Hello and welcome to the Monday, May 13, 2024 edition of the Santernat Storm Center's Stormcast.

My name is Johannes Ulrich and today I'm recording from San Diego, California.

The DEA today had a diary with a follow-up to his diary from last week about using NSLuckup in Windows to debug DNS.

And so a little detail that's often overlooked in DNS and that trailing dot at the end of a host name.

A host name contains multiple labels and they're separated by a dot and that trailing dot is actually the root zone.

If you omitted, then it's not necessarily a complete host theme and a DNS suffix may be added in Windows.

You can configure what suffixes may be added. That's typically your

default domain name, the domain name of the network that you are connected to. So a little important

detail, you better don't forget. This is also important if you, for example, ever ended up editing a bind zone file or something

like this and you forgot that training dot then the domain name will be added at the end which

sometimes is what you want but often it then sort of leads to these double domains at the end of

the host name.

And the Cybersecurity Infrastructure Security Agency CISA published Joint Advisor is part of the Stop Ransaver effort regarding BlackBasta.

BlackBasta has recently been seen attacking health care providers in particular.

What's to me always the most interesting here is the initial access vector.

In this case, spare fishing quagbot often delivered via spare fishing.

Quackbott, of course, being far from a new Malware family,

and then also as of February, this group is exploiting the connectwise vulnerability.

In some cases, they're also exploiting valid credentials, meaning essentially credential stuffing, so credentials they found

somewhere else, and of course, multi-factor authentication would be a good way to prevent some of

these attacks.

The advisory certainly makes a worthwhile read and should give you some ideas as to how to

...