
SANS Stormcast Highlights Cybersecurity Threats Including VPN Backdoors, Ransomware Tactics, and Windows Server Bug
The May 29, 2026, episode of the SANS Internet Storm Center Stormcast covered several cybersecurity threats and anomalies. A honeypot analysis revealed attackers uploading PowerShell scripts to Linux-based systems via SSH or Telnet, possibly targeting misconfigured or PowerShell-enabled Linux environments. The Urban VPN extension for Chrome and Edge, with millions of downloads, contained a backdoor allowing any website to silently disable the VPN by sending specific keywords, alongside a flawed opt-out mechanism for data collection. The FBI issued a flash alert about the 'Silent Ransom Group,' which escalates tech support scams by physically sending operatives to victim locations, particularly law firms, to deploy malicious USB devices. Windows Server 2016 systems were hit by a bug in the latest security update that prevents hostname resolution for names exactly 15 characters long, with no official fix beyond renaming affected systems. The episode also noted the release of a research journal compiling student papers from the past year.