ISC StormCast for Friday, November 10th, 2023
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
4.9 • 754 Ratings
🗓️ 10 November 2023
⏱️ 5 minutes
🧾️ Download transcript
Summary
Transcript
Click on a timestamp to play from that location
| 0:00.0 | Hello and welcome to the Friday, November 10th, 2020, edition of the Sansonet Stormer's Stormcast. |
| 0:08.1 | My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida. |
| 0:14.3 | Nice educational diary today from Xavier. |
| 0:17.1 | Xavier is talking about code injection techniques and, well, how to visualize some of |
| 0:24.3 | these and how they sort of manifest themselves on your window system. Code injection refers to |
| 0:31.8 | a normal good process being manipulated, part of the code in memory being overwritten with malicious |
| 0:39.2 | code while the software is suspended. And yes, this is something, as Xavier points out, |
| 0:47.3 | that's specifically supported by Microsoft APIs. So it's as a result relatively straightforward to do. Well, Xavier is looking at a |
| 0:59.2 | specific sample here and this was a phishing email with an executable, it was attached as a SIP file |
| 1:07.1 | that then took advantage of this technique to inject itself. Savier visualized what |
| 1:13.7 | happened here to the particular process, sound volume.exe, with prock dot. If you're not familiar with |
| 1:22.0 | dot, dot, it's actually sort of a language to describe graphs like this and then draw pictures. It can also be used for flow diagrams. |
| 1:31.1 | I've seen it also being used like for network diagrams. But in this case, it's used to kind of |
| 1:37.4 | illustrate what is happening to these processes where the actual malicious code is injected. |
| 1:45.4 | So if you are doing malvernalysis, if you're trying to better understand these techniques, |
| 1:50.7 | take a look at the full diary by Xavier. |
| 1:55.1 | And looks like the Klopp ransomer gang moved on from exploiting MoVit systems to now going after |
| 2:04.9 | CIS aid. CIS8 has published a blog post explaining that they just released a new |
| 2:11.9 | version of their on-premise product, fixing a new vulnerability CVE 2020-2347-246, and this vulnerability is apparently |
| 2:23.2 | currently being exploited by the Klopp ransomware gang. CIS 8 makes offers for help desks and |
| 2:31.1 | issue management. If you are running CIS 8, make sure that you are running version 23.3.3.36. |
| 2:41.7 | As part of its blog, CIS8 also reveals a number of details about the compromise that they observed, |
... |
Please login to see the full transcript.
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
Copyright © Tapesearch 2026.