Hello and welcome to the Wednesday, March 20, 2024 edition of the Sanchez in Storm Center's

Stormcast. My name is Johannes Ulrich. And I'm recording from Jacksonville, Florida.

I wrote up a quick case study today about an IP address that is hunting firewalls. I should probably

say more correctly,

parameter secure devices. There are also some Zell gateways and the like part of this.

This is, of course, something that we have been talking about for a couple of years now,

that these devices and their vulnerabilities are a prime target for attackers. This

particular IP address has been added since about December 7th last year, started looking

for 40-net device at first. Actually, interestingly, a couple days before a patch was released for a

particular vulnerability there. And more recently in the last few days, really sort of spread

out and looking now for vulnerabilities in like watch guard, Palo Alto, Imanti or Pulse

secure, F5, Citrix, and Cisco.

So really sort of your full set of devices.

There was a question from one of the handlers,

if there's any 40-gate devices here,

didn't see any attacks against those specific devices, but really what this

attacker is doing is more scanning for potential vulnerable devices to possibly then exploit

them once exploit becomes available for one of these devices. And this has been a little bit sort of a challenge for attackers, because typically after

a new exploit is released, well, devices are pretty much being exploited within sort of a

day or so.

So I wrote about this, I think, last week as well. You don't really have time

to patch, but attackers also don't have time to attack these devices because otherwise

...