Hello, welcome to the Friday, March 25th, 2020 edition of the Sands and its Storms Centers.

Stormcast, my name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Well, this week I'm actually teaching our intrusion detection class, and one issue that always keeps coming up is, well, how to detect

the download of malicious files or the ex-filtration of data. And of course, one tool that

attackers like to use are various websites out there that allow you to share files for free.

These sites are either used to upload the data for exfiltration

or, well, to store malicious code and then download it from these often well-known and

non-malicious sites that, of course, are then not necessarily detected as suspicious.

Xavier ran into a piece of Malar like this, its

PowerShell code, and in this case, Transfer.sher.sh was used. Transfer. Transfer.jsh, it's well-known,

but not necessarily one of these mainstream file-sharing sites, like, for example, Dropbox. On the other hand, transfer.js.h is kind of attractive because it, first of all,

allows completely free and unauthenticated hosting and also has a very trivial API to use

tools like curl or any similar HTTP client in order to download the file or even upload files.

More details in Xavier's post about this particular malware.

And then we got a new vulnerability in Western Digital PR 4100, NASA's CVE 22, 23121. And yes, there's

already an exploit available as part of a write-up by Alex Plaskett, who I think found and reported this vulnerability.

What makes this vulnerability kind of special is that it's not in one of the web applications.

That's where we usually see these vulnerabilities.

Instead, it's in the Netatalk service.

Netatalk is an open source product that implements Apple's filing protocol or

AFP. I don't think this is necessarily exploitable from the public internet, but definitely

exploitable in the default configuration of the device from the internal interface. It does

...