Hello, welcome to the Monday, January 25th, 2021 edition of the Sansonet Storm Center's

Stormcast. My name is Johannes Ulrich. And today I'm recording from Jacksonville, Florida.

Xavier looked at malicious JNLP files. Now JNLP files, short for Java Network launching protocol files, are essentially

simple XML files that help you launch a Java applet. I don't really see them used a lot

in the wild, probably the most common time when I run into them legitimately is some

of these annoying older remote admin interfaces for servers and the like, where you download

a JNLP file in order to get a remote console access.

But of course, these less common files are often a target of attacks, in particular,

they're a little bit more targeted and sophisticated hackers, because, well, they may know

that you do have Java installed on your workstations, in particular if you need to access,

for example, these server remote interfaces, and as a

result, you may be a possible victim here.

In Xavier's case, it was actually a very simple downloader, so just getting past the first hurdle,

it downloaded malicious binary and then executed it.

Personally, I don't think I've ever run into a legitimate

GNLP file that arrived as an attachment to an email. Also, when you're downloading them

using a browser to connect to one of those server admin interfaces, it's usually coming from

an internal system. You hardly ever sort of do that

and probably shouldn't really use that connection method over the public internet. And Sonic Wall

took the unusual step to notify the public this weekend of a critical vulnerability in its SMA 100 series and

Net Extender VPN client version 10 products.

The urgency of this notice came from the vulnerability actually being used to breach Sonic Wall itself, which well, of course,

...