want to keep an eye on in your environment.

And on Friday of all days, Oracle came out with a critical security alert. This alert warns of a new vulnerability in Oracle Identity Manager and Oracle Web Services Manager. It does state that exploitation will lead to remote code execution. And it does also say that, well, there is additional security alert guidance if you are an Oracle customer. So definitely refer to it. It does not state that this is already being exploited. And I did a quick search to see if there's sort of any exploit publicly available. Didn't see anything. The only thing I saw was someone offering an exploit for sale for something like $2,500 online. But there's no indication that this exploit actually works. And it's quite likely that this is just some little scam someone is trying to pull sort of around this particular vulnerability. So double check with Oracle if you're affected by this particular vulnerability. Highly unusual for Oracle to release special updates like this.

And Rockwell Automation did publish an important notice, as they call it. And this is actually not about a new vulnerability or anything sort of new and different. But what they're saying is that they have seen reports of their devices being actively targeted. And they basically just want you to double check that these devices are not connected to the Internet. Now, we're often talking here about these OT, this operational technology type devices. So SCADA and the like that are affected here. So just, well, good measure: it has been best practice for a long time that you should not expose these devices to the Internet. And they're just giving you some additional ways to harden these devices as well. So no new vulnerability. But again, there is apparently an increase, or some new attacks being used, against these devices.

Well, and that's it for today. And again, congratulations to all of the SANS.edu graduates who participated in our commencement this weekend. And thanks to anybody who likes or recommends or, well, just leaves a good comment about this podcast. And talk to you again tomorrow. Bye. Bye.
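The two behaviours discussed in the GSocket segment above, the signal-0 liveness probe and an authorized_keys file whose modification time does not change after it is edited, as an added Python illustration that is not code from the diary or the podcast. It assumes a Linux host, where ctime is set by the kernel and cannot be rolled back from userland, and every file and key string in it is a constructed sample.

```python
"""Added example: why a signal-0 probe does not kill anything, and how
ctime exposes a file whose mtime was reset after editing."""
import os
import tempfile
import time


def is_running(pid: int) -> bool:
    """Signal 0 is never delivered; the kernel only checks that the target
    exists and that we may signal it. This is the probe the transcript
    describes: check liveness without restarting the process."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # process exists but belongs to another user
    return True


def self_alive() -> bool:
    """Probe our own pid, which must always report running."""
    return is_running(os.getpid())


def mtime_rolled_back(path: str, tolerance: float = 2.0) -> bool:
    """touch -r / utime() can reset atime and mtime, but every inode change
    (including the utime call itself) bumps ctime, which userland cannot set.
    A ctime well after mtime is the clue a plain 'ls -l' does not show."""
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > tolerance


def demo() -> tuple:
    """Constructed sample: one file written normally, one appended to and
    then given a day-old mtime. Returns (honest_flagged, stomped_flagged)."""
    with tempfile.TemporaryDirectory() as d:
        honest = os.path.join(d, "authorized_keys.honest")
        stomped = os.path.join(d, "authorized_keys.stomped")
        for p in (honest, stomped):
            with open(p, "w") as f:
                f.write("ssh-ed25519 AAAAC3...constructed-legit-key\n")
        with open(stomped, "a") as f:
            f.write("ssh-ed25519 AAAAC3...constructed-extra-key\n")
        day_old = time.time() - 86400
        os.utime(stomped, (day_old, day_old))  # mtime looks old; ctime is now
        return mtime_rolled_back(honest), mtime_rolled_back(stomped)


if __name__ == "__main__":
    print("self alive:", self_alive(), "flags:", demo())
```

On a real host the same ctime/mtime comparison can be run across every authorized_keys, cron entry and profile script that a timestamp-preserving script would typically touch.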