
SANS ISC: Hazelcast IMDG Discover Scan - SANS Internet Storm Center SANS ISC InfoSec Forums

Hazelcast IMDG Discover Scan

Today my honeypot has been capturing scans for the Hazelcast REST API. I checked my logs for the past 2 years and these only started today. The last vulnerability published for Hazelcast was CVE-2018-10654 and related to "There is a Hazelcast Library Java Deserialization Vulnerability in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3."[3]

There was some discussion regarding this issue at the end of Sep 2019 that got fixed at the end of Nov 2019 [5] where the /hazelcast/rest/cluster HTTP endpoint returns HTTP 500 status. If you are seeing similar discovery scans, we would like to hear from you, including when they started.


Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu


523 Posts
ISC Handler
Feb 29th 2020
I show requests for that URL on Feb 13 and Feb 15:

- - [13/Feb/2020:19:39:41 +0000] "GET /hazelcast/rest/cluster HTTP/1.0" 302 229 "-" "-"
- - [15/Feb/2020:17:58:20 +0000] "GET /hazelcast/rest/cluster HTTP/1.0" 302 239 "-" "-"

These requests were directed to port 80 on my server.
Can confirm, starting on Feb 16th with surprising, random-seeming destination ports: 31472, 9200, 5984, 11211, 2375, 44818, 27017, 8087, 2480 in 9 probes, so not 1 unique destination port. All 9 requests were "GET /hazelcast/rest/cluster".

17 Posts
Got here also:

/var/log/apache2/access.log: - - - [22/Feb/2020:19:23:55 -0300] "GET /hazelcast/rest/cluster HTTP/1.0" 404 360 "-" "-"

4 Posts
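
To answer the diary's question of whether and when these scans reached your own servers, the following added example (not part of the original diary or its comments) searches access-log lines for Hazelcast REST requests and reports the first sighting, per-day counts and response codes. The function names, the /hazelcast/rest/ prefix match and the sample lines with documentation-range source addresses are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Common/combined access-log format. Matching on the /hazelcast/rest/ prefix is
# an assumption: it is wider than the single URL reported in the thread.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
PROBE_PREFIX = "/hazelcast/rest/"

# Constructed sample lines; source addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Feb/2020:19:39:41 +0000] "GET /hazelcast/rest/cluster HTTP/1.0" 302 229 "-" "-"',
    '198.51.100.7 - - [14/Feb/2020:08:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [15/Feb/2020:17:58:20 +0000] "GET /hazelcast/rest/cluster HTTP/1.0" 302 239 "-" "-"',
    '203.0.113.5 - - [22/Feb/2020:19:23:55 -0300] "GET /hazelcast/rest/cluster HTTP/1.0" 404 360 "-" "-"',
    'not an access-log line',
]

def find_probes(lines):
    """Return sorted (timestamp, source, path, status) tuples for matching requests."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].split("?", 1)[0].startswith(PROBE_PREFIX):
            continue  # malformed line or unrelated request
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append((ts, m["src"], m["path"], int(m["status"])))
    return sorted(hits)

def summarize(hits):
    """First sighting, hits per day, status codes, and any request answered with 200."""
    if not hits:
        return None
    return {
        "first_seen": hits[0][0],
        "per_day": Counter(h[0].date().isoformat() for h in hits),
        "statuses": Counter(h[3] for h in hits),
        "answered_200": [h for h in hits if h[3] == 200],
    }

if __name__ == "__main__":
    report = summarize(find_probes(SAMPLE_LOG))
    print("first seen:", report["first_seen"].isoformat())
    print("per day:", dict(report["per_day"]))
    print("status codes:", dict(report["statuses"]))
```

Any entry in `answered_200` means something on that host served the path and is worth checking for a reachable Hazelcast member.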
