Hello, welcome to the Friday, April 29, 2020 edition of the Sands and it's Storms

on a stormcast. My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

I had some time today, so I summarized some of the traffic that we have been seeing for our

SMB and RPC Windows Honeypot.

What we did here was that some of the honeypots that we have deployed around the internet,

we basically just redirected Port 445 traffic to this system.

This gives us only one system that we really have to maintain here,

and that's actually fully vulnerable to the RPC vulnerability that Microsoft patched a couple

weeks ago. And it does give us a pretty good cross-section. so we get basic data from a lot of IP addresses

by only having to maintain one individual vulnerable system. Well, first, what do we not see,

and that's an exploit for CVE 2022-26809, that's the RPC vulnerability that Microsoft patched in April.

Instead, we did see an awful lot of brute forcing, of course, and then also quite a bit of

eternal plume.

That vulnerability, going back to 2017 now is still quite popular and apparently there are still some vulnerable systems out there.

I would be surprised if they aren't already compromised, but well, maybe the attackers here

are hoping for new systems to come online or to be able to recompemise some already compromised

systems. When you're running a database on premise, then privilege escalation is a problem,

but usually not sort of at the top of the things that you worry about. However, things change if this database is running in the cloud,

and that's what happened to Azure.

Microsoft is offering an Azure database for Postgres flexible server,

and the WIS security team, I think I should call them,

the Azure security team,

...