
SANS Stormcast Thursday, April 23rd, 2026: Stealing Telegram Sessions; Oracle CPU; Firefox Patches
Hello and welcome to the Thursday, April 23, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Amsterdam, Netherlands, and this episode is brought to you by the SANS.edu Graduate Certificate Program in Penetration Testing and Ethical Hacking. Today we got another diary by one of our undergraduate SANS.edu interns. Alcardy writes about how their honeypot got compromised. Initially it looked like, well, your run-of-the-mill compromise. It did sort of check for crypto miners, tried to kill them, which is very typical for some of these mining scripts that take over Linux systems with weak passwords. But then things kind of changed. The script then went and looked for the TDATA file in the desktop Telegram folder. This is a typical location on a Linux system where Telegram, the messenger, keeps its session data. So the contents of the TDATA file are essentially session IDs that are being used to authenticate the client to Telegram's system. This session data could then easily be copied to another system and used to authenticate as the user. So it's essentially potentially as valuable as the username and password for a particular account. Even worse, if the user had set up two-factor authentication, it doesn't actually matter if the attacker gets a hold of this session data. Telegram remains a highly valued platform by criminals, in part because of its easy automation and, of course, its worldwide infrastructure that is relatively easy to use and widely used, which of course makes it more difficult for organizations to block access to Telegram. Still, something that you probably should monitor, and definitely look for access to the TDATA file if you have some endpoint protection that can monitor this for Telegram users. Also, it's important to keep an eye out for any odd sessions that you see established to Telegram. Telegram, in its security settings, allows you to monitor which sessions are currently authenticated.
So you could look for some devices that you don't recognize and then, of course, log out of systems if you no longer use Telegram on a particular system, in order to invalidate the session data should it get stolen later. And then we got some breaking news from the Socket research team about yet another security scanner being compromised. This time it's Checkmarx's turn: the Checkmarx KICS scanner was compromised, at least the Docker images that were offered as official Checkmarx Docker images on Docker Hub. In addition to that, apparently also some Visual Studio Code extensions published by Checkmarx were compromised as well. At this point it's still kind of under development here, really, what exactly happened. The first draft, or the first version, of the Socket blog post was just published about two hours ago as I'm recording this, and they state that they will make updates to this blog post as more details become apparent. But it looks like we are having here sort of the typical credential stealer that we have seen in prior attacks like this, so definitely something to be very careful about. If you're using Checkmarx KICS and you did download images from Docker Hub today, you definitely want to double-check and make sure that you didn't download any of the compromised images. The same is also true, of course, for any Visual Studio Code extensions. So for this particular attack there's no statement from Checkmarx that I have seen yet, but again, we're fairly early on here. They're probably, hopefully, I would say, still working on figuring out exactly what happened before they make any statements here at this point. Also, the malicious Docker images were rolled back, so currently they're not available anymore on Docker Hub. But then again, it's not really clear yet how long these images were available.
So double-check if you're using any of Checkmarx's code, and like we had with the Privy Scanner event and such, this is likely going to then lead to additional compromises down the road. And Oracle today published its quarterly patch update. This particular update fixes 481 different vulnerabilities, which isn't that unusually high of a number for Oracle. Remember, this again is across these dozens and dozens of applications that Oracle distributes. Nothing that sort of stood out in this particular update. There are a number of vulnerabilities that do allow unauthenticated remote exploitation. Not necessarily code execution, but many of these vulnerabilities are labeled with CVSS scores in the 9-dot range. I didn't see a perfect 10 when I skimmed the list, but as usual with Oracle, for all the details you must log in to an Oracle customer account anyway to really figure out what these vulnerabilities are all about, and then of course figure out which of these applications actually apply to you. One of the critical vulnerabilities also affects MySQL, which of course is part of Oracle's portfolio. But, well, you may be running it without actually being sort of an official Oracle customer. And talking about patching a lot of vulnerabilities: Mozilla released Firefox 150, and this version addresses 271 vulnerabilities. Typically, well, a new release like Firefox usually fixes around a dozen or fewer vulnerabilities. This increase in vulnerabilities being addressed in this particular release is linked to Mozilla using the Anthropic Mythos model in order to scan Firefox for vulnerabilities. They're seeing this as a big win, and I think they have a good point here. The title of the blog where they're introducing and talking about this is called "The Zero Days Are Numbered," just because they feel that this gives them a significant head start over attackers looking for vulnerabilities as well.
We'll see where this all ends up, but I guess in a couple of months we'll see how many more vulnerabilities will be found after these 271 vulnerabilities have been fixed. Hopefully, well, we'll see a significant decline in the number of vulnerabilities being found and exploited. As usual, keep your browsers up to date. Restart them once a day in order to make sure that the latest updates are applied, and at least once a week double-check whether or not you are actually running the latest version of your favorite browser. Well, and this is it for today. So thanks for liking, thanks for subscribing, and as always, if you have any feedback, if you think I should have covered a story that I missed or should have spent less time on a particular story, please let me know. Thanks, and talk to you again tomorrow. Bye.
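The episode's advice on the Telegram story is to watch for access to the tdata session store by anything other than the Telegram client itself. The following is an added example, not code from the podcast, the ISC diary or Telegram: it runs a small detection over constructed JSON-lines file-access telemetry (a made-up schema, not any particular EDR's format) and flags tdata reads by non-Telegram processes. The tdata locations (`~/.local/share/TelegramDesktop/tdata` on Linux, `%APPDATA%\Telegram Desktop\tdata` on Windows) and the allowed process names are assumptions to confirm against your own installs.

```python
"""Flag file-access events that touch Telegram Desktop's tdata session store.

Added example. The event format is a constructed JSON-lines telemetry feed
(fields: ts, pid, exe, path), not a real product's schema.
"""
import json
import re
from dataclasses import dataclass

# Where Telegram Desktop keeps session data (tdata). These are the default
# locations as assumed by this example; verify them for your environment.
TDATA_PATTERNS = [
    re.compile(r"/TelegramDesktop/tdata(/|$)"),            # Linux: ~/.local/share/TelegramDesktop/tdata
    re.compile(r"\\Telegram Desktop\\tdata(\\|$)", re.I),  # Windows: %APPDATA%\Telegram Desktop\tdata
]

# Process basenames that legitimately open tdata (assumed). Anything else
# reading or archiving the store is treated as a session-theft signal.
ALLOWED_EXE_NAMES = {"telegram-desktop", "telegram.exe"}


@dataclass
class Alert:
    ts: str
    pid: int
    exe: str
    path: str
    reason: str


def is_tdata_path(path: str) -> bool:
    """True if the path is inside a Telegram Desktop tdata directory."""
    return any(p.search(path) for p in TDATA_PATTERNS)


def exe_basename(exe: str) -> str:
    """Last component of a POSIX or Windows executable path, lower-cased."""
    return re.split(r"[\\/]", exe)[-1].lower()


def scan_events(lines):
    """Return an Alert for every tdata access by a non-allowlisted process."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped, not fatal
        path = ev.get("path", "")
        if not is_tdata_path(path):
            continue
        exe = ev.get("exe", "")
        if exe_basename(exe) in ALLOWED_EXE_NAMES:
            continue
        alerts.append(Alert(ev.get("ts", ""), int(ev.get("pid", 0)), exe, path,
                            "non-Telegram process accessed tdata session store"))
    return alerts


# Constructed sample feed: one benign client read, one archive of the whole
# store by tar, one unrelated file, one Windows read by curl, one junk line.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"ts": "2026-04-23T09:01:02Z", "pid": 4120, "exe": "/usr/bin/telegram-desktop",
     "path": "/home/alice/.local/share/TelegramDesktop/tdata/key_datas"},
    {"ts": "2026-04-23T09:14:55Z", "pid": 9981, "exe": "/bin/tar",
     "path": "/home/alice/.local/share/TelegramDesktop/tdata"},
    {"ts": "2026-04-23T09:15:10Z", "pid": 9982, "exe": "/usr/bin/vim",
     "path": "/home/alice/notes.txt"},
    {"ts": "2026-04-23T09:20:00Z", "pid": 512, "exe": r"C:\Windows\System32\curl.exe",
     "path": r"C:\Users\bob\AppData\Roaming\Telegram Desktop\tdata\D877F783D5D3EF8C"},
]] + ["this line is not json"]


if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"{a.ts} pid={a.pid} {a.exe} -> {a.path}: {a.reason}")
```

On the sample feed the tar and curl events are reported and the Telegram client's own read is not. In a real deployment the same rule is usually expressed as a file-watch in the EDR or an audit rule on the tdata directory; the allowlist by basename is deliberately loose, so pair it with a check on the executable's full path or signature where the telemetry provides one.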
Episode: Thursday, April 23, 2026 – “Stealing Telegram Sessions; Oracle CPU; Firefox Patches”
Host: Johannes B. Ullrich
Duration: ~5 minutes
Location: Recorded from Amsterdam, Netherlands
This edition of Stormcast provides a succinct review of key cybersecurity threats and updates relevant to practitioners. Topics include a new technique for stealing Telegram session data from compromised systems, a major compromise of Checkmarx security tools, Oracle's quarterly patch release, and a groundbreaking use of AI for vulnerability scanning in the latest Firefox update.
[00:27 – 02:12] Telegram Session Data Stealing
The intruder's script looked for the TDATA file in the desktop Telegram folder, a file that contains session IDs used by Telegram for authentication. Monitor access to the TDATA file and watch for unusual Telegram sessions; Telegram's security settings let users view and revoke authenticated devices.
[02:13 – 03:17] Checkmarx KICS Scanner Compromise
[03:18 – 04:00] Oracle CPU – 481 Vulnerabilities Fixed
[04:01 – 04:54] Firefox 150 & AI Vulnerability Scanning
| Segment | Timestamp | Summary |
|-------------------------------------------|-------------|----------------------------------------------------------------------|
| Telegram Session Data Stealing | 00:27–02:12 | Attackers now seeking Telegram TDATA files post-compromise |
| Checkmarx KICS Scanner Compromise | 02:13–03:17 | Official Docker images and VS Code extensions compromised |
| Oracle CPU – 481 Vulnerabilities Fixed | 03:18–04:00 | Large quarterly patch; critical issues found, MySQL included |
| Firefox 150 & AI Vulnerability Scanning | 04:01–04:54 | Patch covers 271 bugs thanks to AI-driven scanning initiative |
Monitor TDATA file access; review authenticated Telegram sessions regularly.
For feedback or to suggest future topics, visit: https://isc.sans.edu/contact.html