SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Friday, June 7th 2019


SANS ISC Handlers

Tech News, News


🗓️ 6 June 2019

⏱️ 7 minutes


Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. GoldBrute Botnet; Exim Vulnerability; iOS Apps Disabling TLS @wandera @renato_marinho @bojanz

Transcript


0:00.0

Hello, welcome to the Friday, June 7th, 2019 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich,

0:08.4

and I'm recording from Jacksonville, Florida. I noted a couple of times, talking about BlueKeep and the

0:15.2

RDP vulnerability in general that you probably shouldn't expose RDP to the public internet.

0:22.6

The latest example of why this is a bad idea is a botnet that Renato came across, and he called

0:30.6

it GoldBrute based on a Java library that it uses to actually do its scanning.

0:37.4

This botnet is actually a little bit more intricate than some of these botnets.

0:41.3

First of all, it's written in Java, which is a little bit unusual, and comes with the entire

0:47.3

Java runtime.

0:48.3

So the download for each individual host is about 80 megabytes in size, and that's the zip archive of everything

0:57.9

that's then being expanded on the infected host. Now, once a host is infected, it starts scanning

1:04.7

for other systems that have an open RDP port, and it reports this back to a command control server.

1:13.6

Now, once it reported back 80 IP addresses, then this command and control server will actually

1:20.6

start pushing IP addresses back to the RDP host. I think there's a little bit of proof that this host is actually actively scanning

1:30.3

and not just a honeypot. So that may be the reason that it first wants these 80 IP addresses back. And

1:37.5

then the command and control server is pushing back more IP addresses that the infected system is then scanning

1:47.0

for weak passwords. Each time, the host is just using one pair of username and password,

1:52.9

so that probably will work around some lockout issues here, and then later it will receive another list of IP addresses.

2:04.1

Renato, of course, well, he did send back 80 IP addresses and got back more and more addresses

2:10.6

to scan.

2:11.6

Overall, he ended up with about 1.5 million servers that are exposed, according to this botnet.

2:20.3

So these 1.5 million servers are now being scanned for weak passwords.

2:26.3

And of course, this list is going to get larger as infected systems are scanning for more and more hosts that have RDP exposed.

...


Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.

Copyright © Tapesearch 2026.