Hello, welcome to the Thursday, November 2, 2020, 23 edition of the Sans and its Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

The bad guys are never shy to try out a new file format if they figure it allows them to bypass some kind of protection

mechanism. The latest example is a file format known by extension as CPAC and the idea behind

this file format, the legitimate idea is that it's an append only archive. So you can

essentially add various versions to the archive and with that then also sort of roll back, basically

the state of the archive. But that's actually not what the attacker is interested in here.

They're really just looking into bypassing the standard detection mechanisms by using a file format that's not quite that common.

Well, easy enough, I think, to block the .cpaq extension in whatever mail filters, web filters and such you have.

Haven't really seen this being used legitimately.

The file that Xavier is describing here is also very large once it is unpacked, which of course, then also as

discussed earlier this week, does sometimes help in bypassing security controls. And as a reminder

as of today, CVSS version 4.0 is official. Pretty sure we'll see 3.1 and such around for a while longer.

Just as people switch over to 4.0. A couple advantages of 4.0 is sort of some cleanup in a language,

but also, for example, better distinguishing between passive active user interaction and a couple

things that should make the CVSS score more telling.

Of course, there is still a lot of sort of flexibility as we have seen in the past and how

these particular categories are then going to be applied.

It looks like someone pulled the plug on the Mosey. categories are then going to be applied.

It looks like someone pulled the plug on the Mosey botnet.

Now, we have in the past, of course, seen law enforcement do similar things.

This does not appear to be a publicly announced law enforcement action.

...