Hello, welcome to the Monday, June 6, 2020 edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

On Friday, we got a diary by Ksavi illustrating an interesting trick how sometimes sandboxes may be evaded.

Now, a lot of Malware defenses these days do rely on sandboxes.

So once a suspicious file is received, it's being copied to the sandbox and then executed,

and then some automatic mechanism is looking for behavior that indicates that the sample is malicious.

But quite often as the sample is being executed, the name of the file is changed.

This is done also in part to protect the sandbox from odd file names.

But what Xavier found was that the samples that

he looked into sometimes are actually checking if they still retained their original

file name. And if they can't find their original file name, they will refuse to run. This is a little

bit like trying to detect if you're running in a virtual machine or in a debugger,

but of course there are so many different sandbox technologies out there,

instead of implementing detection techniques for every single one.

This is a little bit more generic and apparently works quite well.

Last week, I mentioned new vulnerability in Adelation's Confluence product.

On Friday, Alation did release a patch and, well, not too early.

There is also an exploit available.

Rapid 7 has a pretty good write-up with a lot of

details that help create exploits. Also, there have been multiple sidings already of the

exploit being used against at least honeypots. I just looked as I started recording and seeing a couple hits with an exploit against

our Honeypot network from Saturday. So time is running out to apply the patch. It's probably

...