Hello, welcome to the Friday, December 16th, 2016 edition of the Sands and its Storm Center's

Stormcast. My name is Johannes Ulrich, and I'm recording from Washington, D.C.

I think it was about a week ago I wrote about the malicious email ad hatchments I received from

DomainCorp. Today, Brad analyzed one of these emails in depth.

He ended up with the Kerber Ransomware after looking at the attachment in more detail.

He also discovered the two additional domains that were related to this particular wave of attacks.

In addition to domaincop.org, he saw Domaincop 247.com as well as ccnotice.netnet.

I'm not sure how successful this particular attack was, but I guess if we see some

similar domains being registered in the future, it probably means that it worked for them.

Well, and if you need more reasons to apply Apple's patches for OS10, here's one. It turns out

that the patches released earlier this week. Do fix a vulnerability

that allows access to the FileWalt password via Thunderbolt. Now, first of all, file vault,

like all, disk encryption, is supposed to protect a system if an attacker has physical access to the system.

And this is exactly what is required in order to break the file vault to password using access to Thunderbolt.

What's happening is that if an OS10 system reboots, it does allow for a short time access via Thunderbolt to memory via DMA,

and as a result, an attacker can read the filebalt password before it is being deleted during the reboot process.

This particular attack, of course, requires special hardware in order to access the thunderbolt port,

but that's pretty straightforward to acquire and it has been tested with multiple thunderbolt two laptops.

Has not been tested yet with the newer USB C laptops,

but there is really no reason why it shouldn't work with those laptops.

So Apple patched a problem and this time window

during which you can access memory no longer exists.

...