Hello, welcome to the Tuesday, May 10th, 2020 edition of the Sandsenet Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Let's start a day with a diary by Xavier about a new incarnation of the octopus Backdoor that he found. Now, in this case, it's delivered

again as a Word document. The Word document itself appears to include PDFs as embedded

documents, but it's actually not PDFs. It just uses the PDF extension and logo.

It's actually a good old batch file. It is then executed by clicking on it, and Xavier does a good

job going through the obfuscation and how to sort of decode it. Well, in the end, you end up with the octopus backdoor.

It luckily still connects to a well-known host name,

HPSJ.firewall dash gateway.net.

And as an add-on, if you run into code like this, Renato actually created a little Python script

that allows you to automate the decode process for this particular type of obfuscation.

And well, then, a little bit as expected, we do have now a public exploit for CVE 2022-1388, the F5 Big IP vulnerability that was patched late last week.

And this exploit is now heavily used in order to target vulnerable systems. So far we see a lot of reconnaissance,

some backdoors, web shells is what we have seen in, even two instances of a destructive

attempt that essentially just attempts to run RM-RF slash on affected systems.

Now, with the exploit being released, we now also know a little bit more about the vulnerability.

It's kind of actually an interesting vulnerability.

The root cause is something called hop by hop headers in HTTP. In HTTP, if you add

the name of a header to the connection header, in this case, that's the XF5 auth token header that's

being added, then a proxy will not modify this particular header.

It will just pass on its content.

And while the XF5-Oth token header is, as the name kind of implies, usually used for authentication.

So by preventing the proxy,

...