Hello, welcome to the Friday, January 10th, 2020 edition of the Sandstone Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Unlike most people, we really like it if our readers and listeners are sending us Malaver. Latest example is David.

He sent us a very sort of classic Word document, claimed to be a UPS invoice, but of course

the macro in the Word document turned out to be malicious.

Xavier took a quick look at it and you can read more about his analysis.

What I sort of found interesting is from a detection point of view is that it uses a very

obviously fake user agent for some of its HTTP requests, just a sequence of seven capital letters.

Looks sort of random to me, not actually sure where they come from, but I wouldn't be surprised

if they change from infection to infection.

Also, the server that these requests are being sent to, with the server header cowboy which is also

somewhat unusual so these are typical anomalies to look for user agent headers server headers

should be pretty easy to spot malware like this and it's a renewed effort in finally getting rid of the Shah 1 algorithm to sign digital documents.

The latest output of this effort is that KnewPG, probably the most popular implementation of GPG,

will no longer trust Shah 1-based signatures if they were

created after January 19th last year. What this means for you is, well, double-check your

software that it's not using Shaw 1 signatures, as of course they may fail if someone uses up-to-date software to verify them.

In particular, new PG version 1.4 does default to Shaw 1. So make sure you're no longer using

that. And Cisco released 14 security updates, none of them critical, two rated high, the rest

medium.

What's sort of a bit notable here is that many of these vulnerabilities are cross-site

scripting vulnerabilities.

They're actually often underestimated, so be careful, definitely patch this.

...