Hello, welcome to the Friday, February 17, 2021 edition of the Sand Center at Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Jim today wrote about an increase in Port 26 scans, and well, about a year ago he noticed a similar increase so interesting to

have a repeat of this event looks like the attacker is expecting a Telnet server on

port 26 and then trying to a spread version of the Satori botnet, according to some of the strings being sent,

which is one of those standard.

Hey, let's log into a Linux system with a weak password-style botnets like Mirai and the like.

The target here is most likely gigabit Ethernet passive optical network interfaces.

These modems or access points are often vulnerable.

A reader on the D-Shield Slack channel actually pointed us to a GitHub page that describes an exploit against one of these devices that will open up a Telnet server on Port 26.

And the attacks that Jim observed are somewhat consistent with this backdoor.

So by default, the Telnet server is not running, but with this exploit, it's possible to start it up on Port 26.

And what we are seeing now looks really more sort of like a secondary exploit than trying to

find these leftover telnet servers.

It looks like some Windows users had issues with Fabri's patch update where it stalled around 24%.

The reason was that you likely applied a servicing stack update first.

That servicing stack update was released on Friday, so after the Patch Tuesday update, but if you

first released that and then applied the Patch Tuesday update, then you ran into this hanging

update. Servicing Stack, that's the part of Windows that's responsible for applying updates,

and apparently there was a problem with that most recent release.

If you ran into this problem, the fix is to uninstall that servicing stack update and then

reapply the February cumulative update.

...