ISC StormCast for Thursday, February 4th, 2021
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
| 0:00.0 | Hello, welcome to the Thursday, February 4th, 2021 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich. And today I'm recording from Jacksonville, Florida. Ever wonder how opening an Excel spreadsheet may end up launching Cobalt Strike on your system? |
| 0:22.2 | Well, Brad looked at a recent example of a malicious Excel spreadsheet that did exactly that. |
| 0:29.9 | He found it in a sandbox, and the first thing that the macro, of course, does as you launch it, |
| 0:40.4 | is it downloads what Brad believes is the SystemBC malware. SystemBC has been around for about one and a half years or so and has been |
| 0:48.8 | used as a proxy, but in this particular case it also then is being used to download Cobalt Strike, |
| 0:57.0 | but only if you are connected to an Active Directory domain. |
| 1:02.0 | This is behavior that has been spotted before, and for example, with the SolarWinds compromise, |
| 1:09.0 | this kind of behavior was often mentioned. And the idea here apparently |
| 1:14.5 | is that if you are connected to an Active Directory domain, you're first of all less likely a |
| 1:20.6 | sandbox that someone is using for malware analysis. And also, you're more likely part of a larger organization that it may be |
| 1:31.8 | worthwhile to actually probe manually somewhat and possibly deploy some more customized |
| 1:37.9 | ransomware. Of course, Brad's malware analysis system is joined to an Active Directory domain, |
| 1:44.1 | and that's why he was able |
| 1:45.9 | to spot that last part of the infection. And with everybody's eyes still being on SolarWinds, |
| 1:55.1 | SolarWinds did publish an update fixing three vulnerabilities, two of which are rated critical, one in the |
| 2:05.2 | Microsoft message queue, which can lead to remote code execution. Essentially, there is no |
| 2:10.7 | access control being done, plus the messages are then being deserialized in an unsafe manner. So that way you can then trigger a |
| 2:20.8 | deserialization vulnerability for a full remote code execution. We also do have today on Thursday |
| 2:29.6 | at noon Eastern time a Special Lightning Summit scheduled, |
| 2:35.5 | where a few SANS instructors will sort of take their perspective |
| 2:40.0 | on the entire SolarWinds incident. |
| 2:42.9 | So hope to see some of you there; it should be a pretty exciting |
... |

