Hello and welcome to the Tuesday, December 5, 2020,

edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Spend some time today following up on an observation that I wrote up last week about a pro-Russian hacktivist group going after

SharePoint vulnerabilities. I looked at a particular IP address that was used in these scans

and well, they have changed their targets. They're now looking for a number of other

vulnerabilities, like for example leaked environment files and other, well, essentially, credential files that may accidentally leak also exposed admin APIs.

So wrote up a little bit more about this.

A couple vulnerabilities that sort of stuck out that they're looking for.

One looked like a directory traversal vulnerability in a captive portal that's often

installed with OpenWRT, the open source router software.

Name of the portal is No Dog Splash.

Haven't seen this particular vulnerability documented.

Doesn't mean that it's real and just some zero day or so could be just some attempt to exploit things that don't really work. There's also some checks for like Cold Fusion admin URLs.

And another one that sort of stuck out was scans for an artifacts file in ML flow.

ML flow describes itself as a unified platform to navigate the maze of model development, deployment, and management for machine learning.

So certainly interesting piece of software being exploited here.

Also identified a couple other IP addresses that are likely associated with that activity

because the URLs that are being scanned by this particular host and then also

the other host that I saw are reasonably unique. There are not a lot of hosts really scanning

for these specific vulnerabilities, which again could mean that, well, these exploits actually

don't really work all that well. There are also some interesting geolocation challenges here that I outlined.

...