Hello and welcome to the Tuesday, December 10th, 2024 edition of the Sansonet Storms and Stormass.

My name is Johannes Ulrich, and the time recording from Jacksonville, Florida.

Jesse today looked at some intrusions into his SSH honeypot that, well, executed a lot of commands. Most of the time

after the attacker connects to the Honeypot and is able to log in, they usually only execute

about a dozen or so different commands trying to install, for example, additional backdoors

or some kind of bot. These attacks were different. They had

a thousand more commands that were being executed. And as it turns out, they were just repetitive

curl commands. Now, these curl commands did not attempt to actually download anything.

Actually, any output was just directed to death null.

The apparent goal of these attacks was just to launch a denial of service attack.

Jesse does see a lot of targets here in the crypto space, so that could possibly be some

kind of extortion attempt or so against these

crypto sites.

From a defensive point of view, these attacks should be that terribly hard to defend against.

If you're behind something like Cloudflare or any kind of other anti-Didos provider,

they should be able to pretty easily filter these curl requests.

They're not attempting to spoof any headers or any kind of user agent or such.

So it should be pretty straightforward to filter them out.

But of course, if they do have access to many thousand vulnerable systems that could still just

sort of volumetric overload the target system. And for a change, we do have some vulnerabilities

in an open source router operating system, OpenWRT.

There are two vulnerabilities here.

...