Hello, welcome to the Friday, March 9th, 2018 edition of the Sansonet Stormers Stormcast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

Remember a few weeks ago we had a crypto coin miner that installed itself on a number of

PeopleSoft servers and the like using an Oracle WebLogic vulnerability.

Well, it looks like this particular group is back, but this time they turn their attention

to Apache Solar.

Apache Solar is, well, what is a database that is often used for full-text searches?

You find it used, for example, for website search and the like.

And as such, a lot of sites may be using Apache Solar without explicitly being aware of it.

And just avoid confusion whenever I mention Apache, this is not the Apache Web Server.

The Apache project has many other software projects that they're covering under their umbrella,

and solar is not something that typically comes with the Apache web server.

The root cause here is actually an XML external entity vulnerability.

These vulnerabilities are quite common when you're parsing XML and you're not being careful

in how you're validating your XML or how you're configuring your parser.

In this particular case, this vulnerability can lead to arbitrary code execution, and that's

exactly what's being exploited here. The vulnerability became known back in October last year. Only a couple days after

the vulnerability was announced and patched, an exploit was released. And just likes of the

Weblogic vulnerability, the exploit is actually relatively simple, reliable and easy to use in various scripts,

which of course helps our attackers here installing the exact same Monero Miner that we have seen

with WebLogic.

Just like with the WebLogic vulnerability, Renato took the lead on this and he actually

...