Hello, welcome to the Friday, September 7th, 2018 edition of the Sandtonet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Amsterdam, Netherlands.

Saville came across an interesting piece of malware that he wrote up today.

One of the features of this malware was that it's using

PowerShell to compile C-sharp code on the fly.

The code then appears to attempt to connect a command control server.

At this point, Xavier has not received any response from this server.

And Elliot Thompson found a neat way to steal Wi-Fi credentials from users using Google Chrome.

The main problem here was that Google Chrome did pre-fill credentials for non-HDPS sites.

This has been fixed in the latest version of Google Chrome, but the way this attack works

is pretty straightforward if you think about it that the attacker would impersonate the

login website, the router website on a Wi-Fi network,

then it would trick the user to visit that particular website,

and of course Google Chrome would automatically pre-fill credentials.

In general, it's always dangerous to have a browser or any tool pre-fill credentials on non-HTPs

websites because it's always possible to impersonate these sites and then, of course, browsers

wouldn't recognize that they actually connect to the wrong website.

And the register has an interesting preview of a paper to be released by researchers of the Fraunhofer Institute for Secure Information Technology.

In this paper, apparently details are going to be released in how to trick certificate authorities

into issuing you a bad certificate for a domain you don't own.

The problem here, apparently, is that some certificate authorities are using DNS to verify

domain ownership, and, well, DNS responses can be spoofed.

...