
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS Stormcast Wednesday, April 8th, 2026: Pivoting for Webshells; WatchGuard Firebox Patch; Project Glasswing; Kubernetes Misconfigurations
Apr 8, 2026
Scans searching for web shell filenames and why attackers favor WordPress-like names. How to detect malicious web shells beyond simple filename lists. A WatchGuard Firebox path traversal flaw that can enable arbitrary file writes. Anthropic's Project Glasswing giving vendors AI access to find vulnerabilities earlier. Real-world Kubernetes attacks from misconfigurations and stolen CI/CD credentials.
AI Snips
Attackers Probe Hundreds Of Web Shell Names
- Attackers scan widely for many web shell filenames rather than a single name.
- Johannes Ullrich saw four Microsoft-cloud IPs probe ~280 specific web-shell filenames across sensors, including WordPress-style paths.
Monitor For New Files Not Just Known Shells
- Monitor for new or unexpected files rather than only matching known web shell filenames.
- Johannes recommends file‑system monitoring because attackers use large, changing lists (he saw ~280 names).
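
An added example (not from the podcast or its show notes) of name-independent monitoring: it takes a hash baseline of a web root and reports any new or modified file, whatever it is called. The script-extension set, the sample directory layout and the file names are assumptions constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumption: extensions the web server would execute; adjust per stack.
SCRIPT_EXTS = {".php", ".phtml", ".jsp", ".aspx"}

def snapshot(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # skip symlinks and special files
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            snap[p.relative_to(root).as_posix()] = digest
    return snap

def diff(baseline, current):
    """Return (kind, path, is_script) for files that are new or changed."""
    findings = []
    for path, digest in sorted(current.items()):
        if path not in baseline:
            kind = "new"
        elif baseline[path] != digest:
            kind = "modified"
        else:
            continue
        findings.append((kind, path, Path(path).suffix.lower() in SCRIPT_EXTS))
    return findings

def demo():
    """Build a constructed web root, change it, and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "wp-content/uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'home';")
        (root / "wp-content/uploads/logo.png").write_bytes(b"\x89PNG constructed")
        baseline = snapshot(root)
        # Constructed changes: a script under a name no list contains, plus an edit.
        (root / "wp-content/uploads/cache-7f3.php").write_text("<?php /* placeholder */")
        (root / "index.php").write_text("<?php echo 'home'; // changed")
        return diff(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, path, is_script in demo():
        print(kind, path, "(script)" if is_script else "")
```

In practice the baseline would be stored outside the web root and refreshed only after a reviewed deployment.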
WatchGuard Firebox Arbitrary File Write Example
- WatchGuard disclosed a Firebox web UI path‑traversal that allows authenticated arbitrary file write and execution.
- Johannes notes that authentication is required for exploitation, but because written files can be placed in executable locations, patching is needed.
