Hello and welcome to the Thursday, October 31st, 2024 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich and I'm recording from New York, New York.

First, a quick look at our web honeypots.

One scan that kind of stuck out today was scans for RDWeb. This actually only

affected sort of a subset of our honeypots, but over the last few days, they got hit by a large

number of scans for URLs that start with slash RD Web, which is indicative of RDP

gateways.

Also interesting that a large number of different IP addresses participated in these scans,

we pretty much didn't see any of the IP addresses more than three times, which again indicates that this is a botnet

doing these scans. RDP, of course, has heavily been abused by ransomware gangs and others,

so definitely something to keep an eye on. Having an RDP gateway is not bad. It's actually

often a way to better control RDP, but your authentication, of course, has to be appropriate.

And yesterday I talked about the vulnerability in CyberPanel, apparently this vulnerability is now being exploited by the PSAUX ransomware.

This information comes from Leekix, that's a vulnerability search engine.

Leakex also did the initial scan that found the 20,000 or so vulnerable systems.

This is a tricky vulnerability given that it was essentially

patched the day the proof of concept exploit was released. Lots of little odd things happening here

also with Leakex kind of revealing the ransomware exploitation just as they publish a list of vulnerable systems.

So still not everything totally clear here.

I'm linking to an article by creeping computer that summarizes things pretty good.

Also has links to a statement from a cyber panel on how to properly patch.

Let me have yet another way how your NtLM hashes could leak this time it's Windows themes.

...