Hello, welcome to the Tuesday, November 5th, 2019 edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

I want to start out with a couple of observations about the mass exploitation of the Blue Keep vulnerability.

I don't have a link for this, at least not yet,

but it's just some internal discussions we had here. First of all, it does appear to be quite

efficient. We have seen some numbers that pretty much all machines that were exposed got taken

over by this crypto miner.

Another little note here is also that once these systems are infected and are running the

crypto miner, you may get some false negatives from vulnerability scanners.

One of our handlers observed in his environment that all for a sudden all of the machines

that he had still registered as Blue Keep vulnerable appear to be patched.

What was actually happened was that they had been infected by this crypto coin miner,

and now his scan timed out and came back as a negative. So make

sure that whatever scanning tool you use does wait long enough for the replies to come back.

Otherwise, once the system is infected with this crypto coin miner, it may actually show up as

patched.

The bot itself doesn't patch the system, also doesn't block RDP access.

It just keeps the machine busy, so your response times from RDP are slow.

And then we got a vulnerability in ClamBC, the bytecode compiler for the Clam AV open source antivirus engine.

Now, typically vulnerabilities in antivirus engines aren't really all that uncommon, sadly, and certainly an important problem.

But in this case, it's probably less often an issue.

The more severe class of vulnerabilities in antivirus engines is triggered when the engine

...