Hello, welcome to the Friday, October 8, 2021 edition of the Sansonet Storm Center's StormCast. My name is Johannes Ulrich, and that I'm recording from Jacksonville, Florida.

Today, I took a quick look at a botnet that has been harassing our honeypots. It's going after a stalker portal. Now, stalker portal, pretty

sort of ominous name, but what it really is, it's software made by a company called Ministra

that's typically running on top of IP TV boxes.

About two years ago, there were a number of vulnerabilities that had been discovered

in this particular software.

Looks like they're not so much going after the warnability.

They're downloading a file that indicates the version, but then they're also going after some

of the streaming APIs, which makes me believe that they're probably looking for free TV

access.

While this may be a bit less benign than, for example, running arbitrary code in the systems

or actually turning these devices into

some kind of actual stalking or spy device, it could still, of course, impact the service

for the legitimate user of these devices. A standard NAT firewall should block these requests. Sort of interesting that

they're looking at the wide range of ports here. So maybe they're looking if users may have

exposed those devices on an off port in order to, for example, watch TV via some kind of streaming application or so while they're away from home.

And by all means, if you know more about this particular attack, this type of scan, please let me know.

I don't have one of these devices here to play with and actually experiment how they exactly work. And if you saw my write-up about the Apache vulnerability, you probably saw that they did in

version 2449 significantly modify the validation of URLs.

They essentially ripped out a good part of that code and replaced it.

Well, we had the directory traversal vulnerability in 2449 that was then fixed in 2450. Sadly,

this fix was not sufficient and now we do have 24.451. Apache gave this new vulnerability, a new CVE

...