Hello, welcome to the Tuesday, December 3rd, 2019 edition of the Sandsenet Storm Center's Stormcast. My name's

Johannes Ulrich, and then I'm recording from San Francisco, California. In the last few weeks, we have spotted a

significant increase in scans on Port 26, and well well we're honestly just wondering what were

people looking for here. Nothing typically listening on Port 26 but of course sometimes

users get a bit crafty and run systems on different ports. When you're looking at

Shodan the top listener on Port 26 tends to be a mail server.

Exim is one that sort of stands out here.

And Exim had a number of well-documented vulnerabilities recently.

So our first guess was, well, people probably just run XM on Port 26 to avoid some of the

blocking that a lot of ISPs do on Port 25. And now someone figured this out and is starting to scan

for XM vulnerabilities. So we set up Honeypot to listen on Port 26, but so far we haven't really seen any XM attacks.

Instead, it looks like the only thing that attackers are really looking for on Port 26 is, well, yet more Telnet prud forcing.

So they're essentially looking for users that run Telnet on Port 26.

Not sure how successful this is, Shodan does not show a significant number of Telnet servers on Port 26,

but maybe someone discovered here something that Shodan missed.

On the other hand, it wouldn't be the first time that some attacker sort of has some

wild idea like this and is just sending a bot net after a port without really having any

success.

And on Monday, Pr Brad received an email with a malicious attachment, so well, he couldn't

help himself, but to take a closer look at it, it was one of those encrypted zip files.

The password for it was 777.

Well, and no big surprise, it included malicious vert document.

...