Hello and welcome to the Friday, February 17th, 2020,

edition of the Sans and its Stormer's Stormcast. My name is Johannes Ulrich, and today

I'm recording from Jacksonville, Florida. Jan today came across an interesting fishing attempt

that used the browser in browser technique. Now, there are a couple

different variations of that, some of the more sophisticated ones, will essentially redirect you

to a browser-based desktop. So you essentially are now accessing a website through a remote browser without necessarily realizing this.

What Jan had here was a pretty good emulation of browser windows inside the HTML DOM of your own browser.

In this case, the window that you appear to be seeing has everything that you're used to from your browser. In this case, the window that you appear to be seeing has everything that you're used to

from your browser, including a URL bar, the lock from TLS and so on, to essentially make you

believe that you are actually entering your credentials into a different site than you are actually entering them.

I think some of these fishing attempts

are also taking advantage of the very common behavior

of pop-up login windows like used with OAuth and such

that essentially display a fairly small

browser window just with the login box. So these fake pop-up windows are looking just the same.

And of course, users are likely going to fall for them. Something great to introduce in your

awareness training to sort of show something a little bit different, a little bit more sophisticated.

And if you're running a Windows server 2022 inside a virtual machine on VMware ESXI.

Well, you may run into problems after applying the latest patch from Microsoft.

Apparently, Knowledge Base 5022-842, which was part of this week's patches, has a problem that prevents Windows server 22 from booting

if secure boot is enabled.

So that's a part here that's being broken by the patch

...