Hello, welcome back to the Monday, November 28, 2022 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

So after this one week break, we do have a couple of diaries to go over. Of course, not all of our

handlers are US-based, so for some of them, there was no vacation. And they jumped in to

provide us with some interesting stories. Let's first of all start here with Renato's diary from, I believe, Monday.

Renato wrote about a recent log-for-shell attack.

Log-for-shell actually sort of kept us busy early December last year, and yes, it's still a topic.

US government recently sort of made an announcement that they're still seeing quite a few attacks for it.

The attack that Renato saw wasn't so far special in that it did use the NASHorn JavaScript scripting engine in order to then use JavaScript code to then set up a reverse shell.

Now, why NASHORN? Why JavaScript?

JavaScript, of course, is different from Java.

The log for J. Warnaby was a Java vulnerability.

But the NASHorn JavaScript engine is created by Oracle

included in the Java development kit. So that way, you know, you have it available. It

fits into Java and that's why attackers in this case likely used it.

For more details, including Code Snippet, well, see Renato's post, and of course, links will be in the show notes.

And one thing about phishing or a lot of malicious emails in general is that hackers try to create a sense of urgency. That usually is used to

get users to click on links without really sort of thinking through what they're actually doing

here. And in this case that Xavier covered, well, it started with the normal rules that your email account is going to get deleted

if you're not going to log in now to update it.

But what they actually did here to make this, I guess, more plausible or even more urgent,

is that once you click on the link, you're being directed to a standard fishing website

...