SANS Stormcast Tuesday, June 30th, 2026: Favicon Recon Automation; Targeting Messaging; Gemini CLI vuln; IPv6 Frag Escape
Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9988.mp3
Adding some Automation to the favicon.ico method of Host Recon
https://isc.sans.edu/diary/Adding%20some%20Automation%20to%20the%20favicon.ico%20method%20of%20Host%20Recon/33110
Russian Intelligence Services Continue to Target Commercial Messaging Applications
https://www.ic3.gov/PSA/2026/PSA260626
Google Gemini CLI Vulnerability CVE-2026-12537
https://github.com/advisories/GHSA-jj69-4grx-fqj5
IPv6 Frag Escape
https://github.com/sgkdev/ipv6_frag_escape
My Upcoming Classes
https://www.sans.org/profiles/dr-johannes-ullrich

| Course | Location | Dates |
| --- | --- | --- |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 13th - Jul 18th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Online (British Summer Time) | Jul 27th - Aug 1st 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Las Vegas | Sep 21st - Sep 25th 2026 |
| Network Monitoring and Threat Detection In-Depth | Amsterdam | Nov 9th - Nov 14th 2026 |
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 14th - Dec 18th 2026 |
Podcast Transcript
Hello and welcome to the Tuesday, June 30th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Riyadh, Saudi Arabia. And this episode is brought to you by the SANS.edu graduate certificate program in industrial control system security.

One of the critical parts of any penetration test is reconnaissance and identifying resources at risk that need to be considered as part of the scope of a penetration test. Well, one way to find web services that may be related to a particular entity is to look for favorite icons. Websites typically use company logos and the like as favorite icons, so different websites having the same favorite icon are likely maintained by the same organization. And there is a neat way of doing this: there is a hash you can calculate for the favorite icon of a website, and then you can search Shodan for this hash. Well, Rob is talking here in today's diary about how to use the information retrieved from Shodan, in particular if you are receiving a lot of hits, to more automate the collection of the data and do some initial sifting of the data to see which resources may apply and may need to be tested.

And the FBI is warning yet again of attacks against messaging services, in particular Signal. Now, these attacks are currently, according to the FBI, being used against targets of high intelligence value. Likely the attacker is related to the Russian government. But the attacks are simple enough where I think, well, criminals will probably use the same technique pretty soon if they are not already using this technique. The goal here is to gain access to the backup recovery key. What you will receive is a message via Signal or other messenger services that will basically instruct you to create a backup recovery key. Usually some kind of ruse is being used, like your account or your messages are about to be deleted. And it's sometimes sort of framed like this is actually a key that helps you to back up your messages, which, well, it's not really in this case. So the victim is then tricked into copy-pasting the backup recovery key into the attacker's message. And with that, the attacker now gains access to the victim's account. One interesting tidbit here: if you realize that you fell for this particular ruse, you are deleting your account, you're creating a new account, but you're still using the same phone number. Well, the backup recovery key will remain valid, will remain the same key. So that technique of deleting the account, setting up a new account, doesn't work if you retain the same phone number associated with the account.

And Google is warning about a vulnerability in the command line interface for its Gemini AI tools. This is yet again one of those vulnerabilities that's exploitable if a developer is checking out a repository. The only thing an attacker here needs to do is convince the victim to check out a repository with a malicious .gemini.env file. This then can lead to arbitrary code execution. Google assigned this vulnerability a CVSS score of 10.

And I have to admit, the next vulnerability I'm going to talk about, well, it initially caught my eye for all the wrong reasons, because I saw, hey, it's IPv6 fragmentation related. And yes, it is. But this is not a vulnerability that's actually exploitable by sending IPv6 packets remotely across the network. This vulnerability, discovered by Massimiliano Oldani, does take advantage of some memory allocation issues with IPv6 buffers in the operating system and takes advantage of the vulnerability in such a way that an unprivileged user can use the vulnerability to actually gain access to a root shell on the host. So a complete container escape, which, given the prevalence of containers and how many people are relying on them for some kind of security isolation, is certainly a severe problem and something that does deserve some attention. Not all Linux variants and distributions are vulnerable. It relies on buffers not properly being cleared between use, but some major vulnerable distributions, like, for example, CentOS, are doing just that. They're not clearing out these buffers, so they are vulnerable.

Well, and this is it for today. So thanks for listening. Thanks for liking. Thanks for recommending this podcast. And as always, talk to you again tomorrow. Bye.
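The favicon hash Johannes refers to is MurmurHash3 (32-bit) computed over the base64 text of the icon file, which is what Shodan's http.favicon.hash filter indexes; the diary then deals with sorting through a large pile of hits. The following is an added example, not code from Rob's diary or from the ISC: a dependency-free implementation of that hash, the Shodan query string it produces, and a small triage helper that collapses Shodan-style banner records into hash-to-host groups so a defender can quickly see which of their organisation's exposed services share an icon. The record layout (ip_str, port, http.favicon.hash) follows Shodan's banner JSON but is simplified, and the favicon bytes and hit records are constructed for the example, not real data.

```python
import base64
from collections import defaultdict

C1, C2, MASK32 = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """Pure-Python MurmurHash3 x86_32. Returns a signed 32-bit int, the same
    convention as mmh3.hash(), which Shodan's favicon hash is built on."""
    h1 = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):                      # 4-byte body blocks
        k1 = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k1 = (k1 * C1) & MASK32
        k1 = _rotl32(k1, 15)
        k1 = (k1 * C2) & MASK32
        h1 ^= k1
        h1 = _rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & MASK32
    tail = data[4 * nblocks:]                     # up to 3 trailing bytes
    k1 = 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        k1 = (k1 * C1) & MASK32
        k1 = _rotl32(k1, 15)
        k1 = (k1 * C2) & MASK32
        h1 ^= k1
    h1 ^= len(data)
    h1 ^= h1 >> 16                                # finalisation mix
    h1 = (h1 * 0x85EBCA6B) & MASK32
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & MASK32
    h1 ^= h1 >> 16
    return h1 - (1 << 32) if h1 & 0x80000000 else h1


def favicon_hash(favicon: bytes) -> int:
    """Shodan-style favicon hash: murmur3 over the base64 *text* of the file,
    including the newline after every 76 characters that base64.encodebytes()
    (equivalent to codecs.encode(data, "base64")) inserts. Hashing the raw
    bytes, or newline-free base64, yields a different number that Shodan
    will never match."""
    return murmur3_32(base64.encodebytes(favicon))


def shodan_query(favicon: bytes) -> str:
    """Search filter Shodan understands for this icon (hash may be negative)."""
    return f"http.favicon.hash:{favicon_hash(favicon)}"


def triage(hits: list[dict]) -> dict[int, list[str]]:
    """Group banner records by favicon hash: hash -> sorted 'ip:port' list.
    Assumed, simplified record layout: ip_str, port, http.favicon.hash.
    Records without a favicon are skipped rather than mis-grouped."""
    groups: dict[int, set[str]] = defaultdict(set)
    for rec in hits:
        fav = rec.get("http", {}).get("favicon") or {}
        if "hash" not in fav:
            continue
        groups[fav["hash"]].add(f"{rec['ip_str']}:{rec['port']}")
    return {h: sorted(hosts) for h, hosts in groups.items()}


# Constructed stand-in for an icon file (not a real favicon): 100 bytes is
# enough to make base64.encodebytes() emit more than one line.
SAMPLE_FAVICON = bytes(range(100))

# Constructed banner records in the shape triage() expects (RFC 5737 addresses).
SAMPLE_HITS = [
    {"ip_str": "192.0.2.10", "port": 443,
     "http": {"favicon": {"hash": favicon_hash(SAMPLE_FAVICON)}}},
    {"ip_str": "192.0.2.11", "port": 8443,
     "http": {"favicon": {"hash": favicon_hash(SAMPLE_FAVICON)}}},
    {"ip_str": "192.0.2.12", "port": 80, "http": {"favicon": {"hash": 12345}}},
    {"ip_str": "192.0.2.13", "port": 80, "http": {}},
]

if __name__ == "__main__":
    print(shodan_query(SAMPLE_FAVICON))
    for h, hosts in triage(SAMPLE_HITS).items():
        print(h, hosts)
```

The base64-with-newlines detail is the usual reason a self-computed hash fails to match Shodan's index, so the function hashes exactly what base64.encodebytes() returns; the grouping step is the kind of first pass the diary talks about, turning a long hit list into one row per icon that can then be checked against your own asset inventory.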