Internet Storm Center Spotlight


ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers.

Pro Russian Attackers Scanning for Sharepoint Servers to Exploit CVE-2023-29357

Published: 2023-11-28

Last Updated: 2023-11-28 12:59:52 UTC

by Johannes Ullrich (Version: 1)

In June, Microsoft released a patch for CVE-2023-29357, a critical privilege escalation vulnerability for Sharepoint. An exploit for this vulnerability was released in late September. Combined with CVE-2023-24955, a remote code execution vulnerability that was patched in May. The first vulnerability bypasses authentication to enable code execution via the second vulnerability.

Earlier today, I noticed the URL for CVE-2023-2023-29357 show up in our "first seen URL" list. This list notes URLs collected by our honeypots that reached certain thresholds for the first time. Our honeypots saw the first exploit attempts on September 30th, but at the time, they did not reach the threshold yet to be considered significant.

Read the full entry:

Scans for ownCloud Vulnerability (CVE-2023-49103)

Published: 2023-11-27

Last Updated: 2023-11-27 14:22:54 UTC

by Johannes Ullrich (Version: 1)

Last week, ownCloud released an advisory disclosing a new vulnerability, CVE-2023-49103 [1]. The vulnerability will allow attackers to gain access to admin passwords. To exploit the vulnerability, the attacker will use the "graphapi" app to access the output of "phpinfo". If the ownCloud install runs in a container, it will allow access to admin passwords, mail server credentials, and license keys.

As of Sunday, we are seeing individual scans for one of the affected URLs.

Read the full entry:

Decoding the Patterns: Analyzing DShield Honeypot Activity [Guest Diary]

Published: 2023-11-27

Last Updated: 2023-11-29 02:12:28 UTC

by Guy Bruneau (Version: 1)

[This is a Guest Diary by Alex Rodriguez, an ISC intern as part of the BACS program]

Honeypots can be an effective means of discovering the variety of ways hackers target vulnerable systems on the Internet. The first thing you may ask yourself is, “What is a honeypot?” In short, it is a magnificent tool that can be attached to your home router and is designed to lure potential hackers into attacking it by pretending to be a vulnerable system. As part of my internship with the SANS Internet Storm Center, I have had the pleasure of setting up a honeypot and monitoring activity to assist me in identifying some of the trends hackers use to target vulnerable systems.

Monitoring activity on a honeypot usually entailed reviewing logs, which in my case meant combing through JSON-formatted, SSH and Web logs looking for activity that piqued my interest. According to my SSH logs, the honeypot captured 26171 IP addresses, 48548 Source Ports, 13201 Usernames, and 43794 Passwords between July 30, 2023, and October 30, 2023. Listed below are the Top 10 IPs, Ports, Usernames, and Passwords captured during the four-month period.

Read the full entry:

Internet Storm Center Entries

OVA Files (2023.11.25)

Wireshark 4.2.0 Released (2023.11.25)

Happy Birthday DShield (2023.11.24)

CVE-2023-1389: A New Means to Expand Botnets (2023.11.22)

Overflowing Web Honeypot Logs (2023.11.20)

Quasar RAT Delivered Through Updated SharpLoader (2023.11.18)

Phishing page with trivial anti-analysis features (2023.11.17)

Beyond -n: Optimizing tcpdump performance (2023.11.16)

Recent CVEs

The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.