[SANS ISC] Log4Shell Attacks Getting “Smarter”, (Mon, Jan 17th)

Ever since news of the Log4Shell vulnerability broke, we have seen a stream of attacks attempting to exploit this vulnerability in log4j (CVE-2021-44228). Initial attempts were rather “blunt”, and attempted to insert the JNDI exploit string into various fields without much concern for how and where the string might be logged. More recently, we did some however […]


[SANS ISC] Use of Alternate Data Streams in Research Scans for index.jsp., (Fri, Jan 14th)

Our network of web application honeypots delivered some odd new URLs in the last 24 hrs:

/index.jsp::$DATA
/jsp/index.jsp::$DATA
/cgi-bin/index.jsp::$DATA
/cgi-bin/jsp/index.jsp::$DATA
/demo/../index.jsp::$DATA
/demo/../jsp/index.jsp::$DATA
/scripts/index.jsp::$DATA
/scripts/jsp/index.jsp::$DATA

I am not 100% sure what these scans are after, but my best guess right now is that they are attempting to bypass filters using NTFS alternate data streams. The Windows […]


[SANS ISC] Microsoft Patch Tuesday – January 2022, (Tue, Jan 11th)

Microsoft fixed 126 different CVEs with this month’s update (this includes the Chromium issues patched in Edge). Six of the issues were publicly disclosed, and nine are rated critical. Noteworthy updates: CVE-2022-21907: This is a remote code execution vulnerability in http.sys. http.sys is part of anything in Windows that processes HTTP requests (e.g. IIS!). But this […]
