Hello, welcome to the Tuesday, June 21st, 2022 edition of the Sands and its Storm Center's Stormcast. My name is Johannes Ulrich, and today I am recording from Jacksonville, Florida.

Today's diary, I wrote up a suricata alert that I sort of caught my eye recently, and it's about a TCP option with invalid

length.

Truth being told, not really sure what this is all about, how bad it is, or what the attacker,

if it is an attacker, is trying to accomplish here, the symptom really comes down to

that it's SIM packets with an invalid short TCP

fast open option. The purpose of TCP fast open in short is to make TCP more efficient by

being able to send data on sin and have it processed right away if multiple connections are opened by a

particular client to a particular server. But in this case, the option is certainly used

incorrectly. Not really sure what the effect would be, there are other indications in the packet

that it is likely spoofed.

Just looking for input here.

If anybody has seen something similar, maybe anybody has seen outbound traffic like this,

it could be fingerprinting, could be some attempt at a denial of service,

or it could just be a defective TCP stack sending out these packets.

So let me know if you have any ideas what is all about.

And sample PCAP is also included with the diary post. Well, remember petted pottom, the Intelm,

really attack. We now have sort of a little variation of that. Yet another way

to exploit this basic vulnerability. So yet another reason to disable NTLM on your domain

controllers and extending extended protection for authentication and signing features.

This new variety of the attack was documented by Philip Tragovich,

and he used the Microsoft distributed file system in order to launch the attack.

...