Hello and welcome to the Monday, December 16, 2024 edition of the Sans and a Storm Center's Stormcast.

My name is Johannes Ulrich and I'm recording from Washington, D.C.

Let's start with a quick update on the Struts 2 vulnerability that I mentioned on Friday. This vulnerability now appears to be

exploited. The exploit itself may be a little bit more inspired by it because they're like

these two very similar vulnerabilities. So not 100% clear what's being exploited and if the exploit

as executed here would work on a

vulnerable system I don't have a vulnerable system to test with so far we are

seeing one IP address scanning for the vulnerability it first attempts to

upload a file called exploit.jSP to the system. This file includes a quick one-liner

that just prints back confirmation. The attacker will then try to access that file to check

whether or not the system is confirmed as vulnerable. So this is now definitely a must-patch vulnerability.

The problem, again, is if you're actually using the upload feature,

so if your system is vulnerable,

you must rewrite the upload feature

because the fix is not backwards compatible.

And Citrix published a document in response to a recent increase in password spraying. It hacks against Citrix NetScaler installs.

Password spraying, of course, big issue for lots of appliances.

Cisco had issues with that earlier this year.

One interesting issue here that's noted by the advisory is that it's not just about attackers

eventually getting access to the devices, but that these passport spraying attacks are

aggressive enough, where they will also cause a denial of service and also overload the lock processing pipeline.

In response, Citrix of course recommends multi-factor authentication should pretty much be the default now for appliances like this and then recommends,

...