meta_pixel
Tapesearch Logo
Log in
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Monday, April 24th 2017

SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS ISC Handlers

News, Tech News

4.9754 Ratings

🗓️ 24 April 2017

⏱️ 5 minutes

🔗️ Recording | iTunes | RSS

🧾️ Download transcript

Summary

Daily 5 min infosec news summary. News, patches, vulnerabilities and trends in information security. Port 81; CVE-2017-0199 HTA Exploit Analysis; NVidia installs Node.js

Transcript

Click on a timestamp to play from that location

0:00.0

Hello, welcome to the April 24th, 2017 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich Entertainment recording from Jacksonville, Florida.

0:12.2

Jim Glossing this weekend detected an uptick in Port 81 traffic in our firewall locks. Well, I set up a honeypot and the only thing I get, but I get a steady stream of that is

0:26.0

invalid HTTP requests.

0:28.1

They all start with get, then a new line, then login.cgi.

0:33.7

All the servers that I have to write so far will respond with an error message, even things like mini-HTP, which typically is fairly resilient and accepting some invalid HTTP requests.

0:48.3

Best I can tell so far, it's probably a fingerprint attempt, but if you are seeing this data leave your network,

0:55.3

I would appreciate a note to see where it's originating from.

1:00.6

And Didy looked at a Word document that exploited the recent CVE 2017-199 exploit.

1:09.6

This is this famous HTA exploit that was already exploited before a patch was released.

1:16.6

Of course, the last couple of weeks, it has really taken off and sort of hit the mainstream

1:22.6

because it's a relatively easy exploit to execute.

1:26.6

Well, the DA will show you how to analyze these documents.

1:31.9

It was about a week ago that we learned about Eternal Plu and Double Pulsar, the NSA exploit and

1:39.1

the back door that goes with it. Now, at the same time, there was also a detection script that was released

1:47.1

for double pulsar because hosts infected with that backdoor will respond slightly different

1:54.5

for SMB pinks. Well, there have been now a couple of surveys off the internet to see how many systems are infected with double pulsar.

2:06.0

Turns out the number was surprisingly large.

2:09.4

Tens of thousands of systems, the exact numbers vary from survey to survey.

2:14.7

But of course, there is no telling when they got infected. These surveys

2:19.7

that were done late last week, so the bad guys had about a week to infect systems with

2:26.6

these exploits, so not all of these systems were necessarily infected by the NSA originally.

2:34.4

And apparently, in video with some of its latest Windows drivers, did also install Node.js.

...

Please login to see the full transcript.

Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.

Copyright © Tapesearch 2026.