Hello and welcome to the Friday, December 5th, 2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, recording today from Dallas, Texas.

And this episode is brought you by the sands.edu graduate certificate program in cloud

security. In diaries today, we do have one of our undergraduate interns again, Jackie Nobjian,

talking about one of the attack observations that she retrieved from her honeypot.

In this particular case, well, we have an S-H scan, so the initial entry vector here was a weak

username and password.

What made this sort of a little bit interesting is that the request appeared to come from

an Indonesian government system.

Then, of course, the question is always, can you somehow imply intent if such an a

utterance is used? Well, Jackie here looked closer at the particular sample. It was fairly

standard, sort of a standard S-S-H warm that we have so many of it.

So her conclusion here was that this was not actually any kind of government organized or attributable event,

but instead likely just another compromise system that just happened to be inside this particular government's

network. Of course, packets themselves usually don't speak to intent. We would have to observe

more what the particular attack was actually then after, but in this case, it didn't really

look like it was anything special.

In the past, some government actors, for example, have used similar techniques to attack

home routers and the like in order to then build more sophisticated attack networks.

Well, that's just a quick update on the React vulnerability.

There are now working proof-of-concept exploits out there that have been verified,

that can easily be adjusted in order to launch arbitrary code on vulnerable systems.

...