Hello, welcome to the Tuesday, December 7, 2021 edition of the Sansonet Stormers Stormcast. My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida. Good reminder from Xavier today based on a recent tweet

to be careful in your instant handling procedure to use out-of-band communication.

The particular incident that Xavier is referring to is a tweet by an unknown person that showed

a screenshot of an organization's Slack channel as they were analyzing a Ragnar Locker infestation.

It appears the attacker was able to access a workstation used as part of the incident response

team via RDP. And as a result, of course, they were able to stay ahead, step of the instant response team as they were able

to monitor their communication. Setting up a communication to be used during an instant like this

is not trivial and something of course that requires some advanced planning. You should consider

all systems that are connected to the corporate network

or have been connected to the corporate network recently compromised. So often what you're left

with is essentially, well, good old phone calls to each other, maybe actually get into the same

room and talk to each other in person or maybe set up some

kind of conference call bridge that's not part of the usual infrastructure used by the organization

because a lot of these conference call systems have some kind of web-based interface or whatever

that may have been accessed using a

compromise system so attackers may have access to things like access pins. If you do set up

conference calls, also make sure that individuals who join the call are identifying themselves.

And talking about ransomware, one of the last lines of defense, typically when you're dealing

with Ransomber, is backups.

So it's somewhat timely that Kasea released a critical update to its Unit Rends,

a backup blinds, before version 1055.

...