Hello, welcome to the Friday, August 31st, 2018 edition of the Sandinert Storm Center's Stormcast.

My name is Johannes Ulrich, and I am recording from Sevalde, Germany.

Xavier today wrote up a diary summarizing some of his recent experiences threat hunting and he produced some nice

statistics really confirming what we have been seen for the last year or so and others have been

writing about as well crypto coin mining is probably the number one payload that you will see deployed via exploits.

What's important to keep in mind here is that these payloads are really sort of what's

used in more generic exploits, more widespread exploits.

These are not targeted attacks.

We do however see them being used very quickly after a new exploit is released.

Just to make the point here, the recent struts vulnerability was exploited very quickly within a couple of days to deploy crypto coin miners.

Whenever you see a crypto coin miner installed

on a system via an exploit like this, well, the exploit was really easy, so there is a good chance

that a more targeted attack fared out the same vulnerability and did something more sinister to your system.

So whenever you see that crypto coin miner, double check, take a quick look at the system.

This may not be the only thing that happened to the system.

But because crypto coin miners are rather easy to find, use them as a canary to really identify systems that have some blatant vulnerabilities left unpatched.

And as far as the current struts to warnably goes, that's CVE 2018 11776, which was patched on August 23rd so about a week ago

Welllexity for example is reporting about seeing active exploitation of this

vulnerability to deploy crypto coin miners as usual these crypto coin miners will also

try to delete competing miners.

Now, they can't patch struts too for you, so they really rely on trying to infect your system often enough

and kicking off competing miners.

...