
SANS Internet Storm Center Stormcast Covers Redtail Malware, FreeBSD DHClient Vulnerability, and Linux Copy Fail Flaw
The May 1, 2026, SANS Internet Storm Center Stormcast covered three key cybersecurity threats.

First, the Redtail malware, typically known for installing cryptocurrency miners over SSH after brute-force attacks, was found exploiting older web application vulnerabilities, including PHPUnit flaws, PHP directory traversal, and remote code execution in PHP-CGI on Windows. These attacks target less-monitored systems, which helps the malware persist, and they often indicate a broader compromise than just a cryptominer.

Second, a critical remote code execution vulnerability in FreeBSD's DHClient was highlighted. It allows command injection via unescaped boot file names in DHCP lease files, is exploitable from the same subnet, and is particularly risky for FreeBSD-based firewalls and routers.

Third, the "Copy Fail" privilege escalation flaw in Linux kernels was discussed. It affects all recent distributions because of a crypto primitive issue that enables reliable exploitation; patches were still pending as of the broadcast.

Additionally, a research paper by Brian Nice examined AI model supply chain risks, focusing on malicious code in Python pickle files used for model serialization. Such files can execute arbitrary commands during deserialization, and static scanning tools showed inconsistent detection rates.
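The DHClient issue described above is a classic case of an attacker-controlled option value being written into a file that a shell later evaluates. The following Python snippet, added here as an illustration and not taken from FreeBSD's dhclient or the Stormcast, contrasts the unsafe pattern (interpolating a boot file name verbatim into a shell assignment line) with two defenses: shell-quoting the value and rejecting values outside a strict character allowlist before they are ever written. The option name `filename`, the sample values, and the helper names are all constructed for the example.

```python
import re
import shlex

# Constructed DHCP boot file ("filename") option values as a client might receive them.
LEGIT_BOOTFILE = "pxelinux.0"
HOSTILE_BOOTFILE = "pxelinux.0; echo injected"   # constructed: contains a shell metacharacter

# Conservative allowlist for a boot file path: letters, digits, dot, underscore, slash, dash.
BOOTFILE_ALLOWED = re.compile(r"^[A-Za-z0-9._/-]+$")


def render_unescaped(name: str, value: str) -> str:
    """Vulnerable pattern: the option value is copied verbatim into a shell assignment line."""
    return f"{name}={value}"


def render_quoted(name: str, value: str) -> str:
    """Hardened pattern: shlex.quote() wraps the value so a POSIX shell sees one literal word."""
    return f"{name}={shlex.quote(value)}"


def is_safe_bootfile(value: str) -> bool:
    """Defense in depth: refuse to store a boot file name with characters outside the allowlist."""
    return bool(BOOTFILE_ALLOWED.match(value))


def shell_words(line: str) -> list[str]:
    """Tokenise a line the way a POSIX shell would (shlex with punctuation_chars approximates
    shell word splitting and separates control operators such as ';' into their own tokens)."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def survives_as_one_word(line: str) -> bool:
    """True when the rendered assignment stays a single shell word, i.e. no command boundary slipped in."""
    return len(shell_words(line)) == 1


if __name__ == "__main__":
    for label, value in (("legit", LEGIT_BOOTFILE), ("hostile", HOSTILE_BOOTFILE)):
        print(label, "allowlist:", is_safe_bootfile(value))
        print("  unescaped ->", shell_words(render_unescaped("filename", value)))
        print("  quoted    ->", shell_words(render_quoted("filename", value)))
```

The tokenisation of the unescaped hostile line shows `;` followed by `echo injected` as separate shell words, which is exactly the command boundary the vulnerability depends on; the quoted form keeps the whole value inside one word. Note that shlex does not model `$(...)` or backtick substitution, so the allowlist check, not the tokeniser, is the control to rely on when accepting untrusted option values.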
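To make the pickle risk from the paper concrete, here is an added Python example (not code from the paper, the Stormcast, or any scanning tool it evaluated) that does two things a model consumer can do today: a static scan of a pickle stream for the opcodes that import or invoke callables, which is what code-executing payloads must use, and a restricted unpickler whose `find_class` only resolves an explicit allowlist of globals. The "malicious" sample is constructed and harmless: its `__reduce__` makes the unpickler call `os.getcwd()`, standing in for a real payload's command execution. The allowlist contents and helper names are assumptions for the example.

```python
import io
import os
import pickle
import pickletools

# Opcodes that pull in a global (a callable) or invoke one during unpickling.
# A payload that runs code at load time cannot avoid at least one of these.
CODE_EXEC_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}


class Beacon:
    """Constructed sample: unpickling this calls os.getcwd(), a harmless stand-in for a payload."""

    def __reduce__(self):
        return (os.getcwd, ())


# Constructed inputs: one "weights" blob with plain data only, one carrying a callable.
BENIGN = pickle.dumps({"weights": [0.1, 0.2, 0.3], "layers": 3})
MALICIOUS = pickle.dumps(Beacon())


def suspicious_opcodes(data: bytes) -> list[str]:
    """Static scan: names of opcodes in the stream that import or call code, in stream order.
    No object is constructed; pickletools.genops only disassembles the bytes."""
    return [op.name for op, _arg, _pos in pickletools.genops(data) if op.name in CODE_EXEC_OPCODES]


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals; anything else aborts the load."""

    # Example allowlist (assumption): containers a plain model state dict might legitimately need.
    SAFE_GLOBALS = {("builtins", "set"), ("builtins", "frozenset"), ("collections", "OrderedDict")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_loads(data: bytes):
    """Load a pickle through the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_or_reject(data: bytes) -> tuple[bool, object]:
    """Returns (True, obj) for an accepted pickle, (False, reason) for a blocked one."""
    try:
        return True, safe_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, "scan:", suspicious_opcodes(blob))
        print(label, "restricted load:", load_or_reject(blob))
    # A plain pickle.loads() would execute the callable: here that merely returns the cwd.
    print("plain pickle.loads ran the callable:", pickle.loads(MALICIOUS) == os.getcwd())
```

The scan flags the constructed sample because the stream must reference `getcwd` through a global-import opcode and then invoke it with `REDUCE`; the benign state dict triggers neither. The two controls are complementary: the opcode scan is cheap and runs before any object exists, while the restricted unpickler is the hard stop if a scanner is skipped or, as the paper found for some tools, misses a variant.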