SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Sunday, August 1st, 2021


SANS ISC Handlers

Tech News, News, Technology


🗓️ 1 August 2021

⏱️ 5 minutes


Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. .reg malware; excessive Exchange permissions (patched); Node.js patch.

Transcript


0:00.0

Hello, welcome to the Monday, August 2, 2021 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, and today I'm recording from Jacksonville, Florida. I'm about to travel, so I'm recording this a little bit early. And remember that we have the contest going.

0:21.6

So before I announce any of my August locations, you may want to get your entry in.

0:29.9

Xavier ran into some interesting malware that actually used a registry file in order to trick the user into executing the malware. Registry files

0:40.5

themselves are not executable really, but what they can do is they can modify registry keys,

0:48.4

including, like in this example, the RunOnce key, that will then execute the actual code. In this case, it's a PowerShell script

0:58.1

that will download and execute additional malware. Also sort of interesting here: the actual

1:04.5

malware is hosted on the Discord CDN. Discord, of course, is yet another chat application. And all of these applications, of course, have some kind of file storage. And that's what's being abused here. Now, why don't we see more malware that takes advantage of this trick? After all, .reg files are not often flagged as malicious. Well, if you click on it,

1:31.5

you will get a fairly prominent warning that what you're going to do is you're going to

1:36.5

change the registry, and you'll be asked to confirm that that's what you actually want to do.

1:43.8

So that may scare users sufficiently to not necessarily allow it.

1:49.0

And we've got some interesting details from James Forshaw at Google regarding

1:55.0

a vulnerability that affected Windows systems that had Exchange installed.

2:00.0

These issues were fixed with the July update,

2:04.9

but there are some interesting details here that you should be aware of. So, first of all,

2:09.7

the main problem here is when you installed Exchange on a system, Exchange did modify the

2:17.4

Active Directory schema with a ton of additional

2:20.3

classes, which essentially allowed any user to create accounts and more, essentially compromising the

2:29.7

domain. So the vulnerability was patched. The reason I want to mention it is that these changes to the

2:36.6

Active Directory schema, they're not undone if you're uninstalling Exchange. So if you installed

2:44.5

Exchange on a system, maybe experimented with it, and then later removed Exchange again, that's exactly when you may have problems.

2:53.6

You may not consider that patch as really important,

2:57.6

but definitely make sure that all systems are fixed,

...


Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.

Copyright © Tapesearch 2025.