Hello, welcome to the Monday, September 9th, 2019 edition of the Sands and the Stormsendors

Stormcast. My name is Johannes Ulrich.

I'm recording from Sevalde, Germany.

Last week, Guy observed a new kind of scan in his honeypots that appears to originate from the Mirite botnets or some of its successors

and well again targeting DVRs but this time it looks like it's more going sort of for

web application vulnerabilities. In particular it's looking for the Mount Custom Product Definition File, not

absent what it's kind of looking for, but if you have any more details, please let us know.

There are a couple of sort of tweets about some activity from Craynois and others. But well, what I reported

before, Mirai sort of keeps on changing, keeps on expanding the overall arsenal of vulnerabilities

it's scanning for. And yes, what we all were waiting for somewhat has happened and we now have

a bluekeep exploit module in Metasploid. Of course, this did very much lower the threshold

of attackers targeting your systems with this exploit.

You had plenty of times now to apply patches and for sure that exploits have been developed

and have been available in commercial products for quite a while now.

Now this exploit isn't quite as straightforward as some other

mid-asploid modules by default. It will just tell you if a system is vulnerable or

not. You have to apply additional configurations based on the operating

system you are targeting. It currently works with the 64-bit versions of Windows 7 and

Windows 2008 R2, according to a blog post released by Rapid 7. Now, one word of caution, if you're

using this exploit module in internal penetration tests, there is a good chance

that you will actually trigger a blue screen if you are not running this module correctly,

or if your exploit is interrupted, for example, by network issues.

...