Hello and welcome to the Friday, September 19th, 2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the Sands.edu graduate certificate program in penetration testing and ethical hacking.

In diaries today, we have a post by one of our undercredited interns, Nathan Smithen, who did look at the download directory in our curry honeypot.

That directory can be a little bit overwhelming for someone new to investigating Honeypots.

It's really important to sort of find quick methods to triage what's there and quickly

find patterns.

One of the very common patterns is something that Nathan is looking at here, and that's where

the bot has a small bash script that first downloads the actual bot then for multiple

architectures and executes them, hoping that one of those will work on the architecture on

the particular attacked victims' system.

Overall, this is something that you'll see a lot in honeypots and definitely something to sort of be

familiar with if you're trying to sort of work your way through a lot of these detects.

And in the past, we had a lot of sonic wall news and suggestions that it may be

zero days or that maybe firewalls were re-exploited after being exploited in the past and,

well, credentials being leaked by the firewall. Turns out that there was another thing that, well, we didn't quite consider yet.

And Sonic Wall published an advisory now that they found a good number, like 5% of their

customers, had their My Sonic Wall account compromised.

This was, again, a password brute force,

so not real vulnerability, I guess you could argue,

within My Sonic Wall other than maybe preventing brute forcing.

I'm not sure what mitigations they had in place for that.

...