Hello and welcome to the Thursday, March 13th, 2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

One more ability that's just not going away is Log 4J.

The latest example are some scans that I observed today

against the VMware Hyper Cloud extension or HCX API.

This is a Rest API, and at first I thought it was just a brute force attempt I saw because the end point that the request was directed at, well, was used for login.

It's the session and you just post username and password to it, and you'll get back a session key that's then being used as a bearer token.

However, looking at the payload closer,

well, the username was actually a log for J payload. This makes perfect sense, sort of in hindsight,

that an attacker would use a username to inject a log for J payload, because, well, that's the part

that's usually logged from a request like this.

And interestingly, the IP that was going after these VMware systems also went after a couple

other login pages, like some Cisco login pages and others that I yet have to identify.

They're sort of just generic, like some just login.

So could be various applications that are being attacked here.

And then we got a little bit patched Tuesday cleanup.

First of all, the Apple update released yesterday

that fixed the surrogate vulnerability in macOS and iOS.

Apparently after applying this update, some users reported that Apple Intelligence

is being re-enabled.

If they had it disabled first, that's Apple's artificial intelligence feature that typically is enabled by default, but you are able to disable it.

Well, in Europe, I don't think it's available, so no issue with Europe here.

...