Hello and welcome to the Thursday, January 11th, 2024 edition of the Santonet Storms anders Stormcast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

Well, it's also a little bit sort of the post-patch Tuesday catch-up.

So we do have one diary here left to talk about, and these are scans

for Jenkins, in particular for the J-A's GI Security Check URL, which is typically used to

verify usernames and passwords, or essentially your login page.

Seeing a marked increase in scans for this particular URL, in particular from one IP address,

a Chinese IP address.

What makes it sort of interesting as far as attribution goes, usually shouldn't just go by

the IP address, but also part of the data being submitted. In particular, the submit

value is the Chinese word for login. So likely the request that's being used here and being

replayed was captured from a Chinese instance of Jenkins. The usernames and passwords being submitted are pretty trivial.

Actually, many of the passwords are just empty,

so I suggest that these attempts are really just more looking for vulnerable instances

and not so much actively trying to find working usernames and passwords.

And then Ivanti is in the news again this time for a change, not for its mobile device management software.

They have other buggy software to sell you.

In this case, it's what used to be known Pulse Secure and used to be known for some interesting

vulnerability back when it was called Pulse Secure. It's now called Ivanti Secure Access. And

today, Ivanti published details regarding two vulnerabilities after Waleck City discovered

these vulnerabilities being exploited in the wild.

There are two vulnerabilities that are being chained for complete compromise.

...