ISC StormCast for Thursday, September 24th 2020
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
4.9 • 754 Ratings
🗓️ 24 September 2020
⏱️ 6 minutes
🧾️ Download transcript
Summary
Transcript
Click on a timestamp to play from that location
| 0:00.0 | Hello, welcome to the Thursday, September 24th, 2020 edition of the Sandcent Storm Center's Stormcast. My name is Johannes Ulrich, and today I am recording from Jacksonville, Florida. |
| 0:13.9 | Xavier was out hunting again and is sharing with us, well, what he brought back home. One item was an interesting, malicious word document. |
| 0:24.6 | What was sort of special about this word document was not just that it, well, installed |
| 0:29.6 | PowerShell on the machine. |
| 0:31.6 | It also updated itself with content pulled from a website. The idea here is that after the user opens the document and of course provides it with access to run macros, |
| 0:45.3 | the content of the document will be updated with content that's appropriate for the victim's environment. |
| 0:59.1 | So, for example, it could download content in a particular language, |
| 1:01.5 | which is the preferred language of the victim, |
| 1:08.0 | or maybe something that's related to the particular victim's business or industry. |
| 1:13.5 | This, of course, will make it less likely that a victim will report this malicious document to the security team. They're more likely going to believe that this was a legitimate |
| 1:20.3 | document. Well, and are you done patching all of your Windows systems for CVE 2020, 2014-72, the famous |
| 1:30.3 | zero log-on flaw and probably planning to take the rest of the week off because there's |
| 1:36.0 | nothing else to do? |
| 1:37.0 | Well, you may need to reconsider. |
| 1:39.8 | Turns out that Samba, the open source implementation of the Windows protocol, may be vulnerable as well. |
| 1:48.1 | Samba is implementing as part of its suite, the Netlog-on remote protocol, which of course is |
| 1:54.2 | the vulnerable protocol here. Now, turns out that back in version 4.8, which was released over two years ago in March of 2018, |
| 2:05.6 | the default setting for the log-on part was fixed to use a secure net logon channel. |
| 2:14.6 | The setting for this is server s channel equals yes, so that's based |
| 2:19.5 | a change that was made back then. But if you for whatever reason change this setting, then |
| 2:26.2 | you are vulnerable. Now in addition, Samba did release an updated version of Samba version version 410-18, if you're still running the |
| 2:37.9 | 410 branch, up to version 4127, if you're on the newer 412 branch. |
... |
Please login to see the full transcript.
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
Copyright © Tapesearch 2026.