ISC StormCast for Thursday, October 15th 2020
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
4.9 • 754 Ratings
🗓️ 15 October 2020
⏱️ 6 minutes
🧾️ Download transcript
Summary
Transcript
Click on a timestamp to play from that location
| 0:00.0 | Hello, welcome to the Thursday, October 15th, 2020 edition of the Sandcent Storm Center's Stormcast. My name is Johannes Ulrich. |
| 0:09.5 | And then I'm recording from Jacksonville, Florida. Brad, today gave us an update on what's going on with Shad Hack or TA551. |
| 0:20.7 | This is Malbert that typically arrives as a... with Shadhack or TA551. |
| 0:20.9 | This is Malbreda typically arrives as a password-protected zip file, and then in the email, |
| 0:29.6 | you do get the password for this zip file. |
| 0:33.0 | Now, once un-sipped, you'll see a Word document that then, of course, turns out to be malicious. |
| 0:40.1 | The passwords differ for each email, which of course makes it a little bit more difficult for anti-malver to take these attachments apart. |
| 0:49.3 | And encrypted zip files have actually become somewhat common in order to prevent data leakage in |
| 0:56.5 | some organizations. Of course, if you're trying to prevent data leakage, then don't include |
| 1:02.5 | the password in the email, but this may explain why people are falling for this and actually |
| 1:08.4 | are opening these emails. Brad states that he sees this particular |
| 1:13.5 | campaign mostly target non-English speakers, but in his environment, most of the English speakers |
| 1:20.4 | actually fell for this particular attack. Other than that, the particular malware still behaves pretty much like it |
| 1:28.6 | back in August when Brad was talking about that this one last. It opens a word document, |
| 1:36.5 | then it retrieves additional malware from a URL that ends in dot CAB. This is then a DLL that's the installer and it installs |
| 1:47.3 | more matter, which well in this case was Iced ID or Bockbot. And just a couple of updates |
| 1:55.3 | for Microsoft's patch Tuesday. Some one interesting tweet that pointed out that the two SharePoint vulnerabilities that allow remote code execution are probably actually the ones that you really should worry about in this set. |
| 2:09.4 | I actually tend to agree somewhat. |
| 2:12.2 | CVE 2020 16951 as well as 169522. Now, as far as my favorite goes, the ICMPV6 vulnerability about the corrupt |
| 2:25.8 | router advertisements haven't seen any proof-of-concent exploits yet. There's a fairly obvious fake |
| 2:33.4 | exploit going around. It's really just meant to sort of trick |
| 2:36.6 | script kitties that like to basically download random proof of concept exploits. Snort or Cisco has come up |
... |
Please login to see the full transcript.
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
Copyright © Tapesearch 2026.