meta_pixel
Tapesearch Logo
Log in
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Thursday, September 23rd, 2021

SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS ISC Handlers

Tech News, News, Technology

4.9696 Ratings

🗓️ 23 September 2021

⏱️ 7 minutes

🔗️ Recording | iTunes | RSS

🧾️ Download transcript

Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. Obfuscated MSHTML Exploits; Exchange Autodiscovery Leak; Nagios Vuln; Apple SDK Removes TLS1.0/1.1

Transcript

Click on a timestamp to play from that location

0:00.0

Hello, welcome to the Thursday, September 23rd, 2021 edition of the Sansonet Storm Center's Stormcast.

0:08.5

My name is Johannes Ulrich.

0:10.1

And today I'm recording from Jacksonville, Florida.

0:14.6

The today has yet another document for you that attempts to exploit CVE 2021-4044 for the recently patched MSHTML vulnerability.

0:27.6

In this case, however, the attacker went to extra mile and added some additional obfuscation

0:34.6

scripts. Of course, no problem for DDI.

0:37.8

He has just the Python script for you in order to take care of this obfuscation.

0:44.3

The document itself, like I said, is a Word document.

0:47.3

Of course, Word documents are SIP files that contain XML documents, and XML may use use entities and you've probably all seen them

0:58.1

in HTML, where you have an ampersand and then a character code.

1:03.8

That's exactly what happened here.

1:05.6

The attacker is taking advantage of these numeric character references or entities in order to further obfuscate the document.

1:15.6

DDA has his numbers to string script that will convert this and then again make it very easy for you to actually extract the malicious URLs. One interesting side note here from

1:30.4

DDA is about the creation of the document. When you unsip it, you get current timestamps.

1:37.1

Now, typically in office documents, those timestamps are set to January 1st, 1980. Not so in this case, according to D.D., that's a pretty good sign that probably this started

1:49.1

out as a normal office document, but then one of those exploit tools that have been released

1:56.8

that take an office document and add the exploit to it were used in order to modify these files.

2:04.6

Also supporting this is that the timestamp is, well, just September 16th,

2:09.3

which is about the day when these exploit tools were released, so probably someone couldn't

2:14.8

help themselves and applied them to this document. And if you ever

2:20.2

connected an email client to an exchange server, you may have gone through the auto-discover feature.

2:28.0

You essentially give the email client your email address and your password, and it'll magically configure everything for you.

...

Please login to see the full transcript.

Previous episode | Next episode

Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.

Copyright © Tapesearch 2025.