SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Thursday, April 23rd, 2026: Stealing Telegram Sessions; Oracle CPU; Firefox Patches

8 min
Apr 23, 2026
Summary

This episode covers three critical security threats: attackers stealing Telegram session data from compromised systems, the compromise of Checkmarx's Docker images and VS Code extensions, and Oracle's quarterly patch release addressing 481 vulnerabilities. Mozilla also released Firefox 150 with 271 vulnerability fixes using AI-assisted scanning.

Insights
  • Telegram session data (tdata files) are as valuable as usernames and passwords, bypassing two-factor authentication entirely—organizations should monitor for unauthorized access to these files
  • Supply chain attacks on security tools themselves (Docker images, VS Code extensions) create cascading risks that can compromise downstream users and their customers
  • AI-assisted vulnerability scanning (Mozilla's use of Anthropic's model) is dramatically increasing vulnerability discovery rates, suggesting the industry may be entering a new era of proactive security
  • Weak Linux passwords remain a persistent attack vector, with attackers using honeypots to test for crypto miners and then pivoting to steal valuable session credentials
  • Organizations using Checkmarx or Oracle products need immediate verification of downloaded artifacts, as the full scope and timeline of compromises remain unclear
Trends
  • Session hijacking and credential theft targeting messaging platforms as high-value attack objectives
  • Compromises of security and development tools creating supply chain vulnerabilities
  • AI-powered vulnerability discovery accelerating the pace of security patch releases
  • Attackers targeting weak authentication on Linux systems as entry points for lateral movement
  • Increased monitoring requirements for endpoint protection to detect suspicious session activity
  • Growing criminal preference for Telegram due to automation capabilities and global infrastructure
  • Oracle's consistently high vulnerability counts across diverse product portfolio
  • Browser update frequency and patching becoming critical security hygiene practices
Companies
Telegram
Attackers targeting Telegram session data (tdata files) to hijack accounts and bypass 2FA; platform valued by crimina...
Checkmarx
Docker images and Visual Studio Code extensions compromised; malicious images rolled back from Docker Hub after disco...
Docker
Docker Hub hosted compromised Checkmarx images; platform used for distributing official container images
Oracle
Released quarterly patch update addressing 481 vulnerabilities across dozens of applications; includes MySQL critical...
MySQL
Part of Oracle portfolio; affected by critical vulnerabilities in Oracle's quarterly patch update
Mozilla
Released Firefox 150 addressing 271 vulnerabilities using Anthropic's Mythos AI model for vulnerability scanning
Anthropic
Mythos model used by Mozilla to scan Firefox for vulnerabilities, resulting in 271 fixes in single release
Socket
Research team that discovered and published analysis of Checkmarx compromise on Docker Hub and VS Code extensions
Microsoft
Visual Studio Code extensions published by Checkmarx were compromised alongside Docker images
People
Johannes Ullrich
Host of Stormcast episode, recording from Amsterdam, Netherlands
Al Carty
Author of diary entry about honeypot compromise and Telegram session data theft discovery
Quotes
"The content of the tdata file are essentially session IDs that are being used to authenticate the client to Telegram's system. This session data could then easily be copied to another system and used to authenticate as the user, so it's essentially as valuable as the username and password."
Johannes Ullrich, early in episode
"Telegram remains to be a highly valued platform by criminals in part because of its easy automation and of course of its worldwide infrastructure that is relatively easy to use"
Johannes Ullrich, mid-episode
"The title of the blog where they're introducing and talking about this is called 'The Zero Days Are Numbered', just because they feel that this gives them a significant head start over attackers looking for vulnerabilities."
Johannes Ullrich, Firefox discussion
"This is likely going to then lead to additional compromises down the road."
Johannes Ullrich, Checkmarx compromise discussion
"Restart them once a day in order to make sure that the latest updates are applied at least once a week. Double check whether or not you are actually running the latest version of your favorite browser"
Johannes Ullrich, closing recommendations
Full Transcript
Hello and welcome to the Thursday, April 23rd, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Amsterdam, Netherlands. And this episode is brought to you by the SANS.edu graduate certificate program in penetration testing and ethical hacking. Today we got another diary by one of our undergraduate SANS.edu interns. Al Carty writes about how their honeypot got compromised. Initially it looked like, well, your run-of-the-mill compromise. It did sort of check for crypto miners, tried to kill them, which is very typical for sort of these mining scripts that take over Linux systems with weak passwords. But then things kind of changed: the script then went and looked for the tdata file in the desktop Telegram folder. This is a typical location on a Linux system where Telegram, the messenger, keeps their session data. So the content of the tdata file are essentially session IDs that are being used to authenticate the client to Telegram's system. This session data could then easily be copied to another system and used to authenticate as the user, so it's essentially as valuable as the username and password for a particular account. Even worse, if the user had set up two-factor authentication, it doesn't actually matter if the attacker gets a hold of this session data. Telegram remains to be a highly valued platform by criminals, in part because of its easy automation and of course of its worldwide infrastructure that is relatively easy to use and widely used, which of course makes it more difficult for organizations to block access to Telegram. Still, something that you probably should monitor, and definitely look for access to the tdata file if you have some endpoint protection that can monitor this. For Telegram users, also, it's important to keep an eye out for any odd sessions that you see established to Telegram. Telegram in its security settings allows you to monitor which sessions are currently authenticated. So you could look for some devices that you don't recognize. And then, of course, log out of systems if you no longer use Telegram on a particular system in order to invalidate the session data should it get stolen later.

And then we got some breaking news from the Socket research team about yet another security scanner being compromised. This time it's Checkmarx's turn. The Checkmarx KICS scanner was compromised, at least the Docker images that were offered as official Checkmarx Docker images in Docker Hub. In addition to that, apparently also some Visual Studio Code extensions published by Checkmarx were compromised as well. At this point, it's still kind of under development here really what exactly happened. The first draft or the first version of the Socket blog post was just published about two hours ago as I'm recording this. And they state that they will make updates to this blog post as more details become apparent. But it looks like we are having here sort of the typical credential stealer that we have seen in prior attacks like this. So definitely something to be very careful about. If you are using Checkmarx KICS and you did download images from Docker Hub today, you definitely want to double check and make sure that you didn't download any of the compromised images. Same is also true, of course, for any Visual Studio Code extensions. So this particular attack, there is no statement from Checkmarx that I have seen yet. But again, we're fairly early on here. They're probably, hopefully, I would say, still working to figuring out exactly what happened before they make any statements here. At this point, also, the malicious Docker images were rolled back. So currently, they're not available anymore on Docker Hub. But then again, not really clear yet how long these images were available. So double check if you're using any of Checkmarx's code. And like we had with the previous scanner event and such, this is likely going to then lead to additional compromises down the road.

And Oracle today published its quarterly patch update. This particular update fixes 481 different vulnerabilities, which isn't that unusually high of a number for Oracle. Remember, this again is across these dozens and dozens of applications that Oracle distributes. Nothing has sort of stood out in this particular update. There are a number of vulnerabilities that do allow unauthenticated remote exploitation, not necessarily code execution, but many of these vulnerabilities are labeled with CVSS scores in the 9.x range. Didn't see a perfect 10 when I skimmed the list. But as usual with Oracle, for all the details you must log in to an Oracle customer account anyway to really figure out what these vulnerabilities are all about, and then of course figure out which of these applications actually apply to you. One of the critical vulnerabilities also affects MySQL, which of course is part of Oracle's portfolio, but, well, you may be running it without actually being sort of an official Oracle customer.

And talking about patching a lot of vulnerabilities, Mozilla released Firefox 150, and this version addresses 271 vulnerabilities. Typically, well, a new release like Firefox usually fixes around a dozen or less vulnerabilities. This increase in vulnerabilities being addressed in this particular release is linked to Mozilla using the Anthropic Mythos model in order to scan Firefox for vulnerabilities. They're seeing this as a big win, and I think they have a good point here. The title of the blog where they're introducing and talking about this is called "The Zero Days Are Numbered", just because they feel that this gives them a significant head start over attackers looking for vulnerabilities as well. We'll see where this all ends up. I guess in a couple months we'll see how many more vulnerabilities will be found after these 271 vulnerabilities have been fixed. Hopefully, well, we'll see a significant decline in number of vulnerabilities being found and exploited. As usual, keep your browsers up to date. Restart them once a day in order to make sure that the latest updates are applied at least once a week. Double check whether or not you are actually running the latest version of your favorite browser.

Well, and this is it for today. So thanks for listening. Thanks for subscribing. And as always, if you have any feedback, if you think I should have covered a story that I missed or should have spent less time on a particular story, please let me know. Thanks and talk to you again tomorrow. Bye.
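The episode's recommendation to watch for access to the tdata directory, and the Insights item on monitoring those files, can be turned into a small detection. The script below is an added example written for this page, not code from the podcast, SANS or Telegram. It assumes the Telegram Desktop default location on Linux (`~/.local/share/TelegramDesktop/tdata`), a simplified one-record-per-line audit format that is constructed here for illustration (real auditd output splits SYSCALL and PATH records, so the parser would need adapting to your collector), and an assumed allowlist of executables that are expected to read the session files. Any other process opening a file under tdata is reported, which is the behaviour the honeypot script in the diary would trigger.

```python
"""Flag reads of Telegram Desktop session data (tdata) by unexpected processes.

Added example, not from the podcast. It scans simplified, constructed
auditd-style records; real auditd output splits SYSCALL and PATH records,
so adapt parse_record() to your collector's format. The tdata path is the
Telegram Desktop default on Linux (assumed here for illustration).
"""
import re
from typing import Dict, List

# Directory holding the session keys; any process reading it that is not the
# Telegram client itself is suspicious (assumed default location on Linux).
TDATA_MARKER = "/TelegramDesktop/tdata"

# Executables expected to touch tdata (assumed allowlist); all others are flagged.
EXPECTED_EXE = {"/usr/bin/telegram-desktop", "/usr/bin/Telegram"}

# Constructed sample log: one event per line, key="value" pairs like auditd.
SAMPLE_LOG = """\
type=SYSCALL ts=1776900001 uid=1000 comm="telegram-deskt" exe="/usr/bin/telegram-desktop" syscall=openat name="/home/alice/.local/share/TelegramDesktop/tdata/key_datas"
type=SYSCALL ts=1776900002 uid=1000 comm="tar" exe="/usr/bin/tar" syscall=openat name="/home/alice/.local/share/TelegramDesktop/tdata/key_datas"
type=SYSCALL ts=1776900003 uid=1000 comm="curl" exe="/usr/bin/curl" syscall=openat name="/home/alice/.local/share/TelegramDesktop/tdata/settings0"
type=SYSCALL ts=1776900004 uid=1000 comm="bash" exe="/usr/bin/bash" syscall=openat name="/home/alice/notes.txt"
type=SYSCALL ts=1776900005 uid=0 comm="cp" exe="/usr/bin/cp" syscall=openat name="/root/.local/share/TelegramDesktop/tdata/settings0"
"""

# key=value or key="quoted value" (quotes may contain escaped characters)
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def find_tdata_access(log_text: str) -> List[Dict[str, str]]:
    """Return records where a non-allowlisted executable opened a tdata path."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        path = rec.get("name", "")
        if TDATA_MARKER not in path:
            continue  # not a session-data file
        if rec.get("exe") in EXPECTED_EXE:
            continue  # the Telegram client itself is expected to read tdata
        findings.append({
            "ts": rec.get("ts", "?"),
            "uid": rec.get("uid", "?"),
            "exe": rec.get("exe", "?"),
            "path": path,
        })
    return findings


if __name__ == "__main__":
    for f in find_tdata_access(SAMPLE_LOG):
        print(f"ALERT ts={f['ts']} uid={f['uid']} exe={f['exe']} path={f['path']}")
```

On the constructed sample the tar, curl and cp events are reported and the Telegram client's own read is not. In production the same rule maps directly onto an auditd watch on the tdata directory (or an equivalent EDR file-access rule), and the allowlist should be tightened to the exact client binary your users run.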