Hello, welcome to the Friday, May 1st, 2020 edition of the Sandtonet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Well, we actually got two interesting diaries today to talk about one by Xavier about how to harvest your IMAP inbox for indicators of compromise.

Use case here is, for example, if you are subscribing to a number of security mailing list,

you may have lots of emails that, for example, have lists of IP addresses or domain names.

Similar, if you direct all of your spam to an inbox

like this, then any URLs, for example, that are mentioned in spam could be used as indicators

of compromise or, for example, in block lists. All it takes is a Docker image that Xavier came up with and he published

the Docker file as part of his diary that will help you set up a Docker image that will

grab the email via IMAP, parse it, extract any in the case of compromise, but also include things like the from and the

subject, and create a JSON file that then can readily, for example, be imported into Elastic

Search. Pretty neat, a little setup, so probably some of you may find this helpful.

And Jim noticed that about a week ago we had a sudden jump-in reports for attacks against Port 9,673.

Of course, this is not necessarily a port that sort of rings a bell.

Well, some searches did lead Jim to a psych cell Saturday of vulnerability that was published

last month, and it looks like the bad guys are fully starting to exploit it now.

The vulnerability is a pretty straightforward command injection vulnerability via the accept language header, so you'll

find a simple shell script there that will then typically download additional malware

and execute it.

Radware did identify this as the hoax calls denial of service botnet, probably also others that are being distributed via this

method.

The botnet doing the scanning doesn't really look that super large.

...