Hello and welcome to the Wednesday, April 24, 2024 edition of the Sands and the Storm Center's Stormcast. My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Quick diary today about an uptick in scans for a struts to death mode problem. I call it a problem, not a vulnerability,

kind of on purpose, because it's really a feature that you should not see enabled on a public

exposed production website. Dev mode, as the name implies, is meant for development. It's

basically a debug mode, gives you

additional logs and also error messages being displayed to the screen, which is probably not that

great either. But most importantly, as far as we're concerned here, it also gives you a simple

web shell that you can use to execute OGNL expressions.

We have seen lately a couple days with pretty aggressive scans for this particular issue,

trying to figure out if code execution is possible.

So double-check your websites.

Again, this is Trutz II where this may be enabled,

and it's a configuration setting. Usually not a problem on a development website. That's not

accessible to the public internet, but definitely should not be enabled on a production website.

And researchers from Microsoft did publish details regarding an attack

that they are attributing to Fancy Bear or Force Blizzard,

as Microsoft calls them these days, essentially the Russian GRU.

And this attack uses a tool that they refer to as goose egg that takes advantage of a number

of older printer spooler vulnerabilities that Microsoft fixed in 2021 and 2022.

You may remember the term print nightmare. That's sort of what these

vulnerabilities were referred under. And well, apparently, some people still haven't

patched. In this case, probably nation state actors aren't the only one taking advantage

...