Podcast Detail

SANS Stormcast Monday, January 5th, 2026: MongoBleed/React2Shell Recap; Crypto Scams; DNS Stats; Old Fortinet Vulns

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9752.mp3

MongoBleed/React2Shell Recap; Crypto Scams; DNS Stats; Old Fortinet Vulns

00:00

My Next Class

Application Security: Securing Web Apps, APIs, and Microservices	Orlando	Mar 29th - Apr 3rd 2026
Network Monitoring and Threat Detection In-Depth	Amsterdam	Apr 20th - Apr 25th 2026

… more classes

Cryptocurrency Scam Emails and Web Pages As We Enter 2026
Scam emails are directing victims to confidence scams attempting to steal cryptocurrencies.
https://isc.sans.edu/diary/Cryptocurrency%20Scam%20Emails%20and%20Web%20Pages%20As%20We%20Enter%202026/32594

Debugging DNS response times with tshark
tshark is a powerful tool to debug DNS timing issues.
https://isc.sans.edu/diary/Debugging+DNS+response+times+with+tshark/32592/

Old Fortinet Devices Have not been updated
Over 10,000 Fortinet devices are still vulnerable to a five year old vulnerability
https://www.bleepingcomputer.com/news/security/over-10-000-fortinet-firewalls-exposed-to-ongoing-2fa-bypass-attacks/

iTunes

MP3 Download

RSS Feed

Google

Podbean

Amazon Echo

YouTube

Spreaker

Spotify

Discussion

Application Security: Securing Web Apps, APIs, and Microservices	Orlando	Mar 29th - Apr 3rd 2026
Network Monitoring and Threat Detection In-Depth	Amsterdam	Apr 20th - Apr 25th 2026
Application Security: Securing Web Apps, APIs, and Microservices	San Diego	May 11th - May 16th 2026
Network Monitoring and Threat Detection In-Depth	Online \| Arabian Standard Time	Jun 20th - Jun 25th 2026
Network Monitoring and Threat Detection In-Depth	Riyadh	Jun 20th - Jun 25th 2026
Application Security: Securing Web Apps, APIs, and Microservices	Washington	Jul 13th - Jul 18th 2026
Application Security: Securing Web Apps, APIs, and Microservices	Las Vegas	Sep 21st - Sep 26th 2026

Podcast Transcript

 Hello and welcome to the Monday, January 5th, 2026
 edition of the SANS Internet Storm Center's Stormcast. My
 name is Johannes Ullrich, recording today from
 Jacksonville, Florida. And this episode is brought to you
 by the SANS.edu Graduate Certificate Program in Cyber
 Defense Operations. Well, first podcast of the new year,
 so I want to do a quick recap here. First of all, React2Shell
 still hitting the news every so often here and there.
 Mostly various botnets and such adding it to their
 arsenal, so nothing really too terribly exciting. Secondly,
 MongoBlead. I did a special podcast last week just to sort
 of keep everybody in the loop on this one. Haven't seen a
 ton of news about this, but definitely, you know, number
 one, if you're running MongoDB, make sure that you're
 patched. Secondly, you probably want to make sure
 that MongoDB is not directly exposed to the internet. And
 well, in diaries, we had one this weekend from Brad, who
 wrote about a recent cryptocurrency scam that Brad
 observed. This one is your classic advance fee type scam.
 The attacker is sending spam messages claiming that the
 recipient has some pending cryptocurrency deposit waiting
 for them. The way this is sort of made plausible is that they
 say that the victim signed up for some kind of
 cryptocurrency mining and, well, their cryptocurrency
 that they mined is now basically ready to be
 withdrawn. They're promising quite a substantial amount,
 sort of in the order of one plus Bitcoins. So like a
 hundred thousand dollars are being offered here. And then
 of course, the classic advanced fee scam kicks in
 where the victim is then being asked to deposit for some kind
 of withdrawal fee that of course is then lost. So very
 classic scam here. And of course, playing, of course,
 also on the greed of the victim here that the victim,
 even though they probably know that they don't have anything
 waiting like this, are still attempting to withdraw the
 money because, well, after all. And then I did a quick
 diary a couple days ago about debugging DNS with a tshark.
 tshark, of course, there's an amazing tool. It's of the
 command line equivalent of Wireshark or Wireshark without
 the GUI. The feature I used here is, well, first of all,
 tshark's ability to create some basic DNS statistics, but
 then also for tshark to calculate the response time.
 So for each response you get, well, how long did it take
 since the request to actually detect this response? And with
 that, you can easily create statistics about, you know,
 which of your DNS servers is lagging. And what I found sort
 of interesting here is I use four different sort of public
 recursive resolvers to forward my queries to, and they
 performed pretty much exactly identical. I'm using Comcast.
 Here's my ISP. One of the DNS servers was Comcast DNS
 server, but you have the Quad 1, 8, 9 DNS servers here as
 well. I assume they all have co-located anycast instances
 with Comcast, which sort of leads to some of this effect,
 but it doesn't look like any one of them, at least from my
 perspective, has any performance difference here.
 Another thing that sort of helped me here, and actually
 that's where I did fix at least part of the problem I
 had with DNS performance in my environment was it gives you a
 breakdown by DNS query types. And I had an NTP server that
 is part of the NTP pool, and it did reverse lookups for any
 connection coming into it, which of course reverse
 lookups, these pointer records tend to be slower, tend to
 often fail in timeout. And yes, they exceeded like all
 the other DNS record types that I had in my network. So
 just turning that off in the NTP server actually made a
 little bit of a difference here. So don't forget about T
 -Shark. Great tool to do sort of some network analysis like
 this. Not always for security, but also sometimes just for
 performance. Of course, a lot of this, like what record
 types are being used and such, is quite an interesting and
 important security tool as well. And in this podcast,
 I've often talked about vulnerabilities in security
 systems, firewalls, VPN endpoints, and the like. And
 well, one of the names that often comes up is 40Net. Well,
 Shadow Server now looked at an older vulnerability in 40Net's
 firewalls, CVE-2020, 12,812. This vulnerability is five
 years old. And well, still there are a lot of unpatched
 devices out there. About 10 ,000 according to Shadow
 Server's census of these devices. I think that's a
 great reminder that it's not just about no vulnerabilities
 that vendors often leave in these devices, but also about
 users really have to get a little bit better at patching
 and keeping up to date with their devices. And, you know,
 the thing I have recommended before is sort of a calendar
 reminder to once a month, just check for firmware updates for
 your particular secure devices, particularly in sort
 of a home, small business network setup. I think that's
 useful where you often just have the one sort of gateway
 that you have to keep up to date and also attach a sticker
 to the device with an end of life date, if you know what
 that date will be. So, you know, well, by that date, I
 probably should have replaced this particular device because
 no more updates will be coming. And same when you're
 buying a new device, don't try to buy a new device without
 the vendor telling you for how long they're going to deliver
 security updates for this particular device. Well,
 that's it for today. A little bit of slower start to the new
 year. Nothing really all that breaking and great and
 catastrophic. Luckily, well, Mongo Pleat, I guess, is of a
 little exception here that kept a lot of people certainly
 busy. So, keep that in mind. And with that, thanks for
 listening and talk to you again tomorrow, going back to
 our normal schedule starting this week.
 Thank you.