Hello and welcome to the Friday, September 30th, 2020 edition of the Sands and at Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from the Not Terribly Windy and Not Terribly Rainy Jacksonville, Florida.

The Deast Diary today introduced the latest update to his PNG dump tool.

Well, the name sort of gives it away.

It's a tool to analyze PNG image files.

The tool identifies anomalies that are often used in PNG files, in particular if they

contain embedded malware, for example, if parts

of the file are not properly compressed, which typically is the case for PNG.

Iced ID is a malware family that takes advantage of this technique, and for Iced ID, the payload is usually RC4 encrypted, but the key

is prepended to the payload. So the DAS tool will now decrypt the payload for you. In case you

wonder, why do they make it so easy? Why is it just a key and then the encrypted payload? Well, the goal here is not

really sort of encryption per se to hide or the confidentiality of the malware. It's really

more obfuscation. They could probably have just extort the payload with that key and it would

have worked as well. Today, a blog post by a Vietnamese security company,

GTSC caused some concern as it reports about a new and so far unpatch,

but already exploited vulnerability in Microsoft's Exchange server.

GTSC found out about this vulnerability when they analyzed a compromised server, and

they described the vulnerability as being similar to the infamous proxy log-on issue.

Now, it does require authentication, so there's a little bit of a hurdle to overcome for the attacker,

but once the attacker's authenticated, well, the sky is the limit,

so to speak, and GTSC found a web shell installed on the compromised server, which is something

that was also done with the original proxy log-on vulnerability. So far, there is no official

...