Hello and welcome to the Monday, May 1st, 2023 edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich and today I am recording from Jacksonville, Florida.

Let's start with Diaries from this weekend.

We got one on Friday from Xavier about doing a quick indicator of compromise scan

using Docker. The tool that Xavier actually uses here is Locky. It's a free version of

the Tor scanner. While Locker is usually just installed on a Windows system, it's a Python script,

so you don't really need

Windows for it. And Xavier walks you through the process of setting up the Docker container

with Lockhe and then doing a scan with it.

In the second diary over the weekend, we had the D.D.Edy write about how to de-obuscate scripts?

In this particular case, JavaScript that was using UTF-16 encoding.

In this case, the trick was really just to remove the sort of non-asky, the non-translatable characters,

and D.D.A. walks you through how to do this,

and how he then figured out what kind of malware it is,

and also what it used for its particular command and control server.

And if you are using an email address that is provided to you by AT&T or one of its other

companies like SPC Global.net and such are other domains that may be affected by this, well,

your email account may have been compromised due to a bug in AT&T's email system.

The root cause here was that attackers were able to set up special authentication keys for any user without properly authenticating.

You may have run through a procedure like this yourself,

where you do have an email account that requires two-factor authentication,

and in order to allow a legacy email client to connect to this email account,

...