Hello, welcome to the Monday, January 30th, 2017 edition of the Sandtonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

It looks like there is yet another attack vector for internet-connected DVRs and cameras.

Last week we observed an increase in scans for port 5358. This port appears to be associated with

the web service on devices API, something used by some of the same devices that we have seen

being attacked by Mirai and similar bots in the past.

If anybody has some packets with payloads, then please send them in.

I tried a little Netcat listener, didn't really get anything with that,

so it may expect a certain response, still trying to simulate that a little bit

better. And if you are running open as H, an older vulnerability originally fixed in 2015 has sort of

come back with a new exploit. CVE 2015-65-65 was originally reported as a denial of service

and a possible privilege escalation vulnerability. The possible privilege escalation

vulnerability is now confirmed with the release of a rather straightforward exploit.

This is yet another case where a file, in this case, the TTI terminal,

is writable by other users and then code is executed by root.

The vulnerability only effects OpenSH 6.8 and 6.9 and as I said, has been

patched a while ago. Let me have a couple cases where ransomware is sort of cutting over

into the Internet of Things realm. Now, the first one isn't classic Internet of Things. It did

affect traffic cameras and apparently mid-January.

Just a week before the inauguration, Washington DC had to shut down a large percentage of

its traffic cameras because PCs that you were used to control these cameras were infected

by ransomware. So in this case it was

...