Hello, welcome to the Wednesday, December 8, 2021 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

What up a quick diary this morning that's sort of a little bit based around a new feature we're actually playing with,

and that feature is displaying newly hit URLs from our web application honeypots.

So any URL that we haven't seen in the past is sort of displayed there.

And what sort of stuck out a little bit yesterday actually was a particular host that was scanning

the internet it looked like for

web shells. Web shells, of course,

are associated with many reason

compromises, whether it be solar winds or

whether it be many of the

Microsoft Exchange server

compromises that we have

seen recently.

This particular actor, well, is such a sort of parasitically trying to find pre-installed

web shells and then trying to exploit them.

And apparently looking for things like, for example, default passwords that are often used

with these web shells.

Total of 28,454 requests from this single IP address over the day on Monday, hitting about 40 honeypots that are supplying us with data.

And as usual, if you're interested in running a honeypot,

well, check our site.

Of course, the big news item today was also the Amazon outage.

...