Defenders should keep an eye on their networks for increased scanning activity. An uptick suggests that discussions about how to trigger vulnerabilities are likely under way. For example, Recorded Future noted that scanning against the Groovy scripting engine in Elasticsearch started “almost immediately” after the disclosure of a remote code execution vulnerability. Forums were talking about ways to exploit and maintain persistence on compromised systems “over and over,” Gundert says.
Remote code execution flaws tend to trigger online chatter almost immediately. Local exploits, those that require the attacker to first gain a foothold on the device by some other means, appear not to generate as much chatter.