Hello, welcome to the Monday, May 23, 2020 edition of the Sands and at Storms Centers Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Xavier ran into an interesting piece of malware that bypassed security stack and was luckily reported by the end user.

Now, the big question, of course, was why did the malware make it so far,

given that this particular end user was protected by several layers of different tools

that are commonly used to find malware like this.

And the malware itself was sort of well-known.

At least it was a well-known family of malware

and should have been detected.

But in this particular case,

the hacker played an interesting and very simple trick, actually, by embedding a

sip bomb into the binary. Sip bombs are short files that are construct in such a way that once

they're being decompressed, they become very large. Now, in some cases, they can be terabytes

in size. In this case, it was just 400

megabytes after expanding the file, but this was big enough in order to prevent an analysis

of the file. Overall, the original SIP archive was only 2 megabyte in size, which is certainly within range of what

you typically see for malicious attachments. Xavier's diary does cover how he went about analyzing

this particular sample and how he was able to figure out that it was one of these zip bombs.

So take a look if you want to know more details.

And Cisco patched an issue in its iOS XR software that's well related to the Health Check feature.

The problem here is that health check does implement

a Redis database and this Redis database is exposed to the world by default by opening TCP port

...