Hello and welcome to the Thursday, January 8, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu graduate certificate program in Incident Response.

Today we got another phishing diary from Jan. Jan is writing about a set of emails that I've actually seen coming into our internal handlers alias over the holidays. At first I was a little bit worried about attackers trying some new tricks over the holidays, maybe trying to outrun some of the defenders here, because of course during the holidays many of them may have taken the day off, and people are also less likely to make big updates to their infrastructure over the holidays. Well, the small but significant change here was that the QR codes in these emails were actually encoded as an HTML table. So yeah, it looks like a QR code, it may be a little bit squished, but of course QR codes are designed to be rather resilient to distortions like that, because after all it's the same as pointing your phone at a QR code from a likely somewhat odd angle. That's sort of why they work, even if they aren't really perfect. And a lot of email protection solutions have started looking at QR codes in order to filter out some of these sort of out-of-band attacks, where victims are being tricked into then using their phone to complete the phishing attack, which of course then often isn't caught by enterprise security solutions. So that's the latest trick here. And of course now I hope that some of the defenders, some of the anti-phishing solutions, will add this to their repertoire. And well, let's see what attackers are coming up with next. And if you are into phishing, please include us in your phishing mailing list. So that way we also get copies of whatever
you're trying next.

And over the last couple of days there were actually, I think, a total of four critical vulnerabilities in n8n. I think some people also pronounce it "Nathan". n8n, that particular tool, is geared towards the use of AI agents in order to automate processes. So what this tool does on a high level is it ingests data and then performs actions based on that data. The problem is that a lot of the time this data comes from untrusted sources. And while n8n attempts to set up proper sandboxes and such around these processes, well, there are limits to what it can do. And you have sort of the classic issue where the data being ingested from the sources and the code, meaning the prompts for your AI tools, aren't clearly separated from each other. And that, of course, then leads to vulnerabilities like, for example, uploaded files being used to then execute code in the end. There's been some controversy around these particular vulnerabilities. Not all of them are unauthenticated. This latest one, which has been branded Ni8mare, or "nightmare", has allowed code execution without authentication. But then, of course, it always depends on how exactly you configure the tool, who you allow to actually upload data, and where the data is coming from. So what that risk really means to you very much depends on the particular use case you're employing the tool for. And certainly something that's easy to sort of condense into a simple number like a CVSS score. In particular, of course, if you're running n8n on-premise, then you need to update. If you're using the cloud version, well, they took care of it for you. I mention this mostly because, well, I know it's a very popular product.

UniFi Protect did release an update that
does fix a remote code execution vulnerability. However, an attacker must be located in an adjacent network. It's one of those network discovery protocol vulnerabilities. So these protocols, or these packets, are usually not routed. That's why you need the adjacent network position here in order to exploit it. Update it, and, well, with that you also probably get some new features with this product. And it's also relatively easy to enable auto updates for UniFi Protect.

Well, and then to close out this podcast today, just a little bit of an awareness item. Over the last years that I've run this podcast, one recurring item has been IoT vulnerabilities. And apparently there is currently sort of a trend, and I've seen this a little bit too, that power banks are gaining more and more features. In part, they are also gaining network connectivity. So these used to be fairly bland, usually black blocks that aren't much more than a battery you can charge and discharge, but now they apparently include Wi-Fi access points, screen savers, and all kinds of other fancy features. And that came up in an article at The Verge, as part of the CES coverage, which is going on this week. And certainly something to be aware of. And if you are buying devices like this, probably stick with the simple one and only buy features that you actually need. Part of this is also that the price of these devices has gone up quite a bit as they have added these additional features.
Well, and this is it for today. So, thanks for listening. And we have our first winner for a bug report. Turns out, well, this week I'm working somewhat on the scripts that publish this podcast, trying to sort of get rid of that silence in the beginning and a couple of other little things. But, well, I had to do some testing, and it looks like in some podcast players one of the test audio files sort of got stuck and didn't get overwritten by the real file that I released later. So, sorry for that. And yeah, so the first sticker is gone. And if you have any kind of feedback, any bugs, errors, or other things that you found in the podcast, well, please let me know. And yes, you'll get a sticker in the mail as a reward. Thanks and talk to you again tomorrow. Bye.
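The QR-code-as-HTML-table trick discussed in the phishing segment, as an added detection example that is not part of the podcast or of ISC's own tooling: it scans a message's HTML for large square tables whose cells carry only two background colours, which is a heuristic assumed here rather than one the episode describes, and the sample email is constructed.

```python
"""Flag HTML tables that render as a QR code (added example; the square two-colour-grid heuristic is an assumption)."""
import re
from collections import Counter
from html.parser import HTMLParser

MIN_MODULES = 21  # a version-1 QR symbol is 21x21 modules; smaller grids cannot be QR codes


class _TableGrid(HTMLParser):
    """Record, for each <table>, the background colour of every <td>/<th>, row by row."""

    def __init__(self):
        super().__init__()
        self.tables, self._open = [], []  # finished tables; stack of tables still being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "table":
            self._open.append([])
        elif tag == "tr" and self._open:
            self._open[-1].append([])
        elif tag in ("td", "th") and self._open and self._open[-1]:
            m = re.search(r"background(?:-color)?\s*:\s*([^;]+)", (a.get("style") or "").lower())
            color = (m.group(1) if m else a.get("bgcolor") or "").strip().lower()
            self._open[-1][-1].append(color)  # "" when the cell has no colour at all

    def handle_endtag(self, tag):
        if tag == "table" and self._open:
            self.tables.append(self._open.pop())


def qr_side(grid):
    """Side length of a square grid of >= 21x21 cells that use exactly two colours, else 0."""
    rows = [r for r in grid if r]
    n = len(rows)
    if n < MIN_MODULES or any(len(r) != n for r in rows):
        return 0
    colors = Counter(c for r in rows for c in r)
    return n if len(colors) == 2 and "" not in colors else 0


def qr_tables_in_html(html):
    """Return the side length of every table in the message that looks like a QR code."""
    p = _TableGrid()
    p.feed(html)
    return [n for n in map(qr_side, p.tables) if n]


def sample_email():
    """Constructed sample: a 21x21 two-colour table (a stand-in for a QR code) next to an ordinary table."""
    cell = lambda r, c: '<td style="background:%s;width:4px;height:4px"></td>' % ("#000" if (r * 7 + c * 3) % 5 < 2 else "#fff")
    qr = "".join("<tr>" + "".join(cell(r, c) for c in range(21)) + "</tr>" for r in range(21))
    return ("<html><body><p>Scan to view the document</p><table>%s</table>" % qr
            + "<table><tr><td bgcolor='#eee'>Invoice</td><td>42</td></tr></table></body></html>")
```

A mail filter would run `qr_tables_in_html` over the HTML part and route any hit to the same decoding step it already applies to image-based QR codes.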