meta_pixel
Tapesearch Logo
Log in
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Monday, May 16th, 2022

SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS ISC Handlers

Tech News, News, Technology

4.9696 Ratings

🗓️ 16 May 2022

⏱️ 6 minutes

🔗️ Recording | iTunes | RSS

🧾️ Download transcript

Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. BIG-IP Review; Sonicwall Patch; Zonealarm Priv Esc Vuln; Taking over npm account

Transcript

Click on a timestamp to play from that location

0:00.0

Hello, welcome to the Monday, May 16th, 2020 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich, and we're recording from Jacksonville, Florida.

0:14.8

Well, we got a couple good diaries for the weekend. Let's start with Friday. Friday I wrote up a quick review of all the different

0:24.1

exploits that we have seen over the last week for the big IP vulnerability CVE 2022-1388.

0:33.1

So it was just about a week earlier that we learned about the vulnerability.

0:38.6

Researchers were pretty quickly announcing that they found exploits for the vulnerability,

0:44.2

but took till Monday morning for actually an exploit to become public

0:49.2

and the actual exploitation of the vulnerability to start.

0:53.9

We saw a real fast ramp up in exploitation attempts, first starting with some simple

1:01.3

ID and Who Am I, checks to basically profile the system, then immediately followed by

1:08.3

back doors and web shells that were installed, including the couple

1:14.1

destructive tags that we noted earlier. Finally, on Thursday then, we did see how the Mirai

1:22.5

Botnet actually incorporated this particular exploit. We recovered it in a sample that hit one of our

1:32.3

undergradiate interns honeypots. So what this really means is that the vulnerability sort of has

1:38.5

run its course. At this point, you should expect that pretty much every war-able system has been exploited.

1:46.2

There hasn't been a lot sort of what I would consider targeted.

1:48.9

Like only very few exploit attempts, for example, took advantage of specific big IP commands.

1:57.2

For the most part, they just treated it like a Linux system, which of course it is and ran basic Linux exploits.

2:05.8

In some cases, just copying, for example, web shells into the appropriate directory.

2:11.8

Also pretty much no patching happening by the attackers, which of course then leads to a multiple exploitation of the same system.

2:21.3

If you do have a vulnerable exposed F5 big IP device in your network,

2:27.8

assume that it has been compromised multiple times by now.

2:32.3

Now another thing that we didn't see and probably wouldn't really see well in our honeypots

...

Please login to see the full transcript.

Previous episode | Next episode

Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.

Copyright © Tapesearch 2025.