meta_pixel
Tapesearch Logo
Log in
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Monday, April 13th 2020

SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS ISC Handlers

Tech News, News

4.9754 Ratings

🗓️ 13 April 2020

⏱️ 5 minutes

🔗️ Recording | iTunes | RSS

🧾️ Download transcript

Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. Decrypted KPOT Malware; VCenter Patch; Ransomware Swith to Monero

Transcript

Click on a timestamp to play from that location

0:00.0

Hello, welcome to the Monday, April 13th, 2020 edition of the Santernut Storms,

0:05.9

I'm Stormcast. My name is Johannes Ulrich, and yes, I'm still recording from Jacksonville, Florida.

0:14.0

It's always great to have some of our readers further analyze some matter that was discussed in our diaries. Now, we got a post here by Vinny that Didier put up,

0:27.2

and it looked in more detail at the encrypted K-pot malware that was discussed by Didi in a prior

0:36.3

post. Now, what Vinny here did in order to decrypt this K-Pod Malware is, well, just run it

0:43.1

and essentially let it decrypt itself and then dump memory in order to get a snapshot of

0:50.0

the decrypted code.

0:51.7

And this worked pretty nicely here.

0:54.5

He was able then to essentially just use simple strings to learn more about the matter.

1:00.7

So if you're interested, take a look at what he did here in order to accomplish this.

1:07.4

Now, first of all, he used just simple task manager in order to get a process dump for this dlllhost.exe binary, and then he just used foremost to extract the actual executables.

1:22.9

Once extracted, he had it all decrypted and could use simple strings in order to sort of learn

1:29.0

a little bit more about this particular malware. So pretty neat and quick technique.

1:34.8

Also nice that in addition to task manager, the only thing he needed was Formos, which of course

1:39.0

is sort of a stable, a well-known forensics tool to extract data from binary dumps like memory or disk dumps.

1:48.7

And if you are running VMware's V-Center server, it's time to update VMware released a patch on Friday

1:57.7

that addresses an information disclosure vulnerability with a CVSS score of a full

2:05.2

10. So this can lead to a complete system compromise. Now, these sensitive information disclosure

2:12.4

vulnerability is always a little bit tricky to gauge, but apparently here the problem is VM there and it doesn't

2:21.1

implement correct access controls. It's possible to gain access to data that you're not supposed

2:26.4

to have access to, which apparently may include credentials and such, which then in turn, of course,

2:32.6

can be used to compromise the system. However, in order

...

Please login to see the full transcript.

Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.

Copyright © Tapesearch 2026.