Hello, welcome to the Monday, August 28, 2023 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Well, when it comes to covert channels, there's probably no protocol that hasn't been attempted yet at some

point to be used as a covert channel. I always say it's easy to find a covert channel

if you know what to look for. The latest example is a command control communication that

Xavier ran into in some malware that may have been more intended sort of as a test.

But what's sort of interesting and unique about this malware is that it actually uses Postgres,

the database, for command and control.

The attacker apparently set up a Postgres database, and then the Malver will base just send SQL commands back to that database in order to exchange information or look for new commands.

This could go undetected in a network that's using Postgres routinely.

Of course, even if you do use Postgres routinely, this should still raise alerts

because this traffic does not appear to be encrypted.

And database traffic, SQL traffic should never really be sent in the clear.

And of course, when you are looking for covert channels,

definitely do not stop with signatures for known covert channels, but look for anomalies.

And then we also got some tips for macOS users from Xavier when it comes to identifying the owner of network connections.

And in general, looking more in depth into network connections, well, two commands here

that you should keep in mind.

The obvious and pretty well-known one, I think, is LSOF, typically used for files, but definitely can also be used for

network connections. And then a second one that's not as well known nettop. Nettop as the name

implies is like a top for network connections, like the good old sort of command line top program, and Netop will

list all network connections, including associated processes, and it can be made to sort of

...