
SANS Stormcast Friday, March 20th, 2026: Cowrie Strings; MSFT Intune Hardening; Unifi Network Update;
Hello and welcome to the Friday, March 20, 2026 edition of the SANS and the Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida, and this episode is brought to you by the SANS EDU Credit Certificate Program in Cyber Defense Operations. One of the questions we often get is whether or not any global events are affecting what we are seeing in our logs now. We have in the past often seen disasters and such, for example, being used in scams. Guy had an interesting sort of event in his Cowrie honeypot that's a little bit related to what's happening now in Iran. Essentially a message that the attacker added to the command line here that was executed in the honeypot that just says "magic payload killer here or leave empty". And then "Iranbot was here". This is often kind of just used as a little indicator whether or not the commands are actually properly processed. Sometimes strings like this are also being used to identify honeypots, to see what is then actually being returned by the particular shell that they attempt to log into. In this case, it wasn't anything remotely sophisticated just yet. Sort of another SSH brute forcing attack. And sometimes attackers are really also just using these strings for notoriety, to maybe be recognized or such. But yes, not everything is sort of nation states if it does mention a nation as part of a string in a payload like this. Talking about Iran, there was one significant breach that was caused by threat actors associated with Iran, and that was against the medical supply company Stryker. Now I typically don't talk about breaches much unless there is sort of a lesson to be learned or something actionable coming out of it. And that's what we have now. Microsoft as well as CISA released guidelines on how to better secure your Microsoft Intune account.
Microsoft Intune is a mobile device management console, and you can use it to basically figure out what is installed on mobile devices in your organization. But it also has the remote wipe capability in case, for example, of a physical loss of a device. And that's what the attacker abused here. The attacker apparently did wipe something like 200,000 devices, I think was the number I've seen, associated with Stryker, which of course is a catastrophic event for the company. Well, there are a couple of things that you can do in order to prevent this from happening to yourself. First of all, I think one of the biggest things here is just to make sure there is no phishing happening. So some phishing resistant authentication should happen here. Design your admin controls well, so not every admin needs to be able to delete all 200,000 devices. And then they have an interesting feature called multi admin approval. For sensitive changes like wiping devices, you need actually two administrators to come together and approve the event. And that's certainly something that also adds some additional phishing resistance, but also basically just prevents, for example, a compromised workstation or something like this from then being abused to delete all of your devices. So if you're using any system like this, and I think this does not just apply to Microsoft Intune but to other mobile device management systems, definitely take a look and make sure that you have these things properly configured. As far as Iran goes, if this is really the only thing that's happening, it's probably much less than some people were afraid of when it comes to various cyber attacks. And then we got an update from Ubiquiti for its UniFi Network application. This update fixes two different vulnerabilities. The first one has a perfect 10 as far as the CVSS score goes.
It's a path traversal vulnerability that does not require any authentication and could essentially allow an attacker to read arbitrary files, which then may lead to actually compromising the system further. The second vulnerability is a NoSQL injection vulnerability, but it does require authentication. Updates are available for the UniFi Network application. You typically run it on your UniFi gateway, sometimes on distinct Cloud Keys or other devices like that. And then, of course, the usual advice: don't expose these kinds of more admin interfaces to the public, and make sure they're only accessible from the internal network, preferably from specific admin workstations or subnets. Well, that's it for today. And just a quick note, this Saturday I'll be happy to participate in the SANS EDU commencement. So ahead of it, congratulations to all of our graduates this year. And that's it for today. Thanks for listening, thanks for liking, thanks for commenting, and talk to you again on Monday. Bye.
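The episode treats the "Iranbot was here" style strings as a tagging marker rather than attribution. The following added example (not from the episode or the Internet Storm Center) shows how a defender might pull those markers out of Cowrie's JSON log to see how many distinct sessions and source addresses carry them; the field names follow Cowrie's cowrie.command.input event, and the log lines and IP addresses are constructed.

```python
import json
from collections import Counter

# Constructed sample Cowrie JSON log lines (not real honeypot data).
# Field names assume Cowrie's cowrie.command.input event layout.
SAMPLE_LOG = """
{"eventid":"cowrie.login.success","src_ip":"203.0.113.10","session":"a1","timestamp":"2026-03-19T10:00:00Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.10","session":"a1","input":"uname -a; echo 'magic payload killer here or leave empty'","timestamp":"2026-03-19T10:00:02Z"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.10","session":"a1","input":"echo 'Iranbot was here'","timestamp":"2026-03-19T10:00:03Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"b2","input":"cat /proc/cpuinfo","timestamp":"2026-03-19T11:30:00Z"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"b2","input":"echo Iranbot was here","timestamp":"2026-03-19T11:30:01Z"}
"""

# Marker strings quoted in the episode; matched case-insensitively.
MARKERS = ("magic payload killer", "iranbot was here")

def tag_sessions(log_text, markers=MARKERS):
    """Map session id -> {src_ip, markers seen, marker-bearing command count}
    for every session whose command input contains one of the markers."""
    sessions = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise in the log
        if ev.get("eventid") != "cowrie.command.input":
            continue
        cmd = ev.get("input", "").lower()
        hits = {m for m in markers if m in cmd}
        if not hits:
            continue
        s = sessions.setdefault(ev.get("session"),
                                {"src_ip": ev.get("src_ip"), "markers": set(), "commands": 0})
        s["markers"] |= hits
        s["commands"] += 1
    return sessions

def marker_counts(sessions):
    """Count, per marker, the number of distinct sessions that used it.
    A marker seen from many sessions suggests a shared script, not one actor."""
    counts = Counter()
    for s in sessions.values():
        counts.update(s["markers"])
    return counts

if __name__ == "__main__":
    tagged = tag_sessions(SAMPLE_LOG)
    for sid, info in tagged.items():
        print(sid, info["src_ip"], sorted(info["markers"]), info["commands"])
    print(marker_counts(tagged))
```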
In this Friday episode, host Johannes B. Ullrich delivers a concise summary of the day's most relevant cybersecurity events. Key topics include:
The discussion centers on practical defense insights and fast-breaking incidents, with a direct and educational tone aimed at infosec professionals.
Observation: Guy, a contributor, noticed unusual command-line strings in his Cowrie honeypot related to events in Iran.
Strings: "magic payload killer here or leave empty" and "Iranbot was here".
Context: These markings do not necessarily indicate nation-state activity; attackers frequently reference country names for various routine reasons.
Context: Noteworthy recent breach of medical supply company Stryker, attributed to attack groups linked to Iran.
On Iran-tied payloads:
“Not everything is sort of nation states if it does mention a nation as part of a string…”
— Johannes B. Ullrich, 01:09
On multi-admin approval for Intune:
“You need actually two administrators to come together and approve the event … also basically just prevents, for example, a compromised workstation … to be then abused to delete all your devices.”
— Johannes B. Ullrich, 03:35–03:49
On patching UniFi devices:
“Don’t expose these kind of more admin interfaces to the public and make sure they’re only accessible from the internal network, preferably from specific admin workstations or subnets.”
— Johannes B. Ullrich, 05:03
Johannes wraps up with a congratulatory note to SANS EDU graduates and reiterates his thanks to listeners. No hype, just crisp insights—practical, relevant, and actionable for InfoSec teams confronting rapidly evolving threats.