Hello and welcome to the Thursday, February 29th, 2004 edition of the Sandtonet Storms, Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Today I looked at some of our Honeypot logs and noted a sudden increase in requests for the URL forgot user password.

Dot action.

This URL appears to be related to the Atlassian Confluence product.

At first, I thought, hey, maybe this is just someone trying to sort of exploit, badly implemented, forgot password feature.

But there seems to be more to it.

The URLs, the parameters being passed to it, look a little bit more like some kind of template injection or dieselization vulnerability. If anybody has any idea what the

exact CVE number that may be exploited here is, let me know. At this point,

will it appears to be just scanning for instances, not necessarily exploiting or launching a specific exploit, but we'll have to look

at it a little bit further to really see what's going on here. So any hints about any recently

patched vulnerabilities or so in forgot user password.com. Action are quite helpful.

And if you're running Confluence,

well, double check your logs

and see if it was abused using this particular URL.

And you probably noticed about a few high profile compromise

of healthcare businesses lately.

Now, we always had attacks against hospitals that has been sort of going on for a couple years now.

The latest bigot hack, and I may have mentioned it before in a podcast against change health care or optum,

did affect billing for a large number of pharmacies.

Well, the FBI now is paying attention to the news too, and SISA and the couple other agencies

have released a bulletin with some of the indicators of compromise and general techniques being used in

...