Hello, welcome to the Thursday, December 23rd, 2021 edition of the Sansonet Storms, Stormcast. My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

It's a brief podcast today. And, well, first of all, we do have a solution to our December Forensics Challenge, Brad Post's solution, and congratulations to our lucky winner who has been notified.

And of course, thanks to everybody who participated in this challenge.

And if you participated and wondered if you got it right, well, just

check Brad's solution that he posted. And remember back in September, one of the Microsoft

patch Tuesday patches that got us excited was, well, CVE 2021, 44444. It had a CVSS score of 8.8 and it was a remote code

execution flaw in MSHtml. This particular vulnerability has been heavily exploited and it relied on

the use of Microsoft cabinet or dot cap files. However, since then,

turns out that there is a bypass for the patch if a specifically crafted RAR file is delivered

instead and apparently this is now being exploited.

Apparently it's being used as part of a forum book, Malware campaign and well, that's

sort of a somewhat run-of-the-mill kind of Malware campaign.

So given that they're using it, the more sophisticated attackers have certainly taken notice.

However, they only apparently used it

for a short amount of time. And one problem with this modified RAR format may be that older

versions of the WynRRR utility are actually not able to open these files. So if you're still running old Winner Are,

then of course the attack will not work.

In particular, of course, these type of attacks

that go sort of after mass users,

they usually rely on old software running on systems

and are less successful and probably not

...