Last Updated: 2018-07-18 18:52:01 UTC
by Kevin Liston (Version: 2)
Starting 12-JUL-2018 the number of DShield participants reporting probes for port 15454 started to rise. It popped up on the experimental trends report (https://isc.sans.edu/trends.html) yesterday. Fellow handler Richard Porter thought it sounded like a "debugger port for an App" and after a quick jaunt to The Googles he returned with an old report that this port opens up when the Cloud9 IDE is doing its thing. (Source: https://stackoverflow.com/questions/39007572/cloud9-debugger-listening-on-port-15454)
We're curious if that initial guess is correct or not. Are you seeing this as well? Any pattern to the source or interesting tool marks? Or better yet: Got Packets?
If so, hit us up on the contact form: https://isc.sans.edu/contact
Looking at my own sensors, I see one source 22.214.171.124. It was looking for ports in the 15000 range. So looking at the DShield logs for ports 15453, 15455 and 15456 around 15454 you see a similar uptick. In addition to the 15000 ports it was also hitting 22.
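To spot the pattern described above (one source walking the ports around 15454 and also touching 22) in your own firewall logs, here is an added example that is not part of the diary. It assumes a simple space-separated log line format and uses constructed sample lines, not real DShield data:

```python
import re
from collections import defaultdict

# Constructed sample lines (hypothetical format, not real DShield data):
# "<timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
2018-07-13T01:02:03Z 203.0.113.7 41001 192.0.2.10 15454 TCP
2018-07-13T01:02:04Z 203.0.113.7 41002 192.0.2.10 15453 TCP
2018-07-13T01:02:05Z 203.0.113.7 41003 192.0.2.10 15455 TCP
2018-07-13T01:02:06Z 203.0.113.7 41004 192.0.2.10 15456 TCP
2018-07-13T01:02:07Z 203.0.113.7 41005 192.0.2.10 22 TCP
2018-07-13T01:03:00Z 198.51.100.9 50211 192.0.2.10 15454 TCP
2018-07-13T01:04:00Z 198.51.100.22 50300 192.0.2.10 443 TCP
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (\d+) (\S+)$")


def parse_log(text):
    """Yield (src_ip, dst_port) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), int(m.group(5))


def find_sweepers(text, center=15454, width=3, min_ports=3):
    """Flag sources that hit at least min_ports distinct ports within
    [center-width, center+width]. Single hits on 15454 alone are ignored;
    the per-source record also notes whether port 22 was probed."""
    hits = defaultdict(set)
    for src, dport in parse_log(text):
        hits[src].add(dport)
    lo, hi = center - width, center + width
    result = {}
    for src, ports in hits.items():
        band = sorted(p for p in ports if lo <= p <= hi)
        if len(band) >= min_ports:
            result[src] = {"band_ports": band, "also_ssh": 22 in ports}
    return result


if __name__ == "__main__":
    for src, info in find_sweepers(SAMPLE_LOG).items():
        print(src, info)
```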
Last Updated: 2018-07-18 02:38:21 UTC
by Scott Fendley (Version: 1)
Oracle released their quarterly critical patch update today. This patch addresses a record number of 334 vulnerabilities across a wide set of Oracle supported products.
Vulnerabilities in Weblogic, Oracle Spatial, and Oracle Fusion Middleware MapViewer are rated with CVSS scores of 9.8. Deserialization-based attacks against Weblogic server have been used as attack vectors in the past year, and used to install crypto miner campaigns. It is likely that these types of campaigns will continue for the foreseeable future.
We recommend reviewing the full CPU release to identify impacted software packages within your organization, and making plans to address those that create the largest risk. The full bulletin is available from Oracle at http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html.
Scott Fendley ISC Handler
If you have more information or corrections regarding our diary, please share.