Hello and welcome to the Monday, August 14, 2023 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Well, let's start with some diaries that came in over the weekend.

Xavier wrote about some Python malver that he found, and this Malver is using an interesting anti-debugging

trick. It uses two Windows API calls Enum Windows and Get Windows text in order to figure out

which windows are currently open on the system, and then what well, what the text associated with these windows is,

telling the attacker what other software you may have running, like, for example, debuggers,

and that's exactly when they will then stop execution.

Moritz-Aprill with Penetration Company, Siss, that published an interesting blog that's also presented at Black Hat last week, that details some weaknesses in Zoom's serotouch provisioning feature.

What Serotouch provisioning really does is that if you are buying Zoom hardware,

so not using your computer for Zoom calls, but a specific dedicated Zoom telephone or

video conferencing system, in that case, you can configure the hardware to automatically

reach out to Zoom and then download

respective configurations. Now, the way this works is that anybody with a license to deploy

these devices is able to register those devices with Zoom, and then you basically just need to provide the Mac address of the device.

When the device then connects to Zoom,

it will just look up the address for its Mac address

and then follow the instructions for provisioning,

which of course may include running commands,

installing firmware, and other things that an attacker could abuse.

So the attacker would just sign up with Zoom, purchase licenses, then deploy a malicious

configuration for devices with Mac addresses that the attacker would like to attack,

...