Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: Hazelcast IMDG Discover Scan SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Hazelcast IMDG Discover Scan

Today my honeypot has been capturing scans for the Hazelcast REST API. I checked my logs for the past 2 years and these only started today. The last vulnerability published for Hazelcast was CVE-2018-10654 and related to "There is a Hazelcast Library Java Deserialization Vulnerability in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3."[3]


There was some discussion regarding this issue at the end of Sep 2019 that got fixed at the end of Nov 2019 [5] where /hazelcast/rest/cluster HTTP endpoint returns HTTP 500 status. If you are seeing similar discovery scans and when they started, we would like to hear from you.

[1] https://docs.hazelcast.org/docs/management-center/3.9.2/manual/html/Clustered_REST_via_Management_Center.html
[2] https://vulmon.com/searchpage?q=hazelcast
[3] https://vulmon.com/vulnerabilitydetails?qid=CVE-2018-10654&scoretype=cvssv2
[4] https://github.com/hazelcast/hazelcast/issues/15635
[5] https://github.com/hazelcast/hazelcast/pull/16150
[6] https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+Overview+of+Observed+Payloads/25704

-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Guy

479 Posts
ISC Handler
Feb 29th 2020
I show requests for that URL on Feb 13 and Feb 15

111.206.52.81 - - [13/Feb/2020:19:39:41 +0000] "GET /hazelcast/rest/cluster HTTP/1.0" 302 229 "-" "-"
27.115.124.74 - - [15/Feb/2020:17:58:20 +0000] "GET /hazelcast/rest/cluster HTTP/1.0" 302 239 "-" "-"

These requests were directed to port 80 on my server.
Anonymous
Can confirm, starting on Feb 16th with surprising random seeming destination ports: 31472, 9200, 5984, 11211, 2375, 44818, 27017, 8087, 2480 in 9 probes, so not 1 unique destination port. All 9 requests were "GET /hazelcast/rest/cluster".
Ron

9 Posts
Got here also:

/var/log/apache2/access.log:111.206.250.230 - - - [22/Feb/2020:19:23:55 -0300] "GET /hazelcast/rest/cluster HTTP/1.0" 404 360 "-" "-"
witz2

4 Posts

Sign Up for Free or Log In to start participating in the conversation!