INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
What are they looking for? Scans for OpenID Connect Configuration
Last Updated: 2023-12-20 00:03:45 UTC
by Johannes Ullrich (Version: 1)
Update: Thanks to our reader Dustin Decker for pointing out that these scans are likely looking for Citrix devices. The recent "CitrixBleed" vulnerability is exploited using the OpenID connect URL (CVE-2023-4966, CVE-2023-4967). An attack would also include an oversized Host header in a request to the OpenID URL. The scans I have observed do not appear to include this oversized Host header. Looks like they are just looking for possible targets to exploit later.
One of our honeypots received unusually many requests for an OpenID connect configuration file. This honeypot is configured a bit differently as it is more experimental to test new software, so the logs do not show up on our main site. Overall, there are only a few requests targeting this specific URL.
OpenID connected is an authentication scheme often used by websites to facilitate features like "Log in with Facebook/Google...". The specification asks for a configuration file, .well-known/openid-configuration, to facilitate the automatic discovery of OpenID connect capabilities.
Read the full entry:
An Example of RocketMQ Exploit Scanner
Last Updated: 2023-12-16 06:31:05 UTC
by Xavier Mertens (Version: 1)
A few months ago, RocketMQ, a real-time message queue platform, suffered of a nasty vulnerability referred as CVE-2023-33246. I found another malicious script in the wild a few weeks ago that exploits this vulnerability. It has still today a very low VirusTotal detection score:2/60 (SHA256:70710c630390dbf74a97162ab61aae78d3e18eacb41e16d3dd6bbd872fee66c5).
This script is a Bash script has two main parts: First, it will prepare its environment by creating a random directory ...
Then, it will install some dependencies using yum or apt. The dependencies will allow the tool to download and compile on the fly a copy of the masscan port scanner ...
Read the full entry: