Last week, Jonah Latimer posted here about traffic he saw to his own EC2 web honeypot exploiting %%cve:2023-1389%%. I found this looking at new URL strings to our honepot network, and so for on 29 Nov 23, there have been about 300 detections for this vulnerability pulling a shell script from %%ip:45.95.146.26%% a quick little shell script that does little more than figure out the architecture of the victim device and then attempt to download a architecture-specific variant of Mirai.
Article Link: https://isc.sans.edu/diary/rss/30442