Hello and welcome to the Friday, July 7, 2023 edition of the Sands and its Stormsenders Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Jesse today wrote an interesting diary comparing the logs from different IDSs.

These IDSs were placed in front of Jesse's D-Shield Honeypot

and interesting to see what attacks are being seen, are not being seen, and most of all,

how they're being categorized. Some of the IDS, and he compared here mostly Palo Alto and Suricata gave you more detail as to what the potential attack could be versus others.

Jesse also used full PCAP logs in order to make an ultimate than manual decision for some of these attacks to see essentially which

IDS is better for more details.

Well, see Jesse's diary.

Sort of interesting at the top two attack groups, actually, for Suricata are, well, our

D-Shield block list which probably is

researchers they often show up in our block list then of course things like as H scans a little bit

surprised terminal server scans show up at number four or number two if you remove the two D-Shield block listed issues that are being listed here.

And Sisa is warning that the latest version of the TrueBot malware is taking advantage of a vulnerability in NetRicks auditor.

This vulnerability is not new. It has been patched for about a year now. June 6th, 2022 is when the patch was released.

Bishop Fox has a good write-up on the particular vulnerability. It's a deserilization issue. So exploitation is a relatively straightforward. It does listen on TCP port 9,004.

So do a quick scan of your network,

see if anything is listening on port 9,004.

Not sure how popular this particular application is, but apparently popular enough for

throughput to sort of deviate from its normal pattern. It's usually just going for phishing emails.

Well, and now they're actually actively scanning for a network's auditor.

And then we've got an interesting Linux privilege escalation vulnerability.

...