🗓️ 1 July 2022
0:00.0 | Hello, welcome to the Friday, July 1st, 2022 edition of the SANS Internet Storm Center StormCast. My name is Johannes Ullrich, and today I'm recording from Jacksonville, Florida. |
0:12.7 | Nice case study today by Brad, who looked at a Qakbot infection that then resulted in Cobalt Strike being used for command and control. |
0:23.0 | Nothing really all that exciting or new here. |
0:25.4 | But one thing that Brad points out in this particular example is that the Cobalt Strike |
0:31.6 | connection kept on working even after the domain used to actually direct the victim to the particular Cobalt Strike server |
0:41.3 | had been suspended. The simple reason for this is that, well, Cobalt Strike fell back to the |
0:47.3 | IP address. Typically, you will find a host name as well as an IP address that can be configured as a command and control server. |
0:56.6 | Yes, the certificate was no longer any good, of course, for the IP address. |
1:00.8 | It just contained the host name, but still good enough for Cobalt Strike to maintain the connection. |
1:08.6 | And Brad discovered that sort of a week after the original domain was removed. |
1:16.8 | Little side note here on this, getting domains suspended often depends a lot on the registrar that is being used here. |
1:26.0 | Just big kudos to Namecheap. The registrar Namecheap has |
1:29.9 | been very responsive in revoking domains used for malicious purposes. So if you are attempting |
1:37.4 | to do something malicious with your domain, please make it easier for us to take your domain |
1:42.5 | down and register it with Namecheap. Back in April, |
1:47.9 | Zoho did publish an update for ManageEngine ADAudit Plus. This update fixed vulnerability |
1:56.9 | CVE-2022-28219 and caused a lot of excitement, in part because, well, ManageEngine ADAudit |
2:04.9 | Plus is used to manage Active Directory, and a compromise of the system could potentially |
2:11.6 | compromise Active Directory. Horizon3.ai, the company that found this vulnerability, now published a blog post |
2:21.4 | showing how this particular vulnerability can actually be exploited, and it goes in quite a bit of |
2:29.0 | detail on how to essentially end up with a complete domain compromise and remote code execution. |
2:35.8 | It sort of all starts out with an unauthenticated XML external entity injection. |
... |