Hello, welcome to the Monday, May 14th, 2018 edition of the Sansanet Stormsendors Stormcast.

My name is Johannes Orich, and today I'm recording from Jackstville, Florida.

Friday, Ramco wrote about some traffic that he saw hitting his honeypots.

Now, the traffic looks very much like command control traffic from the

NJ RAT tool. Now typically you wouldn't really expect a honeypot to receive

traffic like this unless you happen to inherit the IP address of a command and

control server. What appears to be a little bit different here is that three IP addresses

in China are scanning the internet essentially using this type of traffic. Not sure if they're trying

to find command control servers or if they're looking for infected systems, probably more the former than the later.

Now, some strings in this traffic implicate North Korea.

However, that appears really just to throw off investigators, potentially.

It's kind of almost too obvious to be actual North Korean traffic.

The IP addresses are consecutive, so there are three different consecutive IP addresses

that are scanning for this.

Web servers running on these IP addresses, identifying them as part of the

Y-Team Network Security Team, that according again to that website focuses on

internet-wide network attacks.

And Argentinian security researcher Alfredo Ortega published a brief video on Twitter showing

a possible vulnerability in the popular messaging application signal.

Signal of course is in particular used as an encrypted and secure messaging application.

And so far, this could potentially be a pretty big deal.

What it shows looks very much like cross-site scripting.

...