Hello, welcome to the Friday, December 11, 2020 edition of the Santernet Storm Service Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Encroc is a service that has steadily been gaining in popularity over the last couple years,

and of course with that popularity also comes attention

from attackers. The goal of N-Croch is to allow you to expose internal services, usually

for testing. That's what they sort of advertise. But attackers are also using N-Croch for backdoors.

And we have yet another Python script that takes advantage of N-Croch to implement a simple backdoor.

Xavier took a look at that script and published as part of today's diary, the source code used

by this particular bot.

Well, there's certainly a number of good reasons why developers and such would use N-Croch.

It's something that you should probably pay attention to, even if it's

used legitimately. It's something that needs to be used with care because, yes, you don't

want to expose, for example, development systems and such to the public by just exposing them via N-CROC.

And Cisco released a patch for its jabber client on Windows as well as Mac OS that fixes

a vulnerability that was thought to be patched back in September. Back then, a watchcom security company

did notify Cisco off these vulnerabilities. After the patch was released in September,

watchcom actually published quite a bit of details about these vulnerabilities, but well, apparently the patch wasn't complete

and systems were still warnable. Early this week, I talked about the electron framework,

which allows you to write desktop applications using JavaScript and HTML. Well, this Jabber client is written in a similar framework, the Chromium-embedded framework

or CEF, and with that it inherited, well, some of the basic issues that come by executing

JavaScript that is possibly then being injected via cross-site scripting.

And that's exactly what happened here.

...