
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS Stormcast Friday, February 13th, 2026: SSH Bot; OpenSSH MacOS Change; Abused Employee Monitoring
Feb 13, 2026
Analysis of a fast self‑propagating SSH worm and its unusual IRC command-and-control technique. A discussion of OpenSSH changes on macOS and a new quantum-safe algorithm warning for older servers. Coverage of how employee monitoring and remote support tools are being misused to run attacker code. Practical reminders to lock down and monitor remote management systems.
AI Snips
IRC-Backed SSH Worm Observed
- Jonathan Husk analyzed an SSH worm that uses IRC as a command-and-control channel, a technique Johannes notes hasn't been common lately.
- The worm tries predictable credentials like "raspberry" and an odd "raspberry 993311" password observed across other bots without clear origin.
Quantum-Safe Warnings From OpenSSH
- OpenSSH 10.1+ introduced a client warning about servers lacking quantum-resistant algorithms, and macOS moved from OpenSSH 10.0 to 10.2.
- The warning doesn't block connections but prompts admins to consider upgrading server cryptography.
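One way for an admin to check a server ahead of that warning, as an added example that is not from the episode or from the OpenSSH project: the script reads the effective server configuration in the format `sshd -T` prints and reports whether any post-quantum hybrid key exchange is offered. The function names and both sample configurations are constructed for illustration; the three algorithm names are the hybrid key exchanges OpenSSH ships.

```shell
#!/bin/sh
# Added example: audit an sshd effective-config dump for post-quantum KEX.
# Function names are hypothetical; sample inputs below are constructed.

# pq_kex_in_list "a,b,c": print the post-quantum KEX names found in a
# comma-separated list, in the server's order. Returns 1 if none are present.
pq_kex_in_list() (
    set -f          # no globbing while splitting the list
    IFS=','
    found=""
    for alg in $1; do
        case "$alg" in
            mlkem768x25519-sha256|sntrup761x25519-sha512|sntrup761x25519-sha512@openssh.com)
                found="${found:+$found,}$alg" ;;
        esac
    done
    [ -n "$found" ] && printf '%s\n' "$found"
)

# audit_kex: read `sshd -T` style output on stdin, print one verdict line.
# Exit status: 0 = PQ KEX offered, 1 = classical only, 2 = no KEX line seen.
audit_kex() (
    kex=$(awk '$1 == "kexalgorithms" { print $2; exit }')
    if [ -z "$kex" ]; then
        echo "UNKNOWN: no kexalgorithms line in input"
        exit 2
    fi
    if pq=$(pq_kex_in_list "$kex"); then
        echo "OK: post-quantum KEX offered: $pq"
    else
        echo "WARN: classical KEX only; OpenSSH 10.1+ clients will warn"
        exit 1
    fi
)

# Constructed samples in the lowercase "key value" layout of `sshd -T`.
SAMPLE_OLD='port 22
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256'
SAMPLE_NEW='port 22
kexalgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,curve25519-sha256'

printf '%s\n' "$SAMPLE_OLD" | audit_kex || true
printf '%s\n' "$SAMPLE_NEW" | audit_kex
# On a real host (root is normally required): sshd -T | audit_kex
```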
Admin Tools Are Reusable Attack Paths
- Many legitimate remote management tools include execution features intended for maintenance, which create high-risk abuse paths when compromised.
- Past incidents show attackers repeatedly weaponize such admin tooling, so this is a recurring operational risk.
