Hello, welcome to the Tuesday, December 14th, 2021 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Let's start by hopefully somewhat wrapping up a log for Jay.

We had our live stream at noon today here Monday Eastern time. And as Mick put it during

the live stream, well, this is becoming a marathon. The initial sort of adrenaline kind of fades off.

And pretty much everybody should have been sort of hit by some form of the exploit at this point.

We do see a relatively quick sort of evolution of the exploits becoming a little bit more obfuscated.

Also, instead of these pretty much widely sort of sprayed user agents and URLs, we now have attackers trying to adapt their exploits a little bit for specific software

packages.

Plenty of vendor advisories out there listing whether or not particular software is

affected, how to mitigate the vulnerability if it is affected,

and patches are certainly being released relatively quickly for most software.

The one to sort of point out is VMware's V-center.

That one is already being exploited in sort of a more targeted fashion. We also have seen crypto coin miners being used quite a bit as a follow-on payload,

and Renato wrote up one particular case that he was able to observe that installed a crypto coin miner.

Also, we are seeing how several botnets and such, things like

Mirai and similar botnets are taking advantage of this vulnerability. Also keep in mind that

at this point, if you're finding a vulnerable system, in particular if it's vulnerable to sort of one

of the standard exploits, you should assume that the system is already

compromised, so it's not a simple matter of just patching and move on, but also look for

some of the indicators of compromise to make sure the system that you're patching hasn't

already been backdoored.

...