meta_pixel
Tapesearch Logo
Log in
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Thursday, February 25th, 2021

SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS ISC Handlers

News, Tech News

4.9754 Ratings

🗓️ 25 February 2021

⏱️ 5 minutes

🔗️ Recording | iTunes | RSS

🧾️ Download transcript

Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. GuLoader/Remcos RAT; vCenter RCE PoC; CNAME Tracking; Cisco MSO Vuln;

Transcript

Click on a timestamp to play from that location

0:00.0

Hello, welcome to the Thursday, February 25th, 2021 edition of the Sandcent Storm Center's Stormcast. My name is Johannes Ulrich.

0:09.8

And I'm recording from Jacksonville, Florida. These last two weeks, we had a number of high-profile

0:17.1

takedowns of Malware groups, like, for example, Emotet, but you probably noticed

0:23.3

there's still plenty of malware arriving in your inboxes, and Brad took a look at a recent

0:31.4

sample. What he found was G.U. Loader. Now, this sample arrived in an email that claimed to come from Lowe's Canada.

0:42.8

And looks like the attacker here went through the lengths to actually register a domain

0:48.9

to impersonate this home improvement chain Lz-ca.org.

0:56.2

Did hatchment?

0:57.0

Well, it was a word document masquerading a little bit as an Excel file, and for a change,

1:03.3

it actually did not rely on macros in order to execute the malicious code.

1:18.1

Instead, it used an older vulnerability, CVE 2017, 11882, so approximately four-year-old vulnerability that will then execute the malicious code and download

1:26.6

GEO loader. Geoloader itself then, of course, can do whatever it wants, once it execute the malicious code and download GULTER.

1:28.3

Geoloader itself then of course can do whatever it wants once it's installed.

1:32.3

In this case it ended up installing Remco's RAT, the remote admin tool that then provides the attacker with persistent access to the compromised system. So any system that was patched within the last

1:47.6

three to four years should be safe from this particular attachment. And remember yesterday I

1:55.4

talked about a patch for VMware V-Center and told you you better update quickly. Well, I hope you followed the

2:03.6

advice because proof of concept exploit is available and additional details about this particular

2:11.3

vulnerability. Researcher Mikhail Kaczynikov, who originally discovered the vulnerability

2:17.4

and reported it to Vienbeer,

2:20.7

did publish a blog post with quite a bit of technical detail after a proof-of-concept remote code

2:27.7

execution exploit for this vulnerability was made publicly available. Exploitation is also not really all that difficult.

2:36.1

The root problem here is an unauthenticated file upload via a Rest API.

...

Please login to see the full transcript.

Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.

Copyright © Tapesearch 2026.