
SANS Stormcast Episode Covers DNS NAPTR Records, RCS, OpenSSH Vulnerabilities, and North Korean Threat Actor Activity
The July 7, 2026, SANS Internet Storm Center Stormcast episode highlights lesser-known DNS records, specifically NAPTR records, which allow result rewriting via regular expressions and were defined in an RFC from 2000. These records were observed in home network traffic, later identified as part of Rich Communication Services (RCS), a modern SMS replacement using SIP (Session Initiation Protocol) deployed by carriers like Verizon and AT&T. While NAPTR records in RCS do not exploit regex functionality, they are also used in an international e-invoicing protocol, though its adoption remains unclear. The episode notes OpenSSH 10.4, released to address security issues—including an SFTP client vulnerability enabling file writes to unintended directories—and introduces post-quantum signature algorithm support, though distribution updates may backport fixes. BeyondTrust disclosed four recently patched vulnerabilities, two enabling authentication bypass in specific configurations, with fixes included in an April rollup. A North Korean threat actor was reported targeting developers via malicious GitHub pull requests, disguising changes by altering Git history and expanding attack vectors to Go, Chrome extensions, and Node.js. The key takeaway emphasizes monitoring DNS traffic for unusual records and scrutinizing Git history beyond surface-level reviews.