Hello, welcome to the Monday, May 4th, 2020 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

Last week I mentioned a post by Dede about Malware Bazaar, the site where you can download malicious samples now.

They, of course, encrypt those samples before you download them in order to not trip any kind of anti-malware,

but also to sort of protect the innocent here.

A little problem with the format of encryption they used.

The SIP encrypted files that they're

offering are encrypted using the AES algorithm. Nothing really special about AES, the advanced

encryption standard, very well established and good encryption algorithm. But what it means is

that in Python, the normal SIP file module is not able to decrypt them.

And that affected a lot of DDA's tools, so he's now switching over to Psipper, another

SIP library for Python, and that one is able to deal with AES encrypted files.

And Friday, I mentioned a vulnerability in the infrastructure automation suite salt stack.

Well, I also mentioned that it's probably not that hard to come up with an exploit for this vulnerability.

And sadly, well, I probably underestimated the severity here somewhat because over the weekend,

a number of sites very hit using this vulnerability. One of the most famous examples on a link

to their status page is the ghost blogging platform.

But a number of organizations are reporting active exploitation of this vulnerability and

at least scans for vulnerable systems.

So if you haven't upgraded yet, this is something that you really have to do today

if your salt server is exposed to the Internet.

...