
SANS Stormcast Wednesday, April 8th, 2026: Pivoting for Webshells; WatchGuard Firebox Patch; Project Glasswing; Kubernetes Misconfigurations
Hello and welcome to the Wednesday, April 8, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida, and this episode is brought to you by the SANS.edu Graduate Certificate Program in Cyber Defense Operations. Now, today I did, as the title of today's diary states, a little bit of pivoting looking for web shells. I noticed four distinct IP addresses, all interestingly associated with Microsoft's cloud services, that scanned our sensors for a specific web shell, Turkshell.php. Nothing that's sort of fancy or special about this particular web shell, but web shells are sort of the backdoor, the type of persistence mechanism being deployed against vulnerable web applications, either with remote code execution or with an arbitrary file upload vulnerability. And then they're not just used by the original attacker, but also by parasitic attackers. And that's apparently what we have here: they are looking for pre-installed web shells and are trying to exploit them, because attackers often don't pick strong passwords either. And that's what I then looked into further. I looked at those four IP addresses and what other URLs they were scanning, and it turned out, well, it was over 200 different URLs they looked for, all of them apparently associated with web shells. There were a couple in there where I think they looked for vulnerabilities, or really just did some fingerprinting on the site to see maybe what particular web shell may be present. One of the themes in the file names was also that many of them tried to sort of fit in with WordPress websites, and well, that's no surprise with all the WordPress vulnerabilities around these days, and of course that being sort of a favorite attacker target. Lessons learned here: don't look for just specific web shell names. This particular attacker looked for, I think, 280 or so different file names.
There are probably many, many more out there. So you're never going to capture them all, or even close to all. Instead, do some more generic monitoring: look for new files on file systems and such. That's probably more fruitful than just looking for the list of file names that I posted here as part of this diary. And talking about arbitrary file writes being used to deploy web shells, WatchGuard actually did release an advisory stating that they have just this type of vulnerability in their Firebox appliances. Now, this doesn't make it that severe, because in this particular instance you have to be authenticated in order to exploit this particular vulnerability. But they also state it can be used for arbitrary file execution. So yes, files are being written into locations that can then be executed. So definitely something that you want to patch and, well, as you patch it, double check that there are no new files on the system. And I think it was just yesterday that I talked about some of the progress being made in finding software vulnerabilities using AI models. Today Anthropic did release a new project, Project Glasswing, and what it does is, apparently, the latest and greatest model released by Anthropic, Mythos 2, well, it is actually able to find vulnerabilities at a scale that far surpasses what prior models did. In order to responsibly use this model, what Anthropic did here is essentially get something like 30 different companies together that are specifically creating critical software, giving them sort of first access to this new model, to hopefully outpace some of the attackers using similar models to then find the same vulnerabilities. And maybe a year from now we don't have to talk each week about vulnerabilities in software like we just had with Firebox or other security products.
Now, one of the companies that's participating in Project Glasswing is Palo Alto, and their Unit 42 did publish today an interesting summary of attacks against Kubernetes that they're seeing. I guess the good news is that it wasn't just a passwordless exposed API that was exploited, but instead the attacker had to go through the trouble of actually spearphishing a developer to steal credentials. After that it became relatively straightforward. The attacker was able to connect to the Kubernetes entry point, deploy their own malicious pod, and then from there go on and steal various credentials via the CI/CD pipelines that were exposed to this particular pod that the attacker exploited. Pretty interesting attack, and it really sort of outlines a couple of fundamental configuration issues that are often found in Kubernetes. So if you are deploying Kubernetes, then please make sure to take a look at this post by Unit 42, because it really makes some good points here and outlines some of the real attacks that have been seen by Palo Alto and Unit 42 against these kinds of setups. Well, and that's it for today. Thanks for liking, thanks for subscribing, thanks for recommending this podcast. Remember, no podcast on Friday, but until then, well, talk to you again tomorrow. Bye.
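The "look for new files" advice in the web shell segment and the "double check that there are no new files" step after patching Firebox both come down to the same control: a file-integrity baseline of the directories an attacker can write to. The script below is an added example, not code from the diary, from SANS or from any of the vendors mentioned. It hashes every file under a web root, re-scans, reports new, modified and deleted files, and then runs a crude content check over anything new or modified. The directory layout, file names and the list of PHP marker functions are constructed for the demonstration and are not a vetted signature set.

```python
"""Generic web-shell monitoring: baseline a web root, then report new or
modified files instead of matching a list of known web-shell file names."""
import hashlib
import os
import re
import shutil
import tempfile

# Constructed marker list (an assumption, not a vetted signature set): PHP
# functions that hand attacker input to an interpreter or a shell. This is a
# secondary check only; the primary signal is "this file was not here before".
SUSPICIOUS_PHP = re.compile(
    rb"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(",
    re.IGNORECASE,
)


def sha256_of(path):
    """Stream a file through SHA-256 so large uploads are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative, POSIX-style path) to its hash."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline


def diff_against_baseline(root, baseline):
    """Return sorted lists of (new, modified, deleted) paths versus the baseline."""
    current = build_baseline(root)
    new = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    deleted = sorted(p for p in baseline if p not in current)
    return new, modified, deleted


def looks_like_webshell(path):
    """Crude content check: a PHP open tag plus one of the marker functions."""
    with open(path, "rb") as fh:
        data = fh.read()
    return b"<?php" in data and SUSPICIOUS_PHP.search(data) is not None


def triage(root, baseline):
    """Diff against the baseline, then flag new/modified files that look shell-like."""
    new, modified, deleted = diff_against_baseline(root, baseline)
    flagged = sorted(p for p in new + modified
                     if looks_like_webshell(os.path.join(root, p)))
    return new, modified, deleted, flagged


def demo():
    """Constructed scenario: a tiny WordPress-like tree is baselined, then an
    attacker drops a shell under uploads/ and backdoors an existing plugin file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    try:
        plugin_dir = os.path.join(root, "wp-content", "plugins", "demo")
        upload_dir = os.path.join(root, "wp-content", "uploads")
        os.makedirs(plugin_dir)
        os.makedirs(upload_dir)
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php require 'wp-blog-header.php';\n")
        with open(os.path.join(plugin_dir, "demo.php"), "w") as fh:
            fh.write("<?php echo 'hello';\n")
        baseline = build_baseline(root)

        # Post-compromise: a new file with a WordPress-sounding name (constructed) ...
        with open(os.path.join(upload_dir, "wp-cache.php"), "w") as fh:
            fh.write("<?php eval($_POST['c']);\n")
        # ... and a legitimate plugin file with a backdoor appended to it.
        with open(os.path.join(plugin_dir, "demo.php"), "a") as fh:
            fh.write("system($_GET['x']);\n")

        return triage(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    new, modified, deleted, flagged = demo()
    print("new:", new)
    print("modified:", modified)
    print("deleted:", deleted)
    print("flagged as shell-like:", flagged)
```

In practice the baseline is written out once after a known-good deploy and the diff runs on a schedule; refresh the baseline only as part of a deploy, and keep it off the web server (or at least outside the web root and read-only to the web user), because an attacker with an arbitrary file write can otherwise rewrite the manifest along with the shell. The content check will miss obfuscated shells; the new-file signal is the one that matters.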
In this episode, host Johannes B. Ullrich delivers a compact, expert overview of the day's security events: pivoting on scanner traffic to enumerate the web shell file names attackers probe for (many of them styled to blend into WordPress sites), an authenticated arbitrary file write vulnerability in WatchGuard Firebox appliances that the vendor says can lead to arbitrary file execution, Anthropic's Project Glasswing for AI-driven vulnerability discovery, and a breakdown by Palo Alto's Unit 42 of a real-world Kubernetes intrusion that began with a spearphished developer. The episode emphasizes the evolving threat landscape as attackers and defenders ramp up their automation and sophistication.
“Lessons learned here: Don’t look for just specific web shell names… Do some more generic monitoring, look for new files on file systems and such. That’s probably more fruitful than just looking for the list of file names.”
— Johannes B. Ullrich [01:50]
“Files are being written into locations that can then be executed. So definitely something you want to patch… and as you patch, double check there are no new files on the system.”
— Johannes B. Ullrich [03:25]
“Maybe a year from now we don’t have to talk each week about vulnerabilities in software like we just had with Firebox or other security products.”
— Johannes B. Ullrich [04:12]
“It really outlines a couple of fundamental configuration issues that are often found in Kubernetes… outline some of the real attacks that have been seen by Palo Alto and Unit 42 against these kinds of setups.”
— Johannes B. Ullrich [04:53]
| Timestamp | Speaker | Quote |
|-----------|---------|-------|
| 01:50 | Johannes B. Ullrich | “Don’t look for just specific web shell names… Do some more generic monitoring, look for new files on file systems and such…” |
| 03:25 | Johannes B. Ullrich | “Files are being written into locations that can then be executed. So definitely something that you want to patch… and, as you patch, double check that there are no new files on the system.” |
| 04:12 | Johannes B. Ullrich | “Maybe a year from now we don’t have to talk each week about vulnerabilities in software…” |
| 04:53 | Johannes B. Ullrich | “It really makes some good points here and outlines some of the real attacks that have been seen by Palo Alto and Unit 42…” |
Johannes wraps up by thanking listeners and reminding defenders both to stay patched and to proactively audit their own infrastructure, emphasizing baseline hygiene over chasing the ever-changing list of known bad file names. He highlights vendor collaboration and AI-assisted vulnerability discovery as hopeful trends for outpacing adversaries, but underscores that configuration basics remain critical.
For more detailed lists and full diary entries, refer to the SANS Internet Storm Center website.