Hello and welcome to the Friday, March 6, 2026 edition of the Sands Internet Storm Center's Stormcast. My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

And this episode is brought you by the Sands.edu graduate certificate program in cloud security.

Today we got another guest diary from one of our undergraduate interns.

This time it was Joseph Grooons' turn to write up some of his observations from a honeypot.

Now, one of the things about honeypots is that honeypots

are usually easy to identify as a honeypot, and they're not typically getting you sort of

these serodays or targeted exploits, but they're really measuring sort of the background

radiation of the internet, as I sometimes call it, basically sort of all the background noise that you typically end up with from these

ubiquitous scans. And Joseph is going over one particular actor like that.

What you often have happening here is that these individual scanners are then sort of zooming in on a particular type of

exploit, type of artifact they're looking for. Now, where this becomes kind of valuable,

then is also when you're looking at our Honeypot network and the data we publish on the Internet

Storm Center website, if you're getting attacked by an IP address and you wonder,

hey, is this someone that's only attacking me,

or is this someone that is basically scanning the internet

for this particular issue?

Well, just search for the IP address on the Internet Storms Center website

and see what our sensors picked up about that IP address

and whether the activity that you are seeing is different in some ways.

And then sadly we do have another one of those open source library vulnerabilities to talk

about that may send you scrambling to figure out which particular systems

in your network are using this particular library.

...