Hello and welcome to the Thursday, April 18, 2024 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Washington, D.C.

In diaries today, we got a neat, malicious PDF that Xavier took apart, and he explains a little bit about how these type of

PDFs work. You probably have seen it. It looks like a blurred document with a clickable

button and then once you click on the button it will download the malicious file in this case

a zip file that turns out to be agent Tesla.

Xavier explains how to identify the URL that you're actually being clicking on,

and also how this annotation feature works,

that attackers are taking advantage here of in order to create these particular PDFs.

The reason behind these PDFs is twofold. First of all, the PDF itself is not really malicious.

It just includes a link to this malicious file.

Secondly, by using a PDF, instead of doing this, for example, as an HTML email,

the particular attack looks more plausible for a user to click on, and also is somewhat more

difficult to identify for various defensive software. And then just a quick update here on the Palo Alto issue. Palo Alto now states that

disabling telemetry is no longer considered sufficient in order to block the attacks.

Palo Alto did come up with new threat prevention rules, but in order to apply them, you do need to subscribe to the threat

prevention for your particular system. The patch works. It's really just the mitigation of turning

off telemetry that is no longer considered sufficient. And it sort of makes sense if you think about

it that the directory traversal in the code that is no longer considered sufficient. And it sort of makes sense if you think about it,

that the directory traversal in the cookie,

in the session ID,

really allows an attacker to write arbitrary files to the file system.

...