Hello and welcome to the Thursday, March 21st,

2004 edition of the Sansonet Stormers Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Today I dove a little bit into logs related to the recent 40 net 40 OS vulnerability CVE 2020 24 21762. This vulnerability

I talked a little bit about yesterday. We just sort of had an exploit released for it.

So I was wondering if you see any scans for it, this vulnerability is a little bit more tricky than

most of vulnerabilities that we usually sort of talk about. It's actually a good old-fashioned

buffer overflow, not one of these code injection or directory traversal vulnerabilities. So it does actually require a little bit preparation of the

system before the memory is kind of set up correctly for the exploit to work. The exploit

itself could be launched just against the index URL, so just looking for

URLs, which is what we usually do in our honeypots, is not really all that telling.

But the exploit that's out right now, and that's what an attacker is most likely going to use,

uses a specific URL, remote slash host check

underscore validate to do that memory preparation. And this particular URL is being used because it can

be used to send significant data to the system, which then helps in setting up the memory correctly.

Interestingly, we do see very little activity for this particular URL.

We saw some in January and in February,, they actually all came from two different IP addresses

that are related to each other. Not only are they in the same slash 24, they are also using

the exact same set of exploits in addition to this Fortnite 1.

They're using the same user agents and everything.

So highly likely that this is the same actor just using this particular URL.

This is also a decent URL if you're trying to fingerprint these devices.

...