Hello, welcome to the Thursday, March 7th, 2019 edition of the Sansanet Storm Center's Stormcast. My name is Johannes Ulrich.

And I'm recording from San Francisco, California.

Amazing how melspan with resume attachments are still a thing, but my usual rule is if you do see a lot of emails

like it they're probably successful otherwise the bad guys wouldn't waste resources sending them

the latest example that brad looked at used the iced id or borg bot to actually infect the system after the user did open the

vert document and of course enabled macros what I think makes this particular

version so dangerous is Trickbot trickbot is a new payload that's being

downloaded by the malware and it's actually using the Eternal

Plu-Smb-esque exploit.

Now this exploit isn't supposed to work against modern versions of SMB, but we all know

there are still people with SMB version 1 out there and in this case it's going then straight

for the Active directory domain controller once

there of course the bot would have access to all of your infrastructure so in essence all it takes

is one insecure endpoint with a user opening this resume and then of course SMB version one being

enabled to allow Eternal Blue to spread

the malware to your domain controller and I hope in this particular chain of events isn't a

problem for anybody listening to this podcast a type of website that's typically quite dangerous to visit, and most people don't

realize it, are local community websites, like, for example, websites operated by local churches

and the like. The problem here is that they often have been set up years ago using one of the many simple

free content management systems like for example triple of course there will be yet another

exploit for triple and then these websites are sitting ducks because there is really nobody to maintain them.

I have been asked quite frequently by groups like this how to secure their websites better.

...