INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Struts "devmode": Still a problem ten years later?
Published: 2024-04-23
Last Updated: 2024-04-23 12:37:56 UTC
by Johannes Ullrich (Version: 1)
Like many similar frameworks and languages, Struts 2 has a "developer mode" (devmode) offering additional features to aid debugging. Error messages will be more verbose, and the devmode includes an OGNL console. OGNL, the Object-Graph Navigation Language, can interact with Java, but in the end, executing OGNL results in arbitrary code execution. This OGNL console resembles a "web shell" built into devmode.
No matter the language or the exact features it provides, enabling a "devmode", "debug mode" or similar feature in production is never a good idea. But it probably surprises no one that it still shows up on publicly exposed sites every so often. Attackers know this as well, and are "playing" with it.
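As an added example (not code from the diary or from the Struts project), the following Python audit script checks the two places where the struts.devMode constant is usually set, struts.xml and struts.properties, and reports any file that switches it on. The file contents are constructed samples showing the weak setting beside the corrected one; the script does not model precedence between the two files (that is an assumption: any source enabling devMode is treated as a finding).

```python
"""Audit Struts 2 configuration for struts.devMode left enabled.

Added example, not taken from the ISC diary or from Apache Struts. The file
contents below are constructed samples, not from any real deployment.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: struts.xml with devMode switched on (the weak setting)
STRUTS_XML_DEV = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
    <constant name="struts.devMode" value="true" />
    <package name="default" extends="struts-default" />
</struts>
"""

# Constructed sample: the same file with devMode explicitly off (the corrected setting)
STRUTS_XML_PROD = STRUTS_XML_DEV.replace('value="true"', 'value="false"')

# Constructed samples of struts.properties, weak and corrected
PROPS_DEV = "struts.devMode = true\nstruts.action.extension = action\n"
PROPS_PROD = "# devMode must stay off outside development\nstruts.devMode=false\n"

# Java .properties allow '=' or ':' as the key/value separator
_PROP_RE = re.compile(r"^struts\.devMode\b\s*[=:]\s*(\S*)")


def devmode_from_struts_xml(text):
    """Return True/False if a <constant name="struts.devMode"> is present, else None."""
    root = ET.fromstring(text)
    for const in root.iter("constant"):
        if const.get("name") == "struts.devMode":
            return (const.get("value") or "").strip().lower() == "true"
    return None


def devmode_from_properties(text):
    """Return True/False if struts.devMode is set in a .properties file, else None."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":   # blank lines and comments
            continue
        m = _PROP_RE.match(line)
        if m:
            return m.group(1).strip().lower() == "true"
    return None


def audit_devmode(files):
    """files: mapping of file name -> contents. Returns the names that enable devMode.

    Assumption: precedence between struts.xml and struts.properties is not
    resolved here; any file that enables devMode is reported.
    """
    flagged = []
    for name, text in files.items():
        if name.endswith(".xml"):
            enabled = devmode_from_struts_xml(text)
        elif name.endswith(".properties"):
            enabled = devmode_from_properties(text)
        else:
            continue
        if enabled:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    bundles = {
        "dev-like":  {"struts.xml": STRUTS_XML_DEV,  "struts.properties": PROPS_PROD},
        "prod-like": {"struts.xml": STRUTS_XML_PROD, "struts.properties": PROPS_PROD},
    }
    for label, files in bundles.items():
        print(label, "->", audit_devmode(files) or "devMode not enabled")
```

Run it against the real files from a deployed WAR before release; an empty result from audit_devmode is the expected state for anything reachable from the internet.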
Read the full entry:
https://isc.sans.edu/diary/Struts+devmode+Still+a+problem+ten+years+later/30866/
It appears that the number of industrial devices accessible from the internet has risen by 30 thousand over the past three years
Published: 2024-04-22
Last Updated: 2024-04-22 10:21:17 UTC
by Jan Kopriva (Version: 1)
It has been nearly three years since we last looked at the number of industrial devices (or, rather, devices that communicate with common OT protocols, such as Modbus/TCP, BACnet, etc.) that are accessible from the internet. Back in May of 2021, I wrote a slightly optimistic diary mentioning that there were probably somewhere between 74.2 thousand (according to Censys) and 80.8 thousand (according to Shodan) such systems, and that based on long-term data from Shodan, it appeared as though there was a downward trend in the number of these systems.
Given that a few months ago, a series of incidents related to internet-exposed PLCs with default passwords was reported, and CISA has been releasing more ICS-related advisories than any other kind for a while now, I thought it might be a good time to go over the current numbers and see how the situation has changed over the past 35 months.
At first glance, the current number of ICS-like devices accessible from the internet would seem to be somewhere between 61.7 thousand (the number of “ICS” devices detected by Shadowserver) and 237.2 thousand (the number of “ICS” devices detected by Censys), with Shodan reporting an in-between number of 111.1 thousand. It should be noted, though, that while none of these services necessarily detects all OT devices correctly, the number reported by Censys seems to be significantly inflated by the fact that the service uses a fairly wide definition of what constitutes an “ICS system” and classifies as such even devices that do not communicate using any of the common industrial protocols. If we do a search limited only to devices that use one of the most common protocols that Censys can detect (e.g., Modbus, Fox, EtherNet/IP, BACnet, etc.), we get a much more believable and comparable number of 106.2 thousand.
Read the full entry:
The CVE's They are A-Changing!
Published: 2024-04-17
Last Updated: 2024-04-19 18:12:04 UTC
by Rob VandenBrink (Version: 1)
The downloadable format of CVEs from MITRE will be changing in June 2024, so if you are using CVE downloads to populate your scanner, SIEM or to feed a SOC process, now would be a good time to look at that. If you are a vendor and use these downloads to populate your own feeds or product database, and you're not using the new format already, you might be behind the eight ball!
The old format (CVE JSON 4.0) is being replaced by CVE JSON 5.0, full details can be found here ...
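As an added example (not code from the diary or from MITRE), here is a small Python adapter of the kind a SIEM or SOC feed loader needs during the transition: it accepts a record in either the legacy CVE JSON 4.0 shape or the CVE JSON 5.x shape and normalizes the fields most feeds key on (ID, English description, reference URLs, affected vendor/product pairs). Both sample records are constructed, carry a placeholder CVE ID rather than a real one, and only cover the top-level fields shown; real records have many more.

```python
"""Normalize CVE records from the legacy JSON 4.0 and the newer JSON 5.x shape.

Added example, not from the ISC diary or MITRE. The two records below are
constructed samples with a placeholder ID (CVE-0000-0001), not real CVE data.
"""
import json

# Constructed sample in the CVE JSON 4.0 shape (placeholder ID, made-up content)
RECORD_V4 = json.loads("""{
  "data_type": "CVE", "data_format": "MITRE", "data_version": "4.0",
  "CVE_data_meta": {"ID": "CVE-0000-0001", "ASSIGNER": "cve@example.invalid", "STATE": "PUBLIC"},
  "description": {"description_data": [{"lang": "eng", "value": "Placeholder description."}]},
  "references": {"reference_data": [
      {"refsource": "MISC", "name": "advisory", "url": "https://example.invalid/adv"}]},
  "affects": {"vendor": {"vendor_data": [{"vendor_name": "ExampleVendor",
      "product": {"product_data": [{"product_name": "ExampleApp",
          "version": {"version_data": [{"version_value": "1.0"}]}}]}}]}}
}""")

# Constructed sample in the CVE JSON 5.x shape describing the same placeholder issue
RECORD_V5 = json.loads("""{
  "dataType": "CVE_RECORD", "dataVersion": "5.0",
  "cveMetadata": {"cveId": "CVE-0000-0001", "state": "PUBLISHED"},
  "containers": {"cna": {
      "descriptions": [{"lang": "en", "value": "Placeholder description."}],
      "references": [{"url": "https://example.invalid/adv", "name": "advisory"}],
      "affected": [{"vendor": "ExampleVendor", "product": "ExampleApp",
                    "versions": [{"version": "1.0", "status": "affected"}]}]
  }}
}""")


def _english(descriptions):
    """Pick the English text: 4.0 uses the tag 'eng', 5.x uses BCP-47 'en'/'en-US'."""
    for d in descriptions:
        if str(d.get("lang", "")).lower().startswith("en"):
            return d.get("value", "")
    return descriptions[0].get("value", "") if descriptions else ""


def normalize_cve(record):
    """Return {'id', 'description', 'references', 'affected'} from a 4.0 or 5.x record."""
    if record.get("dataType") == "CVE_RECORD" and str(record.get("dataVersion", "")).startswith("5."):
        cna = record.get("containers", {}).get("cna", {})
        return {
            "id": record["cveMetadata"]["cveId"],
            "description": _english(cna.get("descriptions", [])),
            "references": sorted(r["url"] for r in cna.get("references", []) if "url" in r),
            "affected": sorted((a.get("vendor", ""), a.get("product", ""))
                               for a in cna.get("affected", [])),
        }
    if record.get("data_version") == "4.0":
        affected = []
        for v in record.get("affects", {}).get("vendor", {}).get("vendor_data", []):
            for p in v.get("product", {}).get("product_data", []):
                affected.append((v.get("vendor_name", ""), p.get("product_name", "")))
        return {
            "id": record["CVE_data_meta"]["ID"],
            "description": _english(record.get("description", {}).get("description_data", [])),
            "references": sorted(r["url"] for r in
                                 record.get("references", {}).get("reference_data", []) if "url" in r),
            "affected": sorted(affected),
        }
    raise ValueError("unrecognized CVE record format")


if __name__ == "__main__":
    # Both shapes should normalize to the same view of the same placeholder issue
    for rec in (RECORD_V4, RECORD_V5):
        print(json.dumps(normalize_cve(rec), indent=2))
```

The point of the adapter is that the loader keeps working on the same normalized fields while the upstream feed flips formats; the language-tag change ("eng" versus "en") and the move of vendor/product data out of the nested affects/vendor_data structure are the two details that most often break naive parsers.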
Read the full entry:
https://isc.sans.edu/diary/The+CVEs+They+are+AChanging/30850/