
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS Stormcast Tuesday, March 31st, 2026: Honeypot Session Lifetime; Let’s Encrypt Tests Mass Revocation; F5 RCE Exploited
Mar 31, 2026
Analysis of long-lived honeypot sessions that repeatedly run commands to transfer malware. A simulation of mass certificate revocation by a major CA and how ACME clients may handle replacement requests. A reclassification of an F5 BIG-IP flaw to remote code execution and the urgency of reprioritizing patches.
Last Command Often Reveals Honeypot Detection
- Attackers sometimes reveal they're in a honeypot by the last command they run before disconnecting.
- Jesse's diary showed commands with distinct return values that hint that a honeypot response needs tweaking to keep attackers engaged.
Most Honeypot Sessions Are Very Short
- Most honeypot sessions are fleeting, often lasting only a couple of seconds before disconnecting.
- Johannes Ullrich observed some outliers that run many repeated commands to stream binaries, revealing different attacker behaviors.
Let's Encrypt Tested Mass Revocation With ACME ARI
- Let's Encrypt tested mass revocation using the new ACME ARI feature in the staging environment to avoid impacting production.
- The ARI renewal check lets clients learn that a certificate should be renewed and tells the CA which certificate replaces it for revocation.
