
SANS Stormcast Monday, March 9th, 2026: YARA-X Update; IP Camera Targeting; Node.js Upgrades; nginx UI Vuln
A
Hello and welcome to the Monday, March 9, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida and this episode is brought to you by the SANS.edu Graduate Certificate Program in Purple Team Operations.
In diaries this weekend we only got one very quick one and that's an update in YARA-X. This update adds a deps command for dependencies and it's meant sort of for debugging, where you have a rule file and you run it through a command. It illustrates in a quick graph dependencies how different rules depend on each other. So yeah, for debugging that's probably quite useful.
And Check Point is reporting that they're seeing an increase in attacks against IP cameras. Now, Check Point being an Israeli company, they're of course focused somewhat on the Israeli IP address space and IP cameras traffic. Modern cameras and such have been in the news in the recent conflict. Well, on the other hand, it's also really nothing new. I'm not sure how you detect an increase in attacks against IP cameras because they're all the way at the top when it comes to attacked systems on the Internet, period. Also, they have been used in conflicts prior to today than for example in Ukraine there were many stories about how IP cameras, security cameras and such were being used in this conflict. And well, back in I think it was 2014 and such we wrote about Hikvision cameras being attacked and many of them for example being located along the Panama Canal. So not really sure how new this is. But on the other hand, news like this of course may finally get people to realize that these cameras should really not be exposed to the Internet and well, maybe many of them should better be trashed.
Now I'm talking about things that are either difficult to upgrade or often, well, aren't being upgraded. One of these things is Node.js and I've seen numbers with like 70, 80% or so of Node.js updates installs being out of date. And in order to fix that, the OpenJS Foundation now has initiated a program that they're calling their upgrade modernization program. They're working together here with NodeSource that will provide various guides and such and also assistance in moving code bases from end of life Node.js versions. Now you should always be running the LTS, the long term support version of Node.js in particular in production systems. That sort of at least reduces the upgrade interval somewhat and those are also then the versions that will be supported by this program. So if you're running LTS, they'll provide you essentially with assistance with upgrade guides and such. Sadly, it doesn't look like there will be sort of an easy button or a simple script to update it, but it will still be a more involved and manual process that NodeSource will perform here.
Well then we have two critical vulnerabilities in nginx UI. Nginx, of course, is a popular web server. Nginx UI is an optional component and it provides you with a user interface to manage your nginx installs. One of the features being offered by nginx UI is the ability to back up your server. Well, that's vulnerability number one, that the API endpoint that controls these backups does not use any authentication. Now this may not be that terrible bad because you're able to encrypt these backups. That's where vulnerability number two comes in, that the encryption key and the IV is being returned as part of an X-Backup-Security header. So with that of course it then becomes trivial for an attacker to decrypt the backup as well. Definitely get this updated. And as I say so often, nginx UI is one of those things you probably don't really just want to expose to the open Internet.
Well, and this is it for today, so thanks again for listening. Thanks for liking this podcast. Thanks for any comments, either publicly or just send me a private comment. Always welcome. And don't forget, I'll be teaching in Orlando and in Amsterdam in a so if you haven't looked at it yet, if you haven't signed up yet, take a look at the classes in Orlando. You'll even get a free on demand with your class. That's it and talk to you again tomorrow. Bye.
Host: Johannes B. Ullrich
Theme: Daily cybersecurity headlines – YARA-X debug update, rise in IP camera attacks, Node.js upgrade program, and critical nginx UI vulnerabilities.
Johannes Ullrich provides a concise roundup of key current cybersecurity developments, focusing on software updates, vulnerabilities in popular platforms, and persistent security risks in commonly deployed technologies. The episode is geared toward both awareness and actionable insight for practitioners.
Update Description:
YARA-X (a malware detection tool) introduces a deps command for developers and analysts.
Practical Benefit:
"It illustrates in a quick graph dependencies how different rules depend on each other. So yeah, for debugging that's probably quite useful."
— Johannes B. Ullrich [00:38]
Reported Trend:
Check Point has observed an uptick in cyberattacks against IP cameras, particularly focusing on Israeli networks. This relates to increased exploitation in the context of regional conflicts.
Historical Context:
Ullrich notes that attacks on exposed cameras are not new:
Skepticism About 'Increase':
"Not sure how you detect an increase in attacks against IP cameras because they're all the way at the top when it comes to attacked systems on the Internet, period."
— Johannes B. Ullrich [01:23]
Takeaway & Advice:
The Problem:
A vast majority (70–80%) of Node.js installations are out of date.
Community Effort:
OpenJS Foundation, partnering with NodeSource, launches the Upgrade Modernization Program:
Caveat:
The upgrade process remains manual and lacks a "simple script" or "easy button"—organizations will need to invest effort.
Guidance:
"You should always be running the LTS... in particular in production systems... those are also then the versions that will be supported by this program."
— Johannes B. Ullrich [02:54]
Vulnerability 1:
The API endpoint for backups does not require authentication.
Vulnerability 2:
The encryption key and IV (initialization vector) are included in a response header (X-backup-security), effectively negating encryption benefits and exposing sensitive data to attackers.
Remediation Advice:
Immediate updates are urged. Administrators are also warned not to expose nginx UI to the public internet by default.
Memorable Reminder:
"Nginx UI is one of those things you probably don't really just want to expose to the open Internet."
— Johannes B. Ullrich [04:20]
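A detection sketch for the two nginx UI issues summarized above, added here as an example and not taken from the podcast or the nginx UI project: it scans reverse-proxy records for responses that carry the X-Backup-Security header and ranks each hit by whether the request was authenticated and came from a management network. The JSON field names, the `/backup-endpoint` path and the management subnet are assumptions, and the sample records are constructed.

```python
import ipaddress
import json

LEAK_HEADER = "x-backup-security"  # header named on this page; matched case-insensitively
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumption: your admin network

# Constructed sample proxy records, one JSON object per line (field names are assumptions).
SAMPLE = """\
{"src": "10.20.0.7", "path": "/backup-endpoint", "status": 200, "req_headers": {"Authorization": "Bearer x"}, "resp_headers": {"X-Backup-Security": "REDACTED"}}
{"src": "203.0.113.50", "path": "/backup-endpoint", "status": 200, "req_headers": {}, "resp_headers": {"X-Backup-Security": "REDACTED"}}
{"src": "203.0.113.50", "path": "/", "status": 200, "req_headers": {}, "resp_headers": {"Content-Type": "text/html"}}
{"src": "198.51.100.9", "path": "/backup-endpoint", "status": 403, "req_headers": {}, "resp_headers": {}}
not-json garbage line
"""

def lower_keys(headers):
    """Normalize header names, since HTTP header names are case-insensitive."""
    return {k.lower(): v for k, v in (headers or {}).items()}

def classify(record):
    """Return None for a clean record, else a finding with a severity."""
    if LEAK_HEADER not in lower_keys(record.get("resp_headers")):
        return None
    req = lower_keys(record.get("req_headers"))
    authenticated = "authorization" in req or "cookie" in req
    try:
        src = ipaddress.ip_address(record.get("src", ""))
        internal = any(src in net for net in MGMT_NETS)
    except ValueError:
        internal = False  # unparseable source address is treated as external
    # No credentials at all means both issues at once; any hit still discloses key and IV.
    severity = "critical" if not authenticated else ("medium" if internal else "high")
    return {"src": record.get("src"), "path": record.get("path"), "severity": severity}

def scan(text):
    # Returns (findings, number of lines that could not be parsed).
    findings, skipped = [], 0
    for line in filter(str.strip, text.splitlines()):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        finding = classify(record) if isinstance(record, dict) else None
        if finding:
            findings.append(finding)
    return findings, skipped

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Any finding, including a "medium" one from an authenticated admin on the management network, indicates an instance that still returns key material in the response and needs the update.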
On Obsolete Internet Devices:
"Maybe many of them should better be trashed."
— Johannes B. Ullrich [02:06]
On Upgrade Culture:
“Sadly, it doesn't look like there will be sort of an easy button or a simple script to update it, but it will still be a more involved and manual process...”
— Johannes B. Ullrich [03:13]
| Timestamp | Topic |
|-----------|---------------------------------------------------|
| 00:28 | YARA-X deps debug command update |
| 01:00 | IP camera attack increase, context and advice |
| 02:17 | Node.js LTS program and community upgrade effort |
| 03:24 | Nginx UI vulnerabilities and urgent patching |
| 04:20 | Internet exposure warnings (Nginx UI) |
Johannes maintains a practical, mildly skeptical, and pragmatic tone—reminiscent of technical briefings among peers. He balances actionable advice with historical awareness and a wry commentary on persistent internet security lapses.
Listeners can find further resources and submit questions via the SANS Internet Storm Center website.