
SANS Internet StormCast
The episode opens with a quick status check on two persistent threats. React2Shell, a shell‑dropping payload that rides botnet traffic, is still surfacing in recent intrusion reports, reminding operators that any unpatched endpoint can become a launchpad. The discussion then shifts to MongoBleed, the critical MongoDB remote‑code‑execution flaw. Listeners are urged to apply the latest MongoDB patches and, more importantly, to remove direct internet exposure of database ports. These steps dramatically reduce the attack surface and prevent the kind of mass exploitation that dominated headlines last year.
Next, the hosts dissect a classic cryptocurrency advance‑fee scam that masquerades as a mining payout of over one bitcoin. The lure exploits greed and a lack of verification, prompting victims to wire withdrawal fees that disappear instantly. Switching gears, the team demonstrates how TShark can generate granular DNS statistics, comparing four public resolvers that showed virtually identical latency. An unexpected finding was the NTP server’s reverse‑lookup queries, which consistently lagged and inflated overall DNS response times. Disabling those lookups yielded measurable performance gains, highlighting TShark’s value for both security and operations teams.
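The DNS measurement the hosts describe, as an added example that is not code from the podcast or the linked diary: it reads per-response timing fields exported by tshark, reports latency per resolver, and shows how excluding reverse (PTR) lookups changes the picture. The resolver addresses, query names and timings in the sample are constructed; the tshark command in the docstring is the assumed way to produce such input.

```python
"""Summarise DNS response times from tshark field output.

Added example, not from the SANS diary or the StormCast episode. It assumes
the input was produced with a command like:

  tshark -r capture.pcap -Y "dns.flags.response == 1" \
      -T fields -e ip.src -e dns.qry.name -e dns.qry.type -e dns.time

which emits one tab-separated line per DNS response: responding resolver,
query name, query type (12 = PTR) and dns.time (seconds between query and
matching response). The sample lines below are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, median

PTR_TYPE = 12  # dns.qry.type value for reverse (PTR) lookups

# Constructed sample: four resolvers answering ordinary A lookups in
# roughly the same time, plus two reverse lookups that take seconds.
SAMPLE_TSHARK_OUTPUT = """\
1.1.1.1\tisc.sans.edu\t1\t0.012
1.1.1.1\twww.example.com\t1\t0.011
8.8.8.8\tisc.sans.edu\t1\t0.013
8.8.8.8\twww.example.com\t1\t0.012
9.9.9.9\tisc.sans.edu\t1\t0.014
9.9.9.9\twww.example.com\t1\t0.013
208.67.222.222\tisc.sans.edu\t1\t0.012
208.67.222.222\twww.example.com\t1\t0.013
1.1.1.1\t5.4.3.2.in-addr.arpa\t12\t2.500
8.8.8.8\t9.8.7.6.in-addr.arpa\t12\t3.100
"""


def parse_tshark_fields(text):
    """Parse tab-separated tshark field output into records.

    Lines with a missing or non-numeric dns.time (e.g. a response whose
    query was not captured) are skipped rather than aborting the run.
    """
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        resolver, qname, qtype, secs = parts
        try:
            records.append({
                "resolver": resolver,
                "qname": qname,
                "qtype": int(qtype),
                "ms": float(secs) * 1000.0,  # store in milliseconds
            })
        except ValueError:
            continue
    return records


def latency_by_resolver(records, include_ptr=True):
    """Return {resolver: {"n", "mean_ms", "median_ms", "max_ms"}}.

    With include_ptr=False, reverse lookups are left out so the ordinary
    resolver performance is not inflated by slow PTR answers.
    """
    buckets = defaultdict(list)
    for r in records:
        if not include_ptr and r["qtype"] == PTR_TYPE:
            continue
        buckets[r["resolver"]].append(r["ms"])
    return {
        res: {
            "n": len(v),
            "mean_ms": round(mean(v), 1),
            "median_ms": round(median(v), 1),
            "max_ms": round(max(v), 1),
        }
        for res, v in buckets.items()
    }


def slowest_queries(records, top=3):
    """Slowest individual queries as (name, type, ms), to spot outliers."""
    ranked = sorted(records, key=lambda r: r["ms"], reverse=True)
    return [(r["qname"], r["qtype"], round(r["ms"], 1)) for r in ranked[:top]]


if __name__ == "__main__":
    recs = parse_tshark_fields(SAMPLE_TSHARK_OUTPUT)
    for label, include in (("All queries", True), ("Without PTR lookups", False)):
        print(f"{label}:")
        for res, s in sorted(latency_by_resolver(recs, include).items()):
            print(f"  {res:16} n={s['n']} mean={s['mean_ms']}ms "
                  f"median={s['median_ms']}ms max={s['max_ms']}ms")
    print("Slowest queries:", slowest_queries(recs))
```

Comparing the mean with the median per resolver is what exposes the effect the hosts saw: a handful of multi-second PTR answers drag the mean up while the median stays flat, and the slowest-query list names the reverse lookups responsible.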
Finally, the show revisits an older Fortinet firewall flaw, CVE‑2020‑12812, which remains unpatched on roughly ten percent of surveyed devices. The persistence of a five‑year‑old vulnerability underscores the chronic problem of delayed firmware updates in network appliances. The hosts recommend a monthly firmware‑check calendar and physical end‑of‑life stickers on equipment to enforce timely replacements. By demanding clear vendor support timelines before purchase, organizations can avoid lingering exposure and maintain a healthier security posture across small‑business and home networks.
Cryptocurrency Scam Emails and Web Pages As We Enter 2026
https://isc.sans.edu/diary/Cryptocurrency%20Scam%20Emails%20and%20Web%20Pages%20As%20We%20Enter%202026/32594
https://isc.sans.edu/diary/Debugging+DNS+response+times+with+tshark/32592/
https://www.bleepingcomputer.com/news/security/over-10-000-fortinet-firewalls-exposed-to-ongoing-2fa-bypass-attacks/