Hello and welcome to the Friday, April 25th, 2025
edition of the SANS Internet Storm Center's Stormcast. My
name is Johannes Ullrich and today I'm recording from
Jacksonville, Florida. Well, in diaries today, some of our
honeypots got scanned for what looks like attempts to use
them as SMS gateways. The URLs suggest that the attacker here
is looking for SMS gateways made by Teltonika. Teltonika
makes a wide range of SMS gateways from IoT-centered
devices to enterprise gateways. But the fundamental
idea of all of these devices is that you're connecting to
them via an IP connection and then use them to send SMS
messages. This, of course, happens via a relatively
straightforward API. And, well, as so often, there are
some default users and default passwords that are being used.
That's exactly what the attacker was looking for here.
Typically, according to the documentation I found, there
is a user1 that's always defined. Now, its password
is usually user_pass, but it looks like, in
addition to that one password, they're also looking for a
couple of others. Not sure if they're just common passwords
being used or depending on the exact device they're looking
for, whether or not there's a range of different default
passwords being used. There's one that's a little bit
interesting, if anybody has any idea, this P8XR password.
That's sort of just a random string. Google search didn't
return anything for this random string. Now, in order
to confirm whether or not the particular gateway they're
connecting to is able to send SMS messages, they're then
sending a quick test to one of the attacker's phone numbers.
And there are two phone numbers that we have seen so
far. One in Saudi Arabia and one in Belgium. Of course,
they themselves could then be again some kind of SMS to
email gateway or something like this that would then be
used to receive those messages. As always, make sure
that you're changing default passwords. And yeah, please
don't buy any devices that come with simple default
passwords like that. And users of the Commvault backup solution,
be aware that, well, there is not only a new remote code
execution vulnerability that does not require any
authentication, but in addition, there is also a
great detailed write-up by watchTowr with the usual
snark mixed in it and also an exploit that's relatively easy
to replicate once you see it here at the blog. The first
thing that the attacker would do is deploy a new package.
And that's sort of the root cause of the vulnerability
here, where the attacker would essentially just upload a web
shell here via that command center deploy web package dot
do endpoint. No authentication required here. And then next,
this particular package can be used to, for example, upload a
web shell. And then it can be used to execute additional
arbitrary code. Not a difficult vulnerability at all
to exploit. So definitely be aware of this vulnerability.
It is a must patch now vulnerability. I looked at our
logs, haven't seen any hits in our honeypots yet. But then
again, these Commvault systems are fairly easy to identify.
So I would think that some targeted attacks are already
underway. And talking about how quickly vulnerabilities
are being exploited, Vulncheck put together a
little bit of statistics based on the known exploited
vulnerabilities. And in quarter one of 2025, they
observed that out of the 159 known exploited vulnerabilities,
about a quarter, actually a little bit more, were
exploited in less than a day. And that's very typical. I
think it doesn't really matter when a vulnerability is being
made public. But as soon as an exploit becomes public, it's
widely exploited. And that's what we keep seeing in our
data. Now, they also broke it down a little bit by different
categories. And here, of course, network edge devices
are very big. Operating systems also, and a lot of
content management systems, which I have to admit, I keep
ignoring, because there's just too many, like the WordPress
vulnerabilities and the like, that keep coming up, but once
you're looking at plugins and such, where there's really no
point in really enumerating them, you're probably
vulnerable if you have a certain number of plugins
running in these systems. Then the issue with, well, inetpub
is not going away. Remember, this was the problem that we
kind of had last month, where Microsoft released an update
and then created this directory. That's usually used
by internet information servers. Well, Kevin Beaumont
now on his blog did publish a little exploit where you are
just adding a junction for inetpub to a system binary.
And any user can do that on Windows. This will break
updates going forward. So now the April update cannot apply.
It cannot create that directory. And also future
updates will likely fail. We'll see if Microsoft is
adding some additional fixes here to the May update.
That's, well, coming out in a couple of weeks. Nothing at
this point that you have to do about this particular issue,
but just be aware of any odd junction that you may find on
systems. That's it for today. Thanks again for listening.
Thanks for recommending the podcast. And as always, if you
talk to someone at SANS, well, just let them know how much
you like this podcast. Thanks and talk to you again on
Monday. Bye. Bye.
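As an added example, not part of the podcast and not Teltonika's or the ISC's own code: a small Python detector that runs over constructed access-log lines and flags requests shaped like an HTTP SMS-send call, that is, credentials plus a destination number in the query string, and notes whether the documented default user1/user_pass pair was used. The /cgi-bin/sms_send path, the log lines and the phone numbers are constructed placeholders, and the username/password/number parameter names are an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Default credentials named in the diary: user1 with password user_pass.
KNOWN_DEFAULT = ("user1", "user_pass")

# Common-log-format line: source, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d+)'
)

# Constructed sample honeypot log lines (not real data; path and numbers are placeholders).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Apr/2025:10:01:02 +0000] "GET /cgi-bin/sms_send?username=user1&password=user_pass&number=%2B966500000000&text=test HTTP/1.1" 404 0
203.0.113.5 - - [25/Apr/2025:10:01:03 +0000] "GET /cgi-bin/sms_send?username=user1&password=OtherPass&number=%2B32470000000&text=test HTTP/1.1" 404 0
198.51.100.7 - - [25/Apr/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""

def sms_probe(url):
    """Return probe details if the request looks like an HTTP SMS-send call, else None.

    Heuristic: a query string carrying login credentials *and* a destination
    number is the shape of a gateway send request, whatever the path is.
    parse_qs already percent-decodes, so %2B becomes a leading '+'.
    """
    parts = urlsplit(url)
    q = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    user = q.get("username") or q.get("user")
    password = q.get("password") or q.get("pass")
    number = q.get("number") or q.get("to")
    if not (user and password and number):
        return None
    return {
        "path": parts.path,
        "user": user,
        "default_cred": (user, password) == KNOWN_DEFAULT,
        "number": number,
    }

def scan_log(text):
    """Parse each log line and collect SMS-send probes with source and timestamp."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        probe = sms_probe(m.group("url"))
        if probe:
            probe.update(src=m.group("src"), ts=m.group("ts"))
            findings.append(probe)
    return findings

def destination_numbers(findings):
    """Distinct destination numbers, a handy pivot for correlating scans across sensors."""
    return sorted({f["number"] for f in findings})
```

Run on a real sensor's access log, the same two functions give you the source addresses, the credential pairs tried and the destination numbers to alert on; the detector ignores status codes on purpose, since a honeypot answers 404 while a real gateway would answer 200.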