Hello, welcome to the Thursday, October 22nd, 2020 edition of the Sandstone Storm Center's Stormcast. My name is Johannes Ulrich, and that I'm recording from Jacksonville, Florida.

Our handler, Daniel, has been tracking some fairly peculiar, malicious emails. Now, they come in the form of, well, it looks sort of like

a shipping notice. Many of them are in all caps and attempt to impersonate logistics or

shipping a company that actually exists. So that's usually used as the from address. Also,

a couple of sort of details within these

emails appear to be correct or somewhat legitimate, like, for example, the name of particular

ships that are being mentioned in these emails, as well as sort of the ports that these

ships frequent. Also, it's interesting that these emails are typically sent on weekdays from 2 to 4 AM UTC,

which Daniels suggest may indicate that these emails were sent in the morning in Bangkok,

Shanghai, sort of these time zones, but a lot of the mail servers being used are located in Malaysia,

and of course, a sort of globally distributed set of mail servers.

Otherwise, the attachment that comes with these emails typically is ancient Tesla, so that's

spyware that typically does exfiltrate stolen data via HTTP or over email.

Now, the email here uses SMTP over TLS or SMTPs on port 587 TCP.

And the NSA released a report this week of the exploits being known by Chinese state-sponsored

actors. Another name for the report may have been that, well, Chinese state-sponsored actors

are using the same vulnerabilities that everybody else is using. And of course,

Wal-a-Blis we have talked about here at LinkedIn this year,

like for example, all these perimeter security devices that I keep talking about,

Pulse Secure VPN, F5 Big IP, Citrix, ADC,

ADC vulnerabilities, and then of course the standard set of sort of client side of vulnerabilities as well.

But maybe you can take a look at the report and double check your organization for these

...