Hello, welcome to the Tuesday, April 13th, 2021 edition of the Sandstone Storms, Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

Did he and his post today took apart a piece of malware, actually the traffic collected from that Malver that Brad posted to his collection

of Malver traffic. The interesting thing about this particular sample was that it included

Cobalt strike traffic that was not encrypted. Usually Cobalt Strike traffic should be encrypted with AS, but well, if you're using the

trial version as this is what may have happened here, the traffic is not encrypted, and

it gives an easy simple insight into how the Cobalt Strike Beacon and Command Control traffic

works. So D.D.A walks you through some of that and also how to decode some of this traffic.

And given Cobalt Strikes capabilities, it's very likely that a less sophisticated attack,

or it doesn't want to pay the money to purchase Cobalt Strike or find a leaked version of the software,

will use the unencrypted trial version because, well, better to have an unencrypted command control channel than no command control

channel at all.

And Cisco published an interesting field notice.

Now, field notices are not security vulnerabilities, but since it does affect the ASA

5506 series security appliances, I consider it sort of security relevant. The problem here is

that after 3.2 years of uptime, these appliances will fail due to an SSD disk bug. The problem

is actually 100 million seconds, so 3.2 years translates roughly 200 million

seconds. Once you reach that many seconds of uptime, the SSD will fail. This is not just for

these Cisco uplines. Similar bugs were reported, for example, for some servers

that use the same type of SSD,

and firmware update to the SSD will fix it.

...