Hello, welcome to the Thursday, July 12, 2018 edition of the Sands and at Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Remko today took a closer look at these Hello Peppa scans that we saw about a week ago.

He actually tuned his honeypot to return the correct

answer to these strings.

So what he saw was the second stage that's then being executed once this initial indicator

turns out to work.

Well, that second stage was then a remote code execution shell.

Now, the interesting part about this script is that they don't use an existing script, but instead

they rolled their own. They do authentication here. They do require a password parameter. Now in the script itself,

they only have a hash. They do an md5 of the password, then a shah of that, but they only

compare the last four digits of the resulting hash, which of course makes it pretty easy

to come up with a password that

works.

They are looking for vulnerabilities in a wide range of scripts, but among those URLs they're

testing, they're very heavy on PHP MySQL and various variations of URLs that you would typically use for

PHP MySQL. And then we have now more details about the Specter 1.1 and 1.2 vulnerabilities.

Now the existence of these vulnerabilities has been announced a while ago but no real details were announced until now.

One sort of surprise here was that this is not just allowing attackers to read data, but it's also going to allow attackers to write data across trust boundaries in the processor.

And it looks like Intel is accepting this new reality where we have continuous releases of these hardware flaws.

So Intel is now going to adopt a quarterly patch cycle for its microcode. In addition to these quarterly

updates, you may also still see some intermediate updates for very critical flaws that may be

...