
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast) SANS Stormcast Friday, March 20th, 2026: Cowrie Strings; MSFT Intune Hardening; Unifi Network Update;
Mar 20, 2026 Unusual strings captured in Cowrie honeypots and what they reveal about attacker behavior. A major abuse of Intune prompts concrete hardening advice and practical protections for endpoint management. A UniFi Network security update covers path traversal and NoSQL injection fixes and recommended mitigation steps.
AI Snips
Nation Mentions In Payloads Do Not Equal Nation State Attacks
- Mentioning a nation in an attack payload doesn't prove a nation-state operation.
- Attackers often insert strings for notoriety, testing, or to identify honeypots rather than political attribution.
Cowrie Honeypot Message Used As Presence Marker
- Johannes Ullrich describes an attacker adding a message string into Cowrie honeypot command lines to signal presence.
- The string "magic payload killer here or leave empty and then Iran bot was here" was used to mark commands and test honeypot responses.
Harden Intune With Phishing Resistant Auth And Multi Admin Approval
- Harden Microsoft Intune with phishing-resistant authentication and limit admin privileges.
- Enable multi-admin approval for destructive actions like wiping devices, so that a single compromised account cannot wipe devices on its own, as happened to ~200,000 devices in the Stryker incident.
