Hello, welcome to the Monday, July 29th, 2019 edition of the Sandstone Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Boston, Massachusetts.

On Friday, Kevin observed a significant uptick in scans for port 34567.

That's 34,567.

This port appears to be associated with network cameras,

and I look at a couple of the IPs that are scanning for this port.

It looks like they're also scanning

port 9527, 9,527, which is another IP webcam associated port. The second one actually has a

specific vulnerability associated with it, C 2017 11633 that vulnerability it's an

information leakage vulnerability and apparently it can be used to retrieve usernames and passwords

so in general this looks like sort of yet another variant of some botnet I'm going to call it Mirai because we don't have any code yet, but there are so many of these

Mirai notar variants going around looking for vulnerable cameras.

In this case, they appear to be looking for what I call secondary vulnerabilities, not the big ones like usernames and passwords and such, but maybe vulnerabilities that other bots missed.

Given how hard these cameras have been hit, there are probably only very few cameras left with default passwords, if any, that have not already been infected.

And if you are using Libra Office, the free and open source office suite, be aware with documents

and macros. Now, for Microsoft Office users, macros have long been recognized as evil, and users are by default as for permission before any macro is executed.

Now, Leaper Office, macros are a little bit different in a sense that they can be pre-installed with Leaper Office.

You can add your own macros to Leaper Office and then documents can use them.

But there are issues with some macros allowing arbitrary code execution, if not intentionally.

So, well, by mistake.

So for example, by default, Leipro Office ships with a simple macro,

...