Hello, welcome to the Wednesday, June 29th, 2020 edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich and then I'm recording from Stockholm, Germany.

For a while now, we are running this first scene URL page that basically looks at all the submissions we are getting from the honeypots

you all are running for us and they're looking sort of for new URLs that are showing up there.

Of course, you know, some of just small variations of like, yet another WordPress or

JAWS botnet or whatever, but the last couple days there was one little odd URL and the attacker here

was looking for a file called Radio.txt. After some Googling and checking with some of

other handlers, turns out that the attacker is likely looking for high buy music devices.

These are Android-based music players, sort of a little touchscreen, and they're running a special

piece of software called High Buy Music in order to play music.

And apparently there's a radio.txt file that defines what particular

URLs are being used by different online radio stations. So it looks like attackers are looking

for this file and not 100% clear why there don't appear to be at least any sort of critical public

vulnerabilities in these devices, there was a director traversal, which doesn't really sound

that terribly bad.

Of course, there could be some vulnerabilities that we aren't aware of, but another angle

on this is that since users of the devices tend to customize this radio.tXT file,

it could just be an attempt to enumerate different URLs people are using for their online radio stations,

maybe to find some hidden or private URLs here that users wouldn't be willing to share

publicly. There's kind of scans. If you have all of those devices, wouldn't mind hearing from

you to figure out what some of the angles are here because I don't have one of these devices

myself.

...