
SANS Internet StormCast
Understanding the rapid spread of SSH worms and the nuances of OpenSSH updates is critical for protecting modern infrastructure, especially as macOS adoption grows in enterprises. The misuse of legitimate monitoring software underscores the need for vigilant oversight of remote tools, making the episode timely for security teams aiming to thwart ransomware campaigns.
The latest Stormcast episode highlights a resurgence of IRC as a command‑and‑control (C2) vector. An observed botnet leverages IRC channels, a technique thought dormant, and attempts default Raspberry Pi credentials such as "raspberry" and the more obscure "raspberry993311." This underscores the continued relevance of legacy protocols and weak default passwords in modern attacks, prompting security teams to audit IoT device configurations and enforce strong, unique credentials.
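One concrete way to act on the auditing advice above is to watch sshd authentication logs for password guessing against default accounts. The Python below is an added example, not code from the episode or the guest diary; it assumes `pi` as the Raspberry Pi OS default account (the other names in `DEFAULT_USERS` are illustrative), and the log lines are constructed. Since sshd never records the password that was tried, the "raspberry"-style passwords named above cannot be matched directly, so the check keys on default usernames and on the failure-then-success pattern instead.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the episode or the diary).
SAMPLE_LOG = """\
Jan 14 03:12:01 pi4 sshd[1201]: Failed password for pi from 203.0.113.5 port 51234 ssh2
Jan 14 03:12:02 pi4 sshd[1201]: Failed password for pi from 203.0.113.5 port 51234 ssh2
Jan 14 03:12:03 pi4 sshd[1203]: Accepted password for pi from 203.0.113.5 port 51240 ssh2
Jan 14 03:12:05 pi4 sshd[1205]: Failed password for invalid user admin from 198.51.100.7 port 40011 ssh2
Jan 14 03:12:07 pi4 sshd[1209]: Failed password for root from 198.51.100.7 port 40012 ssh2
Jan 14 03:12:08 pi4 sshd[1209]: Failed password for root from 198.51.100.7 port 40012 ssh2
Jan 14 03:12:09 pi4 sshd[1209]: Failed password for root from 198.51.100.7 port 40012 ssh2
Jan 14 03:12:10 pi4 sshd[1211]: Accepted publickey for ops from 192.0.2.10 port 52000 ssh2: ED25519 SHA256:c0ns7ruct3d
"""

# Accounts that ship as defaults on common single-board-computer images.
# "pi" is the Raspberry Pi OS default; the rest are assumed for illustration.
DEFAULT_USERS = {"pi", "admin", "root", "ubuntu"}

# Matches the outcome line sshd writes for password and public-key logins.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_lines(text):
    """Return one dict per recognised auth line: result, method, user, ip."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_default_credential_abuse(text, fail_threshold=3):
    """Flag (ip, user) pairs that guess default accounts over SSH.

    A password login to a default account is always reported (high); a run
    of failures against one with no success is reported once the count
    reaches fail_threshold (medium). Key-based logins are ignored.
    """
    failures = defaultdict(int)
    findings = []
    for e in parse_auth_lines(text):
        if e["user"] not in DEFAULT_USERS or e["method"] != "password":
            continue
        key = (e["ip"], e["user"])
        if e["result"] == "Failed":
            failures[key] += 1
        else:
            findings.append({
                "ip": e["ip"], "user": e["user"], "severity": "high",
                "reason": "password login to default account after "
                          f"{failures[key]} failed attempts",
            })
    flagged = {(f["ip"], f["user"]) for f in findings}
    for (ip, user), n in failures.items():
        if n >= fail_threshold and (ip, user) not in flagged:
            findings.append({
                "ip": ip, "user": user, "severity": "medium",
                "reason": f"{n} failed password attempts against default account",
            })
    return findings


if __name__ == "__main__":
    for f in find_default_credential_abuse(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} -> {f['user']}: {f['reason']}")
```

On the sample above the check reports the successful password login to `pi` after two failures as high, and the three failures against `root` from the second address as medium, while the single `admin` failure stays below the threshold. In production the same logic runs over `journalctl -u ssh` or `/var/log/auth.log`, and the high finding is the one that should page someone, because a password login to a default account is exactly the foothold the worm described above needs.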
Apple’s recent OpenSSH update for macOS now prints a warning when a remote server lacks quantum‑resistant algorithms. While the connection proceeds, the notice nudges administrators toward post‑quantum cryptography, emphasizing the industry’s shift toward future‑proof encryption. Organizations running older Linux distributions, like Ubuntu 20.04, should prioritize algorithm upgrades or patch OpenSSH to avoid compliance gaps and potential exposure to quantum‑capable adversaries.
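Before an upgrade cycle it helps to know which servers actually offer a post-quantum key exchange. The Python below is an added example, not OpenSSH's code or anything from the episode; it parses a KEX proposal in the form printed by `ssh -Q kex` or by an `ssh -vv` "KEX algorithms:" debug line and reports whether a hybrid post-quantum method is present. The identifiers in `PQ_KEX` (`mlkem768x25519-sha256` and `sntrup761x25519-sha512@openssh.com`) come from my reading of the OpenSSH release notes, not from this page, and the three proposals are constructed samples.

```python
# Hybrid post-quantum KEX identifiers as registered by OpenSSH. Taken from
# the OpenSSH release notes as I remember them, not from this page; confirm
# with `ssh -Q kex` on the version you run.
PQ_KEX = {
    "mlkem768x25519-sha256",
    "sntrup761x25519-sha512@openssh.com",
}

# Constructed proposals (not captured from any real host).
MODERN_SERVER = """\
mlkem768x25519-sha256
sntrup761x25519-sha512@openssh.com
curve25519-sha256
curve25519-sha256@libssh.org
ecdh-sha2-nistp256
diffie-hellman-group14-sha256
"""

LEGACY_SERVER = (
    "debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,"
    "ecdh-sha2-nistp256,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256"
)

PQ_NOT_FIRST = "curve25519-sha256,mlkem768x25519-sha256,diffie-hellman-group14-sha256"


def parse_kex_proposal(text):
    """Accept `ssh -Q kex` output (one name per line) or a comma-separated
    list, optionally prefixed like an `ssh -vv` 'KEX algorithms:' debug line."""
    algs = []
    for chunk in text.replace(",", "\n").splitlines():
        name = chunk.strip()
        if name.startswith("debug"):
            # drop the "debug2: KEX algorithms:" prefix and keep the first name
            name = name.split(":", 2)[-1].strip()
        if name:
            algs.append(name)
    return algs


def assess_kex(text):
    """Summarise a proposal: which PQ hybrids appear, and whether one is listed first."""
    algs = parse_kex_proposal(text)
    pq = [a for a in algs if a in PQ_KEX]
    return {
        "algorithms": algs,
        "post_quantum": pq,
        "pq_available": bool(pq),
        "pq_first": bool(algs) and algs[0] in PQ_KEX,
    }


def recommended_kex_line(text):
    """Build a sshd_config KexAlgorithms directive that lists the PQ hybrids the
    server already supports first, followed by its remaining methods.
    Returns None when no hybrid is offered: only an OpenSSH upgrade helps then."""
    a = assess_kex(text)
    if not a["pq_available"]:
        return None
    classical = [x for x in a["algorithms"] if x not in PQ_KEX]
    return "KexAlgorithms " + ",".join(a["post_quantum"] + classical)


if __name__ == "__main__":
    samples = [("modern", MODERN_SERVER), ("legacy", LEGACY_SERVER), ("pq-not-first", PQ_NOT_FIRST)]
    for label, proposal in samples:
        a = assess_kex(proposal)
        print(f"{label}: pq_available={a['pq_available']} pq_first={a['pq_first']}")
        print("   ", recommended_kex_line(proposal) or "no post-quantum KEX offered; upgrade OpenSSH")
```

Two caveats on reading the result. The negotiated method is the first entry in the client's list that the server also offers, so the server's ordering does not decide the outcome; `pq_available` is the check that matters, and the generated directive mainly records intent and gives you a single line to trim once you decide which classical groups to retire. And a server whose OpenSSH predates these identifiers, the Ubuntu 20.04 case mentioned above, returns `None` here: no configuration change will make it offer a hybrid, so the fix is the package upgrade the episode recommends.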
The episode also warns of abuse of remote monitoring tools. NetMonitor, a productivity‑tracking solution, was co‑opted to execute arbitrary code, illustrating how legitimate management platforms become “living‑off‑the‑land” assets for attackers. A newly disclosed PAN‑OS vulnerability, in which repeated DNS‑protection triggers force a firewall into maintenance mode, adds to the picture. Together these findings stress the need for strict access controls, continuous monitoring of privileged tools, and rapid patch deployment; proactive segmentation, multi‑factor authentication, and regular vulnerability scanning remain essential defenses against such supply‑chain and infrastructure attacks.
Four Seconds to Botnet - Analyzing a Self-Propagating SSH Worm with Cryptographically Signed C2 [Guest Diary]
https://isc.sans.edu/diary/Four%20Seconds%20to%20Botnet%20-%20Analyzing%20a%20Self%20Propagating%20SSH%20Worm%20with%20Cryptographically%20Signed%20C2%20%5BGuest%20Diary%5D/32708
https://www.openssh.org/releasenotes.html
https://www.huntress.com/blog/employee-monitoring-simplehelp-abused-in-ransomware-operations