Hello, welcome to the Friday, October 4th, 2019 edition of the Sansonet Storms and StormCast.

My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida.

Ransomware is the gift that keeps on giving, at least if you are a security analyst.

But attackers don't always use a new ransomware.

They sometimes sort of keep reusing older versions and just come up with a new route to get

people to infect themselves.

Xavier came across such an example.

The email advertising the ransomware does follow some of the

playbook of fake antivirus. It does claim that the user's system is infected and suggests

that they are downloading a repair tool from Microsoft. The email itself follows standard Microsoft branding. When the user downloads

this repair tool, they of course download the ransomware and execute it willingly. So no real exploit

involved here. Now the ransomware being installed here is quite old,

except he was able to actually find the source code for this particular ransomware on GitHub,

and it appears to be about two years old. Accordingly, also, Virus Total has pretty good detection

for this particular variant.

And last week we got a new version of TCP Dump and it turns out that it fixes a large

number about 20 different vulnerabilities, some of which are remote code execution

vulnerabilities.

Of course, TCPDump is sort of one of those tools we always consider old and stable and, well, secure. Well, they actually have added a lot more application layer protocol intelligence to TCPDump,

and some of these vulnerabilities at least appear to be related to these new features.

So definitely if you are using TCPDump, make sure you are using the latest version, 493.

...