Hello, welcome to the Thursday, May 25th, 2017 edition of the Sands and at Storm Center's Stormcast.

My name is Johannes Ulrich.

I'm recording from Jacksonville, Florida.

Wanna Cry, of course, turned ransomware into big news, but we still have regular ransomware going around just like before. We do have a write-up here by

Brad for what he calls the Jaff ransomware and how it changed recently. Jaff actually makes the

victim work to get infected. It arrives as a PDF. The victim first has to then agree to open a Word document that's embedded

in the PDF and then start Word macros. The rest is standard technique. It then downloads

the encryptor and encrypts your file. Now it's called Jaff Ransomware because that was the extension it used so far.

But one of the things that changed recently was the extension. It's now WLU. The ransom also is

quite substantial. It's a 0.3 Bitcoin about, which comes down to about $800. Not sure if that's just because they're not

keeping up with the rise in Bitcoin price, but that's more than you typically see being charged

for ransomware. And as usual, Pratt is providing a long list of indicators of compromise.

This particular ransomware is distributed via email and in the samples that he looked at arrived as an invoice.

And that's also reflected in the subject of the email.

And the commercial open VPN access server apparently suffers from a

session fixation and HTTP response splitting vulnerability. Now this is an interesting and very

dangerous combination. In itself, session fixation vulnerabilities tend to be difficult to exploit,

in particular if a cookie is used to track the session ID unless there's also an HTTP response putting vulnerability that

can be used to inject headers into the response. And that's exactly what's happening here

with the OpenVPN Access Server.

The OpenVPN Access Server is a web-based admin interface for OpenVPN, and using this

vulnerability, it would be possible for an attacker to obtain credentials for this access server,

...