SANS Stormcast Tuesday, May 5th, 2026: Honeypot Update; MOVEit Patches; Apache http2 Vuln;
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9918.mp3
DShield Honeypot Update
https://isc.sans.edu/diary/DShield%20Honeypot%20Update/32948
MOVEit Automation Critical Security Alert Bulletin – April 2026 – (CVE-2026-4670, CVE-2026-5174)
https://community.progress.com/s/article/MOVEit-Automation-Critical-Security-Alert-Bulletin-April-2026-CVE-2026-4670-CVE-2026-5174
Apache httpd http2 vulnerability
https://seclists.org/oss-sec/2026/q2/387
Upcoming SANS classes taught by Johannes:

| Class | Location | Dates |
|---|---|---|
| Application Security: Securing Web Apps, APIs, and Microservices | San Diego | May 11th - May 16th 2026 |
| Network Monitoring and Threat Detection In-Depth | Online (Arabian Standard Time) | Jun 27th - Jul 2nd 2026 |
| Network Monitoring and Threat Detection In-Depth | Riyadh | Jun 27th - Jul 2nd 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 13th - Jul 18th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Online (British Summer Time) | Jul 27th - Aug 1st 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 21st - Sep 25th 2026 |
| Network Monitoring and Threat Detection In-Depth | Amsterdam | Nov 9th - Nov 14th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 14th - Dec 18th 2026 |
Podcast Transcript
Hello and welcome to the Tuesday, May 5th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Penetration Testing and Ethical Hacking.

Well, in diaries today, I gave a little update on the DShield honeypot. I released today a version that will actually allow you to run it on the latest version of Ubuntu, 26.04. There was only one minor adjustment I had to make, and it only affected the minimal install of Ubuntu. So if you have one of the normal server installs, well, it should just work out of the box. Before you upgrade to Ubuntu 26.04: I realized that some of the base utilities of Linux, like mv, rm and the like, were rewritten in Rust in that version. And apparently that has actually led to some other vulnerabilities, like some time-of-check/time-of-use vulnerabilities. So I'm not necessarily recommending that you upgrade to 26.04, and for now we definitely will still support 24.04 in particular, since they are so similar. But if you have a new 26.04 system, well, the honeypot should just work nicely on it. I'm also making some adjustments to Cowrie. That'll take a little bit longer. There was one odd sort of encoding issue where some of the API keys weren't used correctly. So if you do observe that your SSH and Telnet reports are not being reported to us, well, let me know and I can walk you through how to fix it. But that'll probably come in the next couple of days as an official update to the honeypot, including sort of a little bit of a revamp of Cowrie itself. Cowrie, if you're not familiar with it, is the Python script we're using to simulate Telnet and SSH to create a little honeypot, and definitely a very useful tool for us.

And Progress, the maker of the file management software MOVEit, has released their April update, fixing two different vulnerabilities. One is rated high, one is rated critical. Well, the end result is that you have authentication bypass issues through the service backend command port interfaces, which I don't think need to be exposed. So that's something to look at, to further protect those interfaces, those IP addresses, from external access. But please refer to the details here from Progress on how to properly configure MOVEit. I'm not that familiar with this particular piece of software. Either way, no real sort of additional items here from Progress as to what else you could do but patch. So go ahead and patch. The reason I cover this software is that in the past it has been used to deploy ransomware. So it's certainly on the radar of the bad guys, and they may already be working on an exploit.

And then we have an update for the Apache HTTP server. This update is somewhat significant in that it fixes, yes, a number of vulnerabilities, but one in particular could possibly lead to remote code execution. It's part of the HTTP/2 module, so something that's often enabled. However, and that's a big sort of constraint here, only one specific version is affected, 2.4.66. That's the version prior to today's version, 2.4.67. So only if you downloaded this very specific version, which you probably then downloaded from the Apache website itself and compiled from source, only then are you vulnerable. Most distributions fix themselves sort of on a particular version and then just sort of apply some bug fixes, security fixes, so they don't appear to be vulnerable. Of course, it's obviously a little bit hard to tell what's being backported, so do double check that there are no Apache updates for your particular Linux distribution. But so far, I haven't really seen this affect any particular Linux distribution.

Well, and that's it for today. So thanks for listening, and specifically thanks to anybody who is sending me information about what you would like to hear more about, or less about for that matter. It's always a little bit hard to tell what actually is actionable for you in these podcasts. So any feedback to that effect is highly welcome, and talk to you again tomorrow. Bye.
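The Apache httpd item above boils down to two questions for a host you administer: is the binary exactly the one affected release the transcript names (2.4.66, fixed in 2.4.67), and is mod_http2 actually loaded? The script below is an added example written for this page; it is not ISC, Apache or SANS code. It parses the banner from `httpd -v` and the module list from `httpd -M` (or the `apachectl`/`apache2ctl` equivalents), both of which are standard httpd options. The version strings and the "affected/fixed" labels come from the transcript; the sample banner and module list used to exercise the functions are constructed for the example. As the transcript notes, distribution packages report their upstream base version and carry backported fixes, so the version check is only meaningful for a build you compiled from source; for a distro package, rely on the distro's advisory instead.

```shell
#!/bin/sh
# Added example (not ISC/Apache/SANS code): flag a source-built Apache httpd
# that is exactly the affected release the podcast names (2.4.66), and report
# whether the HTTP/2 module is loaded. Version labels are taken from the
# transcript; the advisory itself is the authority.

# Pull "x.y.z" out of the first banner line, e.g.
#   Server version: Apache/2.4.66 (Unix)
# Prints the version, or nothing if the banner does not look like httpd.
httpd_version_from_banner() {
    printf '%s\n' "$1" \
        | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p' \
        | head -n 1
}

# Classify a version string against the advisory as summarised in the podcast:
# exactly 2.4.66 is affected, 2.4.67 is the fixed release, anything else is
# outside the affected range (distro builds carry backports, so treat their
# base version as inconclusive and check the distro advisory instead).
classify_httpd_version() {
    case "$1" in
        2.4.66) echo "affected" ;;
        2.4.67) echo "fixed" ;;
        "")     echo "unknown" ;;
        *)      echo "not-in-affected-range" ;;
    esac
}

# Given the output of `httpd -M` (one module per line, e.g.
# " http2_module (shared)"), say whether mod_http2 is loaded.
http2_loaded() {
    if printf '%s\n' "$1" | grep -q '^ *http2_module'; then
        echo "yes"
    else
        echo "no"
    fi
}

# Run the checks against whatever httpd binary is on this host's PATH.
# Always returns 0 so it is safe under `set -e`.
check_local_httpd() {
    bin=""
    for candidate in httpd apachectl apache2ctl apache2; do
        if command -v "$candidate" >/dev/null 2>&1; then
            bin="$candidate"
            break
        fi
    done
    if [ -z "$bin" ]; then
        echo "no Apache httpd binary found in PATH; nothing to check"
        return 0
    fi
    banner=$("$bin" -v 2>/dev/null || true)
    modules=$("$bin" -M 2>/dev/null || true)
    version=$(httpd_version_from_banner "$banner")
    echo "binary:            $bin"
    echo "version:           ${version:-unknown}"
    echo "status:            $(classify_httpd_version "$version")"
    echo "mod_http2 loaded:  $(http2_loaded "$modules")"
    return 0
}

check_local_httpd
```

A "status: affected" result with "mod_http2 loaded: yes" is the case the transcript singles out; "not-in-affected-range" on a distribution package means only that the base version differs, not that the package is patched, which is why the script prints the binary it found so you can tell a vendor package from a `/usr/local` source build.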