Hello and welcome to the Tuesday, April 9th, 2024 edition of the Sandsenet Storm Center's Stormcast. My name is Johannes Ulrich and today I'm recording from London, England.

In today's diary, we got a nice case study by one of our undergraduate interns looking at how the threat hunting team and the security

operation teams can work together in order to analyze activity and find potential compromises.

In this particular case, I think one of the important lessons to me at least is how important

it is to really close the loop when it comes to threat intel,

where the threat hunting team looks for the anomalies, find something, hands it over to secure the operations team that can then dive in deeper, figure out what exactly happens,

and then again feed that information back to the

threat hunt team to hopefully find new and exciting compromises. Well, maybe not that exciting,

and also, as in this case, find them in time before any significant damage happens.

Interesting little case study, and certainly thanks to Nathaniel Jakuts for contributing

this article.

And then we have, well, yet again, problems with new top-level domains.

This time it's the plus top level domain. Someone registered the domain

name Notepad. Plus and is using it now apparently to sort of impersonate the website for

the famous editor Notepad Plus Plus. This is currently not obviously malicious if you're going to Notepad.

Plus, you're going to be redirected to the official Notepad++ website.

But that, of course, could change at any time.

And it's possible that this initial redirection

is really sort of more a confidence builder where the bad actors, if they have in the end,

bad intention, are going to use traffic that's currently going through their site to either

profile visitors, maybe redirect

some of these visitors to a malicious site, or maybe just trying to establish some history,

...