Hello and welcome to the Friday, October 25th, 2024 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Today I wrote about scans that we are seeing against development tools that are often left enabled on production websites. These are typically

plugins or additional features that you may enable to help developers debug code on the website.

As part of this feature set, they often leak critical information about the website, like

the configuration, credentials,

and in some cases do provide the ability to execute arbitrary code.

I'm just going in this post over some of the scans that we're seeing for these tools.

There are, of course, many more out there that I probably missed when I sort of was

scanning through the logs there. If there are any that I should have mentioned, let me know,

and I'll take a look how actively they are being exploited. But this is certainly something

that you want to proactively scan for. And while we don't have any 40 net vulnerabilities today to talk about, instead, we have

one from Cisco, less severe than what we have sort of seen lately, but it's already being

exploited.

It's a denial of service vulnerability in the ASA and Firepower VPN Appline.

So only if you have the remote access VPN service enabled, you are vulnerable, and it's a

pretty straightforward denial of service vulnerability that's being triggered by brute force

login attempts.

One thing to point out from the Cisco advisory regarding these attacks is that they observed

predominantly originating from Tor exit nodes and other anonymizing tunnels and proxies.

So there may be a block list approach here that can help you a little bit mitigate these attacks.

Another Cisco Warnaby that was addressed that has a pretty high CFSS score of 9.9,

...