Hello, welcome to the Monday, April 26, 2021 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

In Diaries, we got a couple of quick ones over the weekend. Xavier talked about a malicious PowerPoint file that distinguishes itself with a very compact

and simple visual basic macro.

Instead of one of those classic Living of the Land attacks, it uses the built-in Microsoft

tool MShTA.exe to download and then execute the actual malware.

And Ghee took a quick look at what passwords people sent via basic authentication to honeypots.

And well, no big surprises here.

Now, if you're looking at the list, there's one that ranks

really high, that's sort of part of his top five that does look like a random UUID. Well, while the

string is sort of random, it's not random in the sense that a fairly popular set of video

recorders apparently uses this as a hard-coded password.

So at least they didn't use admin and instead used a random password, but the same

random password for millions of devices.

And on Friday, Glick Studios, the company behind password manager, password state,

announced that they apparently were breached and customers were provided with a compromised

update.

Now, there's not a lot of solid information here.

The CSIS group has a write-up about this with some details, but they weren't able to retrieve all

stages of the malware. Looks like it was shut down relatively quickly, but it's fair to assume that

the malware did attempt to infiltrate passwords. And of course, that's sort of the worst case scenario when it comes

to password managers, that the password manager itself gets compromised. Password state itself

...