Hello, welcome to the Monday, January 8, 2018 edition of the Sands and its Storm Center's Stormcast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

Last week, Renato came across a pretty concerning incident that actually later turned out to be more than really what he initially saw.

What Renato originally saw was an affected Oracle WebLogic system that had a crypto miner running.

Okay, so at first nothing really all that big and scary, just yet another crypto miner.

But what it turned out later was that this is actually a very

recently publicized vulnerability in Oracle WebLogic and we found a few hundred additional

systems that were affected by this same event.

Now we came across a log actually that listed around 900 infected systems,

many of them running PeopleSoft. And the concern, of course, here is that companies typically

keep an awful lot of personal identifiable information in PeopleSoft. In this particular case, you may have been lucky because the goal,

as I said, of this particular attack was installing this crypto coin miner. We went ahead and we

tried to notify the victims here. Not sure how well this worked at this point yet, but we got feedback from a couple of the victims that, yes, they were looking into this.

If you are running WebLogic, if you are running PeopleSoft, please take a look at the diary and make sure you're not affected.

If you are affected by this crypto coin miner, well, maybe you're lucky and that's

the only thing that happened, but this is a very easy, exploitable vulnerability. So you definitely

do want to take a second look at the system and make sure it didn't get exploited by anything

else in addition to this crypto coin miner.

We're not going to make the full list of infected IP addresses public at this point, but

if you have any questions about this, let us know.

To identify systems, Val Renato is giving you some indicators of compromise here.

Also, we do have this new threat feed that

...