Hello, welcome to the Friday, February 15th, 2019 edition of the Santernut Storm Center's

Stormcast. My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

You probably have heard in the past about problems with PDFs that are embedding links to SMB

file shares.

Don't see him really a lot, but it is actually a pretty easy exploit in the sense that

then the user will try to connect outbound to the SMB file share, of course, download the document

and in some circumstances even pass along hashes of credentials

in order to attempt to essentially authenticate against this remote file share.

More or less anywhere where you would have added a HTTP URL, you could also insert

an SMB URL. Now often of course this ability has been disabled

in recent years, but PDFs are still one of these spots where it is sometimes possible

and where this trick works. Xavi ran into one such document and took a closer look at it, so if you want to see how it works. Xavier ran into one such document and took a closer look at it. So if you want to see

how it worked in this particular case, how to analyze documents like this. Well, take a look.

If you're running a QNAP appliance, these are these storage devices. You may want to take a look at the host file on the QNAP appliance, these are these storage devices.

You may want to take a look at the host file on the QNAP device and check it for any odd

entries.

There has been some so far really undefined malware going around, which apparently does

manifest itself by additional entries in your Etsy hosts file.

Now if you have one of these devices, you also should definitely update the version of the

operating system of the device, also update all installed applications, and manually update

the malware remover that is included with this device.

Apparently, another sort of side effect of the malware that's being spotted by QNAP users

...