Summary4 min read

SANS Stormcast Summary: March 31, 2026

Host: Johannes B. Ullrich
Episode Theme:
A concise briefing focused on recent developments in honeypot research, Let's Encrypt’s mass certificate revocation test, and an important F5 BIG-IP vulnerability reclassification.

Key Discussion Points & Insights

1. Honeypot Session Lifetimes & Attacker Behavior

Typical Session Duration
- Most honeypot sessions are extremely brief, often just a few seconds as attackers connect, perform simple commands (like uname), then disconnect.
  - “Most honeypot sessions do last a very short time, a couple seconds.” (01:05)
Longer Sessions & Repeated Commands
- Outlier sessions last several minutes, usually running the same command repeatedly to transfer binaries or data.
  - “Some sessions … do launch a large number of commands… just repeats of the same command and then just adding more data to a particular binary.” (01:30)
Revealing Last Commands
- Analyzing the final command executed often reveals if attackers detect they're in a honeypot or hints at their overall purpose.
- Some commands evoke distinct responses within honeypots, unintentionally tipping off attackers.
  - “[The] last command … sometimes gives away why they’re connected to a honeypot or that they’re connected to a honeypot.” (01:50)
  - Johannes notes they may need to “fix up some of the responses here to keep them longer entertained in our honeypots.” (02:20)

2. Let’s Encrypt Tests Mass Revocation Procedures

Purpose of the Test
- Let’s Encrypt conducted a test simulating mass revocation to align with baseline requirements that mandate certificate authorities maintain and test large-scale certificate revocation plans.
  - “Certificate authority baseline requirements … must have a plan in how to revoke large numbers of certificates, and then … must test it occasionally. This test is what Let’s Encrypt did now.” (02:35)
ARI Feature
- The test centered on the ACME Renewal Information (ARI) feature, which allows automated tools to efficiently check if a certificate must be renewed in light of a revocation.
  - “If you’re running your script … will also check in with the server authority … whether or not the certificate must be renewed ahead of time.” (03:20)
Scope and Impact
- Only the staging environment was used; production certificates were unaffected.
- No widespread issues observed—most ACME clients don’t yet support ARI, so many users likely remained unaware.
  - “[They] avoided any impact on actual customers … vast majority of ACME clients out there right now will not support the ARI feature, so probably that went unnoticed.” (03:50)

3. F5 BIG-IP CVE-2025-53521: Denial of Service to RCE

Vulnerability Update
- F5 initially published in October what was believed to be a denial of service issue affecting BIG-IP APM components.
  - “Back in October F5 released an advisory about a BIG-IP APM vulnerability … stated that this is a denial of service issue.” (04:15)
Escalation to Remote Code Execution (RCE)
- Recent advisory update reclassifies the issue as an actively exploited remote code execution vulnerability, increasing its urgency and CVSS score.
  - “They just re-released the respective advisory … that this vulnerability is now being exploited … a remote code execution vulnerability after all.” (04:30)
  - “You may have assigned a lower priority because of the categorization as a denial of service. It is now an already exploited remote code execution vulnerability.” (04:55)
Action Items
- Listeners are urged to double-check patch status, especially if initial urgency was low due to the original classification.

Notable Quotes & Memorable Moments

On attacker behavior in honeypots:
- “Most honeypot sessions do last a very short time, a couple seconds. That's no surprise because you have a lot of attackers that will basically just connect, do a quick uname or a quick check like that, and then disconnect again.” (01:05)
On honeypot detection by attackers:
- “What I find actually most interesting... is what's the last command that an attacker executes in the honeypot? Because that command sometimes gives away why they're connected... or that they're connected to a honeypot.” (01:50)
On Let's Encrypt’s responsible testing:
- “They took advantage of a new feature in their ACME … the ARI feature ... they used the Let's Encrypt staging environment ... to avoid any impact on actual customers.” (03:25)
On F5 BIG-IP urgency:
- “It is now an already exploited remote code execution vulnerability.” (04:55)

Timestamps for Important Segments

00:04-01:50 — Honeypot session duration and attacker behavior
01:50-02:20 — Attackers' last commands and potential honeypot detection
02:20-03:50 — Let’s Encrypt mass revocation testing and the ARI feature
03:50-04:55 — F5 BIG-IP vulnerability update: From denial of service to RCE, action steps

Tone & Style

Direct, analytical, clue-driven
Educational, with a focus on immediate security actions
Brief yet detailed; practical advice for defenders

Summary:
In this episode, Johannes B. Ullrich covers cutting-edge observations from honeypot monitoring, provides insight into how Let’s Encrypt responsibly tested its ability to handle mass certificate revocation, and urgently highlights the escalation of a key F5 BIG-IP vulnerability from denial of service to remote code execution, urging listeners to reassess any past patching priorities. If you manage infrastructure or handle certificates, this five-minute recap brings you up to speed on today's critical issues.

Loading summary

Transcript1 lines

[00:05]
A
Hello and welcome to the Tuesday, March 31, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ulrich, recording today from Orlando, Florida, and this episode is brought to you by the Sands Edu graduate Certificate program in Purple Team Operations. Well, in diaries today, Jesse is asking an interesting question. Well, first of all, when do honeypot sessions disconnect? First of all, a couple statistics here. Most honeypot sessions do last a very short time, a couple seconds. That's no surprise because you have a lot of attackers that will basically just connect, do a quick you name or a quick check like that, and then disconnect again. Now, there are a couple of outliers. There are a couple of sessions that last like several minutes. Also some sessions that do launch a large number of commands. Now, quite often these sessions are basically just sort of using these commands to transfer some kind of binary or such. So they're not actually sort of distinct, different commands, but really just repeats of the same command and then just adding more data to a particular binary. But what I find actually most interesting in Jeze's diary is what's the last command that an attacker executes in the honeypot? Because that command sometimes gives away why they're connected to a honeypot or that they're connected to a honeypot. So Jesse looked at some of these commands, and indeed, some of these commands have distinct different return values depending on whether or not they're running in a honeypot or not. So. Well, we'll probably have to fix up some of the responses here to keep them longer entertained in our honeypots. And then we had to do some experiment that let's Encrypt is running. It's a test of their mass revocation policy. So over the years, it always has been a problem if certificate authorities had to revoke a large number of certificates. More recently, the certificate authority baseline requirements do require that certificate authorities first of all must have a plan in how to revoke large numbers of certificates, and then they also must test it occasionally. This test is what let's Encrypt did now, and they took advantage of a new feature in their acme, the ARI feature or the ACME renewal information feature. The way this works is if you're running your script that basically checks if your certificates are still up to date and need to be renewed. Well, this script will also check in with the server authority and basically check, using the ACME protocol and this particular renewal feature, whether or not the certificate must be renewed ahead of time. And that's what they did here. Now they used the let's Encrypt staging environment that is of course used by users to test whether or not their certificate scripts and so properly work, so not the production environment. That way they avoided any impact on actual customers that use these certificates in production. At this point I haven't seen anything about any issues with that. Someone at Certkit, that's one of the clients that implements the ACME protocol, noted that their client dealt with this issue. But of course the vast majority of ACME clients out there right now will not support the ARI feature, so probably that went unnoticed to these users. If it does support the ARI feature, it will request a new certificate and also basically tell the civil authority which certificate replaces so this certificate can then be revoked and back in October F5 released an advisory about a big IP APM vulnerability, CVE2025 53521. But back in October they stated that this is a denial of service issue and I don't think back then I bothered covering it for that reason. Well they just re released the respective advisory stating not only that this vulnerability is now being exploited, but also that it turns out to be a remote code execution vulnerability after all, giving it now a CBSS score of now. Given that this particular advisory was originally released in October, there's a good chance that you already patched this vulnerability. But please double check you may have assigned a lower priority because of the categorization as a denial of service. It is now an already exploited remote code execution vulnerability. Well, and this is it for today. So thanks for listening, thanks for liking, thanks for subscribing and talk to you again tomorrow. Bye.