Hello and welcome to the Monday, March 25th, 2004 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida. 1768.P.I is a tool that the DDA developed quite a while ago to analyze cobalt strike beacons.

1768, by the way, is the melting point of cobalt, which led to the name of the tool.

It's not that year 1768 or so was special in any way.

Well, this tool keeps evolving as cobalt strike beacons keep evolving.

The latest update that DDA wrote about this weekend is what DDA calls experimental mode.

A recent sample that DDA looked at did use alternative data structures in order to store the

runtime configuration. That caused the old tool to crash. Well, this new tool in experimental mode

now does support this alternative configuration option. So hopefully that'll work.

Of course, D.D.A. is surely happy to hear if you are able to use this tool successfully.

For example, you will be able to extract, for example, the URLs it's connecting to and such.

It's really, really handy, in particular if you're dealing with incident

response and a cobalt strike beacon was used. And then you've got an interesting paper by

researchers from the Helmholtz Center for Information Security in Germany with details regarding

a new UDP-based application layer loop denial-of-service attack.

Now, these type of UDP-based amplification attacks have been around for a while.

We have seen them a lot being abused, for example, for DNS with some of these amplified attacks.

Traditionally, these attacks have used a small packet to trigger one large response,

in some cases several large responses.

Now, the new thing here is that we are actually dealing with a loop.

The way this particular attack works is that an attacker would spoof a packet to a vulnerable

service.

That vulnerable service will respond, and that response to an actual existing system will trigger

...