Hello, welcome to the Tuesday, August 1st, 2003 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

And we got a second already exploited, so zero-day vulnerability from Avanti targeting its endpoint manager mobile core.

Remember, Avanti just patched the unauthenticated API Access vulnerability CVE 202033-35-078.

This new vulnerability, CVE 202033-3535081, was apparently used in conjunction with this authentication bypass vulnerability.

After the attacker did have access to the system as an administrator, this second vulnerability was then used to execute arbitrary shell commands and also

write arbitrary files to the system. Great way of course to get additional persistence on the system

and something that you need to be aware of if you are performing instant response on a compromised amount the endpoint manager mobile.

Patches are available, but the real impact here is for instant response.

And then you have new malware that appears to be targeting Redis data stores. Redis, sometimes

also called a NoSQL database, has an interesting replication feature.

And the way this is exploited here is that the attacker essentially sets up a Redis Datastore

and then uses the slave off command on the vulnerable server in order to make it replicate the content from the malicious

server. This, of course, already kind of requires a bad configuration here, where you are

exposing your Redis store and allow commands like this to be run in your Redis instance.

But once, of course, you're compromised like this to be run in your Redis instance, but once, of course, you're compromised

like this, then the attacker can do whatever they want, as in this case upload additional modules

to, for example, include a crypto coin miner or features like reverse shells.

Also interesting here, the particular malware is not just written in Rust,

but also comes as an elf and a PE binary,

so it should run on Linux as well as on Windows,

...