Hello and welcome to the Monday, April 7th, 2025 edition of the Science and at Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

I added a quick new report to the Storm Center website this weekend, and the reason I added it is the last couple of weeks,

I spent a bit more time with our S-H IntelNet data. You may have been able to tell by some of

the diaries I published. But the one thing I felt sort of was missing from the website was an easy

way to figure out what particular usernames and passwords

are just being newly used that have not been used before. This type of report is always

very useful. We have one for our web honeypots, for URLs and for the headers. So now we have it

also for usernames.

Passwords haven't made that public yet.

There are so many different passwords that makes that report a little bit challenging,

so still working on it.

And just a quick overview when I looked at it today wasn't anything super exciting.

Looks like a couple new first initial last name combinations were attempted.

Also, a couple bucks in tools, at least I think part of it at least is bugs,

where the first letter of the username is missing.

That can often happen like if an attacker doesn't understand quite how to pass command line arguments to a tool. There's also one particular attacker who has sent about

14,000, I think it was, requests using the file name of the username file as a username. So again, probably just someone not knowing how to use

the tool correctly. That happens actually, I think, much more often than people are realizing

that attackers are using exploits and such that they don't understand very well themselves

and that fail even if you are vulnerable.

Seen similar things also on the web application site

where attackers are just misspelling URLs.

...