
SANS Stormcast Thursday, April 9th, 2026: Honeypot Fingerprinting; Microsoft Locks Developer Accounts; ActiveMQ Vuln;
Hello and welcome to the Thursday, April 9, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And just as a reminder, there will be no Friday podcast due to my travel schedule, and this episode is brought to you by the SANS.edu Strategy Certificate program in Industrial Control System Security. Well, in diaries today I wrote a little bit about how attackers are attempting to fingerprint honeypots. In particular the honeypots we are using, like the little Python script we use to emulate web applications and Cowrie, of course, that is being used to emulate Telnet and SSH. Well, those kinds of honeypots are often considered medium interaction honeypots, meaning that they try to emulate particular vulnerable or non-vulnerable devices, but are of course far from perfect, and that makes it relatively straightforward to fingerprint them and make sure that a particular device is a honeypot. Now, one trick that this particular attacker, researcher, whoever it was, did employ was to use username/password combinations that would definitely not show up in a normal system. So for example, well, the username was admin and the password "definitely not valid grets", or usernames like honeypotten, Honeypotter. The idea behind this is that, for example, Cowrie, that we're using to emulate Telnet and SSH, well, it will sort of randomly accept username and password combinations. So it will not just accept very specific ones, but every so often it will let the attacker in no matter what username and password they're using, to see what commands they may be executing. And that's what they're looking for. If they're able to actually log in with a username like Honeypotter, well, they assume then that they are connected to a honeypot, which is a fairly fair assumption. Are we working on making it a little bit harder to fingerprint honeypots? 
Yes, we always sort of log into this and may actually be adding some features to sort of, you know, not allow logins from specific usernames or passwords. But not really a high priority, because like I said, it's always possible to fingerprint these honeypots and we are not really sort of after the zero days or the targeted attacks, but really more after attacks that are just scanning the Internet. And some concerns were raised today by three different security-related Microsoft developer accounts being suspended. What we had here was WireGuard, VeraCrypt, Windscribe; these are the three accounts that are apparently affected. There may be others, but these are the ones where I sort of found notice about, and pretty much the same happened to all three, where they're no longer able to publish updates to their respective applications. Now WireGuard and Windscribe are both VPN applications. VeraCrypt, a disk encryption application. All of these are well respected projects that have been going on for quite a few years, so it's not really clear what's happening here. But of course these particular projects are sort of privacy related, and as a result there's of course always some concern that various regulation and such in countries that do no longer allow VPNs or end-to-end encryption may be targeting projects like this. The most likely reason that I found for this particular issue is that starting in April, when we are in April and we have Patch Tuesday next Tuesday. So starting next Tuesday Microsoft is actually changing some policies around signing drivers and also bootloaders, which affects in particular code like VeraCrypt. If you are using basically a fully encrypted disk with VeraCrypt, then you need a special VeraCrypt bootloader to decrypt the disk as you are booting the system. Well, so far there were some co-signed, dual-signed solutions that were offered. They're going away in April now. I have no idea why they would lock the accounts in response to this. 
These projects definitely have to basically struggle with how they're going to respond to these changes in policy. In particular, VeraCrypt pointed out that if you're using their product to encrypt the entire disk, so you need to use the VeraCrypt bootloader, well, then your system will stop booting in June when actually this will go in full effect, and with their account suspended they will not be able to actually push any updates for you. So this at this point just affects Windows. Of course we had in the past often that the particular VPN software was often removed from country-specific application stores; that affected pretty much all of the big sort of app stores like Apple, Android and Microsoft. But this appears to be global and affect the developers' accounts themselves. At this point I haven't seen any official statement from Microsoft and hope they're bringing some light behind what's actually happening here and why these accounts were suspended. If you're using NFTS products they should be working. But be aware of that VeraCrypt caveat here. And yeah, keep watching it for any updates. Any other versions like Linux, macOS are not affected at this time. This is just Microsoft, and with that Windows problem, well, I mentioned already this week a couple times the use of AI in order to find vulnerabilities. We got now a nice write-up by Horizon3 showing how they used Claude in order to find a remote code execution vulnerability in Apache ActiveMQ. Now first of all, Apache ActiveMQ is quite popular, so if you're running it, definitely make sure that you're up to date, that you have this issue fixed. It is a remote code execution vulnerability but requires authentication if you run a relatively recent version of ActiveMQ. There have been some older versions, and we're talking like 2024, that's when at least the CVE came out for it, that exposed the Jolokia API, which is causing the vulnerability here to be exposed without authentication. 
So for these old versions it's an unauthenticated remote code execution vulnerability. So get it patched, and if you are sort of into bug hunting and such, definitely good write-up in how they used Claude here to actually figure out how this particular vulnerability works. Well, and that's it for today. So thanks for listening, thanks for liking, thanks for subscribing, and talk to you again on Monday. Bye.
Episode: Thursday, April 9th, 2026
Host: Johannes B. Ullrich
Theme: Honeypot Fingerprinting, Microsoft Developer Account Suspensions, ActiveMQ Vulnerability
In this episode, Johannes B. Ullrich delivers a concise but content-rich update on key network security events. He explains how attackers are fingerprinting honeypots, discusses the recent suspension of reputable open-source developers’ accounts by Microsoft, and highlights the discovery and implications of a remote code execution vulnerability in Apache ActiveMQ, unearthed with the help of AI tools. The discussion is practical, informed, and peppered with actionable advice for listeners tracking current cyber threats.
[00:27 – 03:05]
Medium Interaction Honeypots:
The podcast opens with a discussion about attackers trying to fingerprint honeypots such as the commonly used Python web application emulators and Cowrie for Telnet/SSH emulation. These honeypots are not perfect imitations, making them susceptible to detection by sophisticated adversaries.
Fingerprinting Tactics:
Attackers use deliberately invalid or peculiar username and password combinations (e.g., “admin” with a password “definitely not valid grets” or usernames like “honeypotten,” “Honeypotter”). If such odd combinations grant access, attackers know they are connected to a honeypot.
Defensive Measures & Priorities:
The SANS team is aware and considering tweaks to block obviously honeypot-related usernames, but acknowledges the limitations:
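The fingerprinting trick above leaves a clear trace in the honeypot's own logs: a login that succeeds with a credential no real host would accept. The following is an added example, not code from the ISC or the Cowrie project, that scans constructed Cowrie-style JSON login events for such canary credentials and shows the mitigation the host mentions, refusing obviously honeypot-related usernames before the random-accept policy is applied. The event names (cowrie.login.success / cowrie.login.failed) and field names are assumed to match Cowrie's JSON output; the log lines themselves are constructed.

```python
import json
import random
import re

# Constructed sample log lines in Cowrie's JSON event style (not real captures).
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"198.51.100.7","session":"a1"}
{"eventid":"cowrie.login.success","username":"honeypotter","password":"honeypotter","src_ip":"198.51.100.7","session":"a1"}
{"eventid":"cowrie.login.success","username":"admin","password":"definitelynotvalid","src_ip":"203.0.113.9","session":"b2"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"203.0.113.9","session":"b2"}
{"eventid":"cowrie.login.success","username":"root","password":"password","src_ip":"192.0.2.33","session":"c3"}
"""

# Tokens that mark a credential as a fingerprinting canary rather than a
# dictionary guess; extend with whatever your own logs show.
PROBE_PATTERN = re.compile(r"honeypot|definitely.?not.?valid", re.IGNORECASE)


def is_probe_credential(username, password):
    """True when the username or password looks like a honeypot canary."""
    return bool(PROBE_PATTERN.search(username) or PROBE_PATTERN.search(password))


def find_fingerprint_attempts(log_text):
    """Return one record per accepted canary login, i.e. each time the
    random-accept policy confirmed to the scanner that this is a honeypot."""
    hits = []
    for line in log_text.splitlines():
        event = json.loads(line)
        if event["eventid"] != "cowrie.login.success":
            continue
        if is_probe_credential(event["username"], event["password"]):
            hits.append({"src_ip": event["src_ip"], "session": event["session"],
                         "username": event["username"]})
    return hits


def decide_login(username, password, accept_probability, seed=0):
    """Hardened accept policy: refuse canary credentials outright, then apply
    the usual probabilistic acceptance (seeded here for reproducibility)."""
    if is_probe_credential(username, password):
        return False
    return random.Random(seed).random() < accept_probability


if __name__ == "__main__":
    for hit in find_fingerprint_attempts(SAMPLE_LOG):
        print("canary login accepted:", hit)
```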
[03:06 – 05:20]
Accounts Affected:
Developer accounts for WireGuard, VeraCrypt, and Windscribe—well-respected VPN and disk encryption tools—were suddenly suspended by Microsoft, preventing updates.
Possible Causes and Implications:
This action may be tied to new Microsoft security policies effective next Patch Tuesday, especially concerning driver and bootloader signing—critical for bootloaders like VeraCrypt’s.
Scope & Uncertainty:
No official Microsoft statement yet. The issue appears to be global and concerns the developer accounts themselves rather than just country-specific app store removals, as has happened in the past with privacy software.
Advice for Users:
Windows users should be attentive, especially those relying on VeraCrypt for full-disk encryption. Non-Windows OS versions remain unaffected for now.
[05:21 – 06:50]
AI-Assisted Vulnerability Discovery:
Horizon3 researchers demonstrated the use of Claude (an AI tool) to uncover a remote code execution (RCE) vulnerability in Apache ActiveMQ.
ActiveMQ Vulnerability Details:
ActiveMQ is widely used; the highlighted RCE bug requires authentication in recent versions, but older releases from around 2024 could be vulnerable without authentication via the Jolokia API.
Takeaway for Security Professionals:
The host encourages listeners to keep ActiveMQ up to date and to read the write-up for insights into how AI tools can help discover vulnerabilities.
On Honeypot Limitations:
"It's always possible to fingerprint these honeypots and we are not really sort of after the zero days or the targeted attacks, but really more after attacks that are just scanning the Internet."
— Johannes, 02:29
On Microsoft Account Suspensions:
"This appears to be global and affect the developers' accounts themselves. At this point I haven't seen any official statement from Microsoft and hope they're bringing some light behind what's actually happening here and why these accounts were suspended."
— Johannes, 05:00
AI and Vulnerability Discovery:
"If you are sort of into bug hunting and such, definitely good write-up in how they used Claude here to actually figure out how this particular vulnerability works."
— Johannes, 06:22
This episode alerts defenders to honeypot fingerprinting trends, highlights the real-world impacts of changing security policies on open-source projects, and underlines the growing utility of AI in vulnerability discovery. Johannes provides timely, actionable information while inviting listeners to remain vigilant—particularly those who rely on privacy tools or manage widely deployed enterprise software.
For further discussion or to submit questions, listeners are encouraged to use the contact form at https://isc.sans.edu/contact.html.