Hello, welcome to the Monday, April 5th, 2021 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Last week, Xavier wrote about how he came across some malware that took screenshots and Xavier was able to recover many of the screenshots

that a malware sent back to a command and control server. But Xavier noticed that some of these

images did actually originate from sandboxes, not from actual end user systems.

And this was pretty evident, for example, if terminal windows were open that ran software that typically is used by sandboxes.

So Xavier wrote a little Python script to determine how many of these screenshots came from sandboxes, and he ended

up with about 21%. The main criteria Xavier did look for is the size of the screenshot, and

then also the percent of unified color, essentially, how much of the screen is just one color.

In a real system, you often have multiple windows open and icons and such, leading to a more

colorful desktop. While, of course, in a sandbox, you often don't have many windows open usually

fairly plain wallpaper and the like which then was identified as a sandbox now just

looking at some of the samples that Xavier posted it looks like the script was pretty good

in identifying sandboxes and characterizing

those images. And the FBI, as well as the cybersecurity infrastructure agency SISA, are

noticing an increase in the attacks against older 40Gate VPN gateways.

The vulnerabilities being attacked here are CVE 2020-12, which was patched in July

of last year, and then CVE 2018-13379, which also was patched in May of 2019.

So patches have been available for a while now, and these vulnerabilities have always been

exploited. So this is not really all that new. It does allow an attacker to essentially access credentials for the VPN and then connect

to the VPN as an authenticated user.

So, of course, short solution here, update 40 OS.

...