Hello and welcome to the Monday, November 27, 2020,

edition of the Sandin and Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

So back after the Thanksgiving week that I took off and, well, was lucky here.

No major event during this week.

A little bit sort of some of your usual stuff that we need to kind of talk about today.

So a little bit catching up here.

Also, just want to mention that Thanksgiving is always sort of the anniversary of DeShield.org, the data collection

engine behind the Internet Storm Center, which was originally released Thanksgiving weekend

of 2000, so about 23 years old now.

And then we got a couple new exploits that are being integrated into the

Mirai and similar botnets. Mirai, of course, originally just used the weak passwords,

but over the year sort of has added a number of web application vulnerability. One of them, CBE 2023, 1389, is a vulnerability that

one of our undergraduate students, Yona Latmar, looked a little bit closer into, and

well, this vulnerability was originally discovered and made public in March.

Then later in April, we saw some first hits against our honeypots.

But starting September, it really sort of has taken off since it then has been incorporated into some of these botnets, which of course made the vulnerability much more noisy at this point.

The vulnerability is a relatively easy to exploit, command injection vulnerability does not require any authentication.

You need to expose the admin interface for the router to be vulnerable and apparently the TP Arger

AX21 and AX-800 firmware is vulnerable to this. Wouldn't be surprised if other devices are

vulnerable as well. And Akamai also wrote a blog post about some new war on abilities. They're seeing

exploited by Mirai variants. They're calling it infected slurs. Now, this appears to be in part

...