
SANS Internet Storm Center Discusses Cybersecurity Topics
In this July 7, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich discusses several fascinating topics related to cybersecurity. He begins by talking about interesting usernames observed in honeypots, then covers a recent vulnerability in sudo, the Citrix Bleed 2 vulnerability, and very short-lived certificates.

Firstly, Ullrich mentions unusual usernames like "not a chance. This is real." which are used to identify honeypots. Honeypots, such as those based on Cowrie, sometimes accept random credentials so that the actions of attackers can be observed. However, attackers can exploit this by using clearly fictitious username and password combinations: a login that succeeds with such credentials reveals a honeypot. Other notable usernames include "SCADA admin", related to Rapid SCADA systems, and names like "GPU001" and "GPU00002", which seem to be used as hostnames on some systems hosting GPUs.

Next, Ullrich addresses a recent vulnerability in sudo, discovered by Rich Mirch of Stratascale. This vulnerability concerns the "host" option in sudo, which allows a user to specify a different host. Although this option is intended to be used with the "list" option, it also works with the "edit" option, allowing a relatively trivial privilege escalation. This vulnerability, present for 13 years, has been fixed in most Linux distributions.

Ullrich then moves on to the Citrix Bleed 2 vulnerability, patched about two weeks ago. watchTowr provided a detailed explanation and a proof-of-concept exploit. The vulnerability resides in the login page and how the login parameter is parsed. By sending a POST request to the authentication endpoint with specific content, the vulnerability can be triggered, returning random memory content in the response field.

Finally, Ullrich discusses the growing trend of very short-lived certificates, such as those used by Instagram. These certificates, valid for only 7 days, are renewed daily to avoid update issues near the expiration date. This practice demonstrates how to operationalize very short-lived certificates, a trend initiated by Let's Encrypt.

These insights have important practical implications for cybersecurity professionals. Understanding how attackers identify honeypots can help improve defense strategies. Additionally, vigilance regarding vulnerabilities in commonly used tools like sudo is crucial for maintaining system security. Finally, adopting short-lived certificates can enhance security by reducing the window of exposure to attacks.
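As an added example (not code from the Stormcast or from the Cowrie project), the following Python classifies login attempts in Cowrie-style JSON logs into the categories the episode describes: honeypot fingerprinting credentials, Rapid SCADA style accounts, and GPU hostnames. The log lines are constructed for illustration, and the `src_ip` addresses are reserved documentation ranges.

```python
import json
import re
from collections import Counter

# Credentials the Stormcast describes as honeypot fingerprinting: a real
# server would never accept them, so a "success" reveals a permissive honeypot.
FINGERPRINT_USERNAMES = {"not a chance. this is real."}
# Rapid SCADA style accounts and GPU-host style names also seen in the feed.
SCADA_USERNAMES = {"scada admin"}
GPU_HOST_RE = re.compile(r"^gpu\d{3,}$", re.IGNORECASE)


def classify_username(username: str) -> str:
    """Map a login username to one of the categories discussed above."""
    u = username.strip().lower()
    if u in FINGERPRINT_USERNAMES:
        return "honeypot-probe"
    if u in SCADA_USERNAMES:
        return "scada"
    if GPU_HOST_RE.match(u):
        return "gpu-hostname"
    return "other"


def summarize_cowrie_log(lines):
    """Count login attempts per category; non-login and malformed lines are skipped."""
    counts, probes_by_ip = Counter(), Counter()
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line
        if not str(event.get("eventid", "")).startswith("cowrie.login."):
            continue  # only login events carry a username
        category = classify_username(event.get("username", ""))
        counts[category] += 1
        if category == "honeypot-probe":
            probes_by_ip[event.get("src_ip", "unknown")] += 1
    return counts, probes_by_ip


# Constructed sample lines in Cowrie's JSON log shape (not real captures).
SAMPLE_LOG = """
{"eventid": "cowrie.session.connect", "src_ip": "198.51.100.7"}
{"eventid": "cowrie.login.failed", "username": "not a chance. This is real.", "password": "x", "src_ip": "198.51.100.7"}
{"eventid": "cowrie.login.success", "username": "SCADA admin", "password": "admin", "src_ip": "203.0.113.9"}
{"eventid": "cowrie.login.failed", "username": "GPU001", "password": "gpu", "src_ip": "203.0.113.9"}
{"eventid": "cowrie.login.failed", "username": "GPU00002", "password": "gpu", "src_ip": "203.0.113.9"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "123456", "src_ip": "192.0.2.5"}
"""
```

Running `summarize_cowrie_log(SAMPLE_LOG.splitlines())` returns the per-category counts together with the source addresses that sent fingerprinting credentials, which is the signal a honeypot operator would want to review before deciding whether the honeypot has been identified.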