
SANS Stormcast Tuesday, May 5th, 2026: Honeypot Update; MOVEit Patches; Apache http2 Vuln;
A
Hello and welcome to the Tuesday, May 5, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida, and this episode is brought to you by the SANS.edu Graduate Certificate Program in Penetration Testing and Ethical Hacking.
Well, in diaries today I gave a little update on the DShield honeypot. I released today a version that will actually allow you to run it on the latest version of Ubuntu, 26.04. There was only one minor adjustment I had to make, and it only affected the minimum install of Ubuntu. So if you have one of the normal server installs, well, it should just work out of the box. Before you upgrade to Ubuntu 26.04, realize that some of the base utilities of Linux, like mv, rm and the like, were rewritten in Rust in that version, and apparently it had actually led to some other vulnerabilities, like some time-of-check, time-of-use vulnerabilities. So not necessarily recommending that you upgrade to 26.04. And for now we definitely will still support 24.04, in particular since they are so similar. But if you have a new 26.04 system, well, the honeypot should just work nicely on it. Also making some adjustments to Cowrie; that'll take a little bit longer. There was one odd sort of encoding issue where some of the API keys weren't used correctly. So if you do observe that your SSH and Telnet reports are not being reported to us, well, let me know and I can walk you through how to fix it. But that'll probably come in the next couple days as an official update to the honeypot, including sort of a little bit of a revamp of Cowrie itself. Cowrie, if you're not familiar with it, that's the Python script we use to simulate Telnet and SSH. Great little honeypot, and definitely a very useful tool for us.
And Progress, the maker of the file management software MOVEit, has released their April update fixing two different vulnerabilities. One is rated high, one is rated critical. Well, the end result is that you have authentication bypass issues through the service backend command port interfaces. I don't think they need to be exposed. So that's something to look at to further maybe protect those interfaces, those IP addresses, from external access. But please refer to the details here from Progress on how to properly configure MOVEit. I'm not that familiar with this particular piece of software. Either way, no real sort of additional items here from Progress as to what else you could do but patch. So go ahead and patch. The reason I cover this software is that in the past it has been used to deploy ransomware. So it's certainly on the radar of the bad guys and they may already be working on an exploit.
And then we have an update for the Apache HTTP server. This update isn't so far significant that it fixes, yes, a number of vulnerabilities, but one in particular could possibly lead to remote code execution. It's part of the HTTP/2 module, so something that's often enabled. However, and that's a big sort of constraint here, only one specific version is affected, 2.4.66. That's the version prior to today's version, version 2.4.67. So only if you downloaded this very specific version, which you probably then downloaded from Apache itself and compiled from source, only then you're vulnerable. Most distributions fix themselves sort of on, you know, a particular version and then just sort of apply some bug fixes, security fixes, so they don't appear to be vulnerable. Of course, obviously a little bit hard to tell what's being backported or not. Double check that there are no Apache updates for your particular Linux distribution, but so far I haven't really seen that affect any particular Linux distribution.
Well, and that's it for today, so thanks for listening and specifically thanks for anybody who is like sending information about what you would like to hear more about or less about for that matter. It's always a little bit hard to tell what actually is actionable for you in these podcasts. So any feedback to that effect is highly welcome and talk to you again tomorrow. Bye.
Host: Johannes B. Ullrich
Key Topics: Honeypot Update, MOVEit Patches, Apache http2 Vulnerability
Duration: Approx. 5 Minutes
This episode delivers a concise roundup of the day’s most important network security news, focusing on developments in honeypot research, critical vulnerabilities affecting MOVEit file transfer software, and an urgent patch for the Apache HTTP server. Johannes B. Ullrich highlights actionable steps for defenders and shares his own direct experiences and updates within the SANS environment.
(00:34 – 02:16)
Ubuntu 26.04 Compatibility:
Caution on Upgrading Ubuntu:
mv, rm) have been rewritten in Rust, introducing new “time of check, time of use” vulnerabilities.
Cowrie Honeypot Adjustments:
What is Cowrie?
(02:17 – 03:15)
Two New Vulnerabilities Patched:
Mitigation Tips:
Importance of Immediate Patching:
(03:16 – 04:22)
Critical RCE Fix in http2 Module:
Specificity of Vulnerable Version:
Action for Defenders:
On Community Feedback:
“It's always a little bit hard to tell what actually is actionable for you in these podcasts. So any feedback to that effect is highly welcome.” (04:36)
On MOVEit’s Risk Profile:
“It's certainly on the radar of the bad guys and they may already be working on an exploit.” (03:08)
For detailed instructions or unique platform situations, always refer to official advisories and consider reaching out directly with reporting or troubleshooting needs.