Hello, welcome to the Tuesday, July 7, 2020 edition of the Sansanet Storms on a stormcast. My name's

Johannes Ulrich, and then I'm recording from Jacksonville, Florida. Yesterday I mentioned the

F5 Big IP vulnerability CVE 2020-509-022 and as I sort of alluded to in yesterday's podcast, yes,

exploits are out there and on Monday we really sort of saw a flood of different exploits

hitting our honeypots. So certainly this is now in full swing.

And if you have a system that hasn't been patched yet,

you certainly should assume it to be compromised.

Some of the more dangerous exploits that I've seen is,

first of all, sort of a backdoor that was added to Cron. It will essentially

just pull a URL and download whatever script it finds at that URL and execute it. There was also

an exploit that added an additional admin user to our honeypot. And lastly, we had an good old IRC bot that was actually written in

neat obfuscated pearl and essentially also represented a backdoor into the system.

Due to the number of exploits that we have seen, I'm planning on doing a special webcast

at 1 p.m. Eastern time on Tuesday, so join me there.

Probably will be a little bit shorter.

Half an hour or so we'll see what we'll do, but I'll do a detailed walkthrough to how

these exploits work and also show

some of the exploits if you collect it in our honeypot. And of course, we'll also go a little bit

over how to detect if you have been already exploited and how to figure out what the attacker

may have done to your system.

And I think it was back in January when Microsoft announced web content filtering as a beta

feature, sort of a public preview, they call it, for their advanced threat protection or ATP.

...