Hello, welcome to the Friday, May 4th, 2018 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich and I am recording from Jacksonville, Florida.

Renato took another look at his Weblogic Honeypot. No surprise, he's finding plenty of exploits taking advantage of the most recent WebLogic vulnerability.

Remember, this is the one that's not perfectly patched yet.

We have also seen over the last couple weeks pronounced Spike in Scans for Port 7,001,

which is the port typically used by WebLogic. As far as payloads go,

Renato found yet another crypto miner, but in addition, it also installed a scanning component

that will look for additional vulnerable systems. We have not seen that much of it in the past.

Usually they just installed a miner, don't install

the scanner, probably getting a little bit more aggressive in trying to find hosts that got

missed by all the other scans for this Weblogic vulnerability. On average, only takes a couple

hours these days for a vulnerable host running web logic

to be exploited.

Another sort of shift that we have seen and that's also here something that Renato observed

using his honeypot was that more and more of these attacks are not targeting Windows hosts,

probably because all the Unix hosts have already been

exploited. WebLogic can run on Windows or Unix either is vulnerable, so instead of a

Bash script you'll see a PowerShell script used if the attack is targeting Windows.

And the Sand Security Awareness Project did publish its monthly Oach newsletter on Thursday.

This time it's all about GDPR.

GDPR will go into effect later this month.

If you haven't heard about it yet, it's probably too late to learn about

...