Hello, welcome to the Monday, August 16, 2021 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich and I'm recording from Sevalde, Germany.

Guy this weekend took a look at some attacks that he observed against his honeypot,

hitting an e-discovery endpoint for exchange.

Now, this particular endpoint can sometimes be used to retrieve messages if this feature is

enabled and not properly secured. So no authentication may be required in this case. It's, I actually don't think

the particular CVE that Ghee suggests here that they are after, but that particular vulnerability

was patched just around the time when Gie first saw these scans starting. So there may be some

relationship here between that particular patch Tuesdays, patches and these scans. The scans are

originating from one particular network at Digital Ocean and that network is actually used by a group that identifies itself

as trying to identify organizations exposed services.

They're going by the name of stratoid.com, but don't really know much about that particular

company or organization.

And on Friday, we got yet another great walkthrough by Pratt through the latest version of Danabot.

Danabot is an infest dealer.

It's going after banking information typically.

And in this particular case, Pratt is walking you through how to analyze a Danabot infection that was triggered

originally by a malicious email. And we got a really interesting paper by several researchers

from the University of Maryland and the University of Colorado Boulder,

they looked at amplification attacks that could be caused by middle boxes.

Middle boxes are often thought of as proxies, but often they are actually not proxies in the

original sense, but really sort of more deep inspection firewalls,

...