Hello and welcome to the Tuesday, November 26, 2024 edition of the Santonet Storm Center's

Stormcast. My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

We got a little bit of catching up to do from the weekend regarding some of the diaries,

published two diaries published.

Two diaries by DDA, one about quick and dirty,

obfuscated JavaScript analysis by essentially just running the JavaScript.

This is, of course, dangerous and has to be done with care,

but often the fastest and simplest way to figure out what a particular

JavaScript is up to. Next, there is another diary by the day about decrypting PDFs with

user password, but in advantage of the password feature in QPDF.

And today, Jan published a diary looking at the disappearing open ports and servers in the Russian Internet.

According to Shodan, there has been a significant decrease in the number of exposed servers in Russia. Jan guesses that this may very well be linked to some filtering based on country of origin. First of all, some networks no longer

route Russian traffic, but also Russia itself is blocking in some parts, traffic from outside the

country.

Particularly interesting is a massive decrease in systems exposed on port 7547.

That's not an interesting port.

It has been used a lot in attacks.

It's associated with a protocol called TR69, and that protocol is used by ISPs

to manage customer premise equipment, like DSL modems. Given that there have definitely

been an increase in reported attacks against systems in Russia, in particular, for example, webcams and the like,

it's very likely that ISPs are now more motivated to block access to remote control

features like this that, again, have been heavily exploited in the past.

...