Hello, welcome to the Wednesday, September 6th, 2017 edition of the Santonet Storm Center's Stormcast.

My name is Johannes Ulrich, and the day I'm recording from Jacksonville, Florida.

It was sort of a year ago that we really saw Mirai take off, so I put together a little summary of where we are today with Mirai. Last week, of course,

I set up that DVR torture chamber. So I want to see how many infected hosts are still out there.

Well, it looks like we're talking about 100,000 hosts that are infected with some form of Mirai or similar malware. We do actually see

less scanning on Port 2323, which was one of the hallmarks of the original Mirai variant

that we observed. But these days, that has actually died down quite a bit.

Overall, we do see a half-life of infected Mirai hosts of about 150 days now,

so Mirai is certainly going to stick around with us for quite a while,

in particular since there are still new systems being discovered with

new default passwords, so they're going to be just added to the list.

And if you're using Apache struts for your web applications or web services, it's time to update.

A new critical vulnerability was identified in struts that has been patched in 2.5.13.

The vulnerability does affect the Rest plugin, so if you're not using Rest, you should be able

to turn that off and secure your site that way.

I would still recommend that you update just in case that it gets enabled by mistake.

Now the problem here as before was with the deserialization of untrusted data.

There is no exploit available at this point, but an exploit shouldn't

really be all that difficult to come by. So definitely update this week if you can at all,

or at least check if there's any kind of web application firewall ruler so that you may be able to use to protect

yourself.

If you don't see an exploit by the time you're listening to this podcast, you should definitely

...