Hello and welcome to the Tuesday, June 13th, 2020,

edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Last week I talked about attacks against a duo server.

We saw some scans in our web honeypots last week, and I promised

I'll look into that a little bit deeper. Well, got around to setting up our usual honeypot

that actually implements the full geo server. It's a Docker container in that case.

That's out of how we set it up.

And, well, a big surprise.

It was the same group that is also going after these NIFI servers.

Very similar software and issue here in some ways.

With NIFI, we had a Java application that does allow as part of its normal functionality

that a user can execute arbitrary code.

Similar here with GeoServer, again, it's written in Java and has functionality to then execute

code.

GeoServer is meant to essentially manage map data.

It's an open source project. And just like NIFI, if you just sort of install the basic software,

again, I did it with a Docker container, then you have no authentication pre-configured.

There's one advantage from a defensive point of view running it in the Docker container. I used the default geoserver container, a little bit an older version to see if maybe they

were going after some vulnerability or such.

But by running in a Docker container,

there's not a lot of software that the attacker can actually here use things like curl, for example, don't exist inside a Docker container,

...