Hello and welcome to the Thursday, February 8th,

2004 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Well, I have a little bit of mystery today that I hope some listener will be able to help with,

and that's a URL that showed up in our first

seen URL list. That's the list where all URLs show up that have been seen for the first

time in our honeypots, at least in some quantity. This particular list, URL is slash V5 slash

device slash heartbeat.

And the only thing I sort of could find about this particular URL is that it's very likely associated with Balena.

I think that's how you pronounce it.

This is a platform to manage IoT devices.

And the API contains requests like that.

So it may be related to it.

There is no obvious big vulnerability in this particular system that sort of was disclosed lately.

But these requests look, and I think someone on Twitter also out like someone is trying to enumerate any systems running Balena.

There are a couple of vulnerabilities on LinkedIn.

For example, someone pointed to a PNG vulnerability that affected versions of Belina because they include an older Node.js.

This PNG vulnerability does not appear to be exploitable in this particular system.

So unlikely it's this vulnerability, but I think it sort of is pointing to the right direction.

Like many modern applications, this

application is including lots and lots of libraries and components, so it's very much

possible that some component that is vulnerable could be exploited in this particular API.

...