Hello, welcome to the Friday, October 30th, 2020 edition of the Sandstone Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

So yesterday I mentioned that we did see first exploit attempts against our weblogic honeypots using CVE 202014882.

This is a vulnerability that was patched about a month ago as part of Oracle's quarterly

critical patch update.

The only activity that we have observed so far is just testing the vulnerability,

but it is actually trying to exploit it, for example, triggering DNS lookup and not installing

any code or running any malicious commands other than whatever is required to trigger

the DNS lookup. What is however interesting also is that around noon today, the exploit

activity has ceased, at least against our honeypots. We identified about three or four different entity, it seemed like,

based on the exploits being used. Now, they all used the same basic exploits, but everybody said

they had their own little trick how they probed for vulnerable systems. So we can only assume

that by now they're done scanning the internet and

well, maybe they'll come back and launch actual exploits against systems that they found to be

vulnerable. What's a little bit odd is that the exploit activity really has sort of completely

stopped over the last few hours. Typically with something

that's so easy to exploit, we tend to have plenty of script kitties that go after these systems.

Maybe it'll take them a couple more days to get this exploit integrated into whatever kit

they're using. But well, the advice remains patch.

Patch as fast as you can if you are running WebLogic.

We tested these exploits against our own WebLogic setups,

...