SANS Stormcast Summary: March 31, 2026
Host: Johannes B. Ullrich
Episode Theme:
A concise briefing focused on recent developments in honeypot research, Let's Encrypt’s mass certificate revocation test, and an important F5 BIG-IP vulnerability reclassification.
Key Discussion Points & Insights
1. Honeypot Session Lifetimes & Attacker Behavior
- Typical Session Duration
  - Most honeypot sessions are extremely brief, often just a few seconds: attackers connect, run a simple command (such as uname), and disconnect.
  - “Most honeypot sessions do last a very short time, a couple seconds.” (01:05)
- Longer Sessions & Repeated Commands
  - Outlier sessions last several minutes, usually running the same command repeatedly to transfer binaries or data piece by piece.
  - “Some sessions … do launch a large number of commands… just repeats of the same command and then just adding more data to a particular binary.” (01:30)
- Revealing Last Commands
  - The final command in a session often reveals whether the attacker has recognized the honeypot, or hints at the session's overall purpose.
  - Some commands provoke distinctive responses from the honeypot that unintentionally tip off attackers.
  - “[The] last command … sometimes gives away why they’re connected to a honeypot or that they’re connected to a honeypot.” (01:50)
  - Johannes notes they may need to “fix up some of the responses here to keep them longer entertained in our honeypots.” (02:20)
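The session-lifetime analysis described above, as an added example rather than ISC or DShield honeypot code: it reads a constructed Cowrie-style JSON-lines log (field names modeled on Cowrie's eventid/session/timestamp/input/src_ip layout; the traffic is invented), computes per-session duration and command volume, collapses byte payloads so repeated "append another chunk to the binary" commands compare equal, and tallies the last command of every session so the honeypot operator can see which responses are worth replaying and fixing.

```python
"""Session-lifetime and last-command analysis over honeypot event logs (added example)."""
import json
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample (not real traffic): a 2.5 s "uname and leave" probe, a
# 4.5-minute session that assembles a binary from hex chunks, and a 3 s probe
# that ends on a command whose honeypot answer may look canned.
SAMPLE_LOG = r"""
{"eventid":"cowrie.session.connect","session":"s1","src_ip":"203.0.113.10","timestamp":"2026-03-30T10:00:00.000Z"}
{"eventid":"cowrie.command.input","session":"s1","timestamp":"2026-03-30T10:00:01.200Z","input":"uname -a"}
{"eventid":"cowrie.session.closed","session":"s1","timestamp":"2026-03-30T10:00:02.500Z"}
{"eventid":"cowrie.session.connect","session":"s2","src_ip":"198.51.100.7","timestamp":"2026-03-30T10:05:00.000Z"}
{"eventid":"cowrie.command.input","session":"s2","timestamp":"2026-03-30T10:05:02.000Z","input":"cd /tmp"}
{"eventid":"cowrie.command.input","session":"s2","timestamp":"2026-03-30T10:06:00.000Z","input":"echo -ne '\\x7f\\x45\\x4c\\x46' >> .x"}
{"eventid":"cowrie.command.input","session":"s2","timestamp":"2026-03-30T10:07:00.000Z","input":"echo -ne '\\x02\\x01\\x01\\x00' >> .x"}
{"eventid":"cowrie.command.input","session":"s2","timestamp":"2026-03-30T10:08:00.000Z","input":"echo -ne '\\x00\\x00\\x00\\x00' >> .x"}
{"eventid":"cowrie.command.input","session":"s2","timestamp":"2026-03-30T10:09:00.000Z","input":"echo -ne '\\x03\\x00\\x28\\x00' >> .x"}
{"eventid":"cowrie.command.input","session":"s2","timestamp":"2026-03-30T10:09:20.000Z","input":"chmod +x .x; ./.x"}
{"eventid":"cowrie.session.closed","session":"s2","timestamp":"2026-03-30T10:09:30.000Z"}
{"eventid":"cowrie.session.connect","session":"s3","src_ip":"192.0.2.44","timestamp":"2026-03-30T11:00:00.000Z"}
{"eventid":"cowrie.command.input","session":"s3","timestamp":"2026-03-30T11:00:01.000Z","input":"cat /proc/cpuinfo | grep name | wc -l"}
{"eventid":"cowrie.session.closed","session":"s3","timestamp":"2026-03-30T11:00:03.000Z"}
"""

PAYLOAD_RE = re.compile(r"(\\x[0-9a-fA-F]{2})+")  # hex byte chunks in echo -ne payloads


def normalize(cmd: str) -> str:
    """Collapse byte payloads so repeated append-chunk commands compare equal."""
    return PAYLOAD_RE.sub("<hex>", cmd)


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


@dataclass
class Session:
    session: str
    src_ip: Optional[str] = None
    start: Optional[datetime] = None
    end: Optional[datetime] = None
    commands: List[str] = field(default_factory=list)


def parse_sessions(log_text: str) -> Dict[str, Session]:
    """Group events by session id; start/end come from the earliest and latest
    event seen, so a session with no 'closed' event still gets a duration."""
    sessions: Dict[str, Session] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        s = sessions.setdefault(ev["session"], Session(ev["session"]))
        ts = parse_ts(ev["timestamp"])
        s.start = ts if s.start is None else min(s.start, ts)
        s.end = ts if s.end is None else max(s.end, ts)
        if ev["eventid"] == "cowrie.session.connect":
            s.src_ip = ev.get("src_ip")
        elif ev["eventid"] == "cowrie.command.input":
            s.commands.append(ev["input"])
    return sessions


def summarize(sessions: Dict[str, Session]) -> List[dict]:
    """One row per session, longest first: duration, command volume, the most
    repeated command template and the final command."""
    rows = []
    for s in sessions.values():
        templates = Counter(normalize(c) for c in s.commands)
        top_tpl, top_n = templates.most_common(1)[0] if templates else ("", 0)
        rows.append({
            "session": s.session,
            "src_ip": s.src_ip,
            "duration_s": round((s.end - s.start).total_seconds(), 1),
            "commands": len(s.commands),
            "top_template": top_tpl,
            "top_template_repeats": top_n,
            # several near-identical appends of byte chunks = file transfer via echo
            "likely_transfer": top_n >= 3 and "<hex>" in top_tpl,
            "last_command": s.commands[-1] if s.commands else None,
        })
    return sorted(rows, key=lambda r: -r["duration_s"])


def last_command_counts(sessions: Dict[str, Session]) -> Counter:
    """Which commands attackers leave on: candidates to replay against the
    honeypot to check whether the response gives it away."""
    return Counter(normalize(s.commands[-1]) for s in sessions.values() if s.commands)


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_LOG)
    for row in summarize(sess):
        print(row)
    print(last_command_counts(sess).most_common())
```

Run against a real Cowrie log the same way: sessions that bubble to the top of `summarize()` with `likely_transfer` set are the minutes-long "append another chunk" outliers from the episode, and `last_command_counts()` is the list of commands whose honeypot responses deserve a second look.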
2. Let’s Encrypt Tests Mass Revocation Procedures
- Purpose of the Test
  - Let’s Encrypt ran a test simulating mass revocation, in line with the CA/Browser Forum Baseline Requirements, which mandate that certificate authorities maintain and periodically exercise a plan for revoking large numbers of certificates.
  - “Certificate authority baseline requirements … must have a plan in how to revoke large numbers of certificates, and then … must test it occasionally. This test is what Let’s Encrypt did now.” (02:35)
- ARI Feature
  - The test centered on ACME Renewal Information (ARI), an ACME extension that lets automated clients ask the CA whether a certificate should be renewed ahead of schedule, for example because the CA intends to revoke it.
  - “If you’re running your script … will also check in with the server authority … whether or not the certificate must be renewed ahead of time.” (03:20)
- Scope and Impact
  - Only the staging environment was used; production certificates were unaffected.
  - No widespread issues were observed. Most ACME clients do not yet support ARI, so many users likely never noticed the test.
  - “[They] avoided any impact on actual customers … vast majority of ACME clients out there right now will not support the ARI feature, so probably that went unnoticed.” (03:50)
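The client side of the ARI check described above, as an added example (not Let’s Encrypt’s code and not any shipping ACME client): it builds the certificate identifier defined in RFC 9773 from the Authority Key Identifier and serial number, forms the renewalInfo URL from the CA directory entry, and turns the CA’s suggestedWindow into a renewal decision. The AKI/serial pair in the usage section is the worked example from RFC 9773; the directory URL and the window responses are constructed stand-ins.

```python
"""ACME Renewal Information (ARI, RFC 9773) client-side helpers (added example)."""
import base64
import random
from datetime import datetime, timezone
from typing import Callable


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def der_integer(n: int) -> bytes:
    """DER-encode a non-negative INTEGER: tag 0x02, length, then the minimal
    big-endian two's-complement content (a leading 0x00 when the top bit is set).
    Serials are at most 20 octets (RFC 5280), so short-form length suffices."""
    if n < 0:
        raise ValueError("certificate serial numbers are positive")
    content = n.to_bytes((n.bit_length() + 8) // 8, "big")
    if len(content) >= 0x80:
        raise ValueError("serial too long for short-form DER length")
    return bytes([0x02, len(content)]) + content


def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """RFC 9773 identifier: base64url(AKI keyIdentifier) '.' base64url(DER serial).
    Both halves include no padding; the serial half covers tag and length bytes."""
    return f"{b64url(aki_key_identifier)}.{b64url(der_integer(serial))}"


def ari_url(directory: dict, cert_id: str) -> str:
    """The renewalInfo resource is advertised in the ACME directory and the
    client GETs <renewalInfo>/<certID>. A CA without ARI has no such key,
    which is how a client learns to fall back to its fixed renewal schedule."""
    base = directory["renewalInfo"]
    return f"{base.rstrip('/')}/{cert_id}"


def parse_rfc3339(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def plan_renewal(renewal_info: dict, now: datetime,
                 pick: Callable[[], float] = random.random) -> datetime:
    """Pick a uniformly random instant inside suggestedWindow, as RFC 9773
    directs so that clients do not all renew at once. If that instant is
    already past (a CA that intends to revoke simply publishes a window that
    has already opened), renew immediately."""
    win = renewal_info["suggestedWindow"]
    start, end = parse_rfc3339(win["start"]), parse_rfc3339(win["end"])
    chosen = start + (end - start) * pick()
    return now if chosen <= now else chosen


if __name__ == "__main__":
    # Worked example values from RFC 9773: AKI keyIdentifier and serial 0x87654321.
    aki = bytes.fromhex("69885b6b87464041e1b37b847ba0ae2cde01c8d4")
    cert_id = ari_cert_id(aki, 0x87654321)
    directory = {"renewalInfo": "https://acme.example/renewalInfo"}  # constructed
    print("GET", ari_url(directory, cert_id))
    # Constructed response: the window has already opened, so renew now.
    response = {"suggestedWindow": {"start": "2026-03-30T00:00:00Z",
                                    "end": "2026-03-30T06:00:00Z"}}
    print("renew at", plan_renewal(response, datetime.now(timezone.utc)))
```

A client that implements this loop sees a mass-revocation exercise as nothing more than a suggestedWindow that has moved into the past and renews on its next poll; a client that never asks the renewalInfo endpoint sees nothing at all, which is why the staging test largely went unnoticed.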
3. F5 BIG-IP CVE-2025-53521: Denial of Service to RCE
- Vulnerability Update
  - In October, F5 published an advisory describing what was then believed to be a denial-of-service issue in BIG-IP APM.
  - “Back in October F5 released an advisory about a BIG-IP APM vulnerability … stated that this is a denial of service issue.” (04:15)
- Escalation to Remote Code Execution (RCE)
  - The updated advisory reclassifies the issue as a remote code execution vulnerability that is already being exploited, raising both its urgency and its CVSS score.
  - “They just re-released the respective advisory … that this vulnerability is now being exploited … a remote code execution vulnerability after all.” (04:30)
  - “You may have assigned a lower priority because of the categorization as a denial of service. It is now an already exploited remote code execution vulnerability.” (04:55)
- Action Items
  - Re-check patch status on affected BIG-IP APM systems, especially where the original denial-of-service classification led to a lower patching priority.
Notable Quotes & Memorable Moments
- On attacker behavior in honeypots:
- “Most honeypot sessions do last a very short time, a couple seconds. That's no surprise because you have a lot of attackers that will basically just connect, do a quick uname or a quick check like that, and then disconnect again.” (01:05)
- On honeypot detection by attackers:
- “What I find actually most interesting... is what's the last command that an attacker executes in the honeypot? Because that command sometimes gives away why they're connected... or that they're connected to a honeypot.” (01:50)
- On Let's Encrypt’s responsible testing:
- “They took advantage of a new feature in their ACME … the ARI feature ... they used the Let's Encrypt staging environment ... to avoid any impact on actual customers.” (03:25)
- On F5 BIG-IP urgency:
- “It is now an already exploited remote code execution vulnerability.” (04:55)
Timestamps for Important Segments
- 00:04-01:50 — Honeypot session duration and attacker behavior
- 01:50-02:20 — Attackers' last commands and potential honeypot detection
- 02:20-03:50 — Let’s Encrypt mass revocation testing and the ARI feature
- 03:50-04:55 — F5 BIG-IP vulnerability update: From denial of service to RCE, action steps
Tone & Style
- Direct, analytical, clue-driven
- Educational, with a focus on immediate security actions
- Brief yet detailed; practical advice for defenders
Summary:
In this episode, Johannes B. Ullrich reports on session lifetimes and last-command patterns seen in honeypot monitoring, explains how Let’s Encrypt tested its mass-revocation capability in its staging environment using the ARI feature, and flags the reclassification of an F5 BIG-IP APM vulnerability from denial of service to actively exploited remote code execution, urging listeners to revisit any patching priorities set under the original classification. If you manage infrastructure or handle certificates, this five-minute recap brings you up to speed.
