Hello, welcome to the Tuesday, May 19th, 2020 edition of the Sans and it's Storm Center's

Stormcast. My name is Johannes Ulrich. And then I'm recording from Jacksonville, Florida.

DDA did an interesting test, creating a SIP file with two malicious files. First of all, the ACAR signature, which is just the

signature used to debug antivirus, and secondly with the well-known tool mimicats. And then

he ran it through various antivirus engines and actually also uploaded to Virus Total.

And it turned out that it's a little bit hit and miss which signature triggers.

Most tools just sort of looking at it quickly seem to trigger actually on the ACAR signature,

which I believe also showed up first.

And it's a very typical behavior that we also have like a network inclusion detection where whatever signature triggers first is the one

that really matters, that then creates the alert. Of course, the trick here is that yes,

you know the file is potentially malicious, but seeing the ACAR signature

trigger, do you think, hey, this may just have been a antivirus test file or such, maybe from a

born-a-blis scan or a pen test, and you may ignore it, not notice that there's actually additional

more malicious payloads lurking in the same file.

And yesterday I mentioned how Edison Mail for iOS did mix up users or give users access

to other users' accounts. Well, looks like Edison Mail wasn't the only one this weekend to mix up users.

Outlook 365 apparently had a problem as well.

Now, doesn't look quite as severe as Edison Mail, but still, if you did perform searches on your Outlook 365 account, you may have retrieved data from other organizations,

Outlook 365 accounts. So interesting, but not sure exactly how widespread it was,

appears to have affected only a few users according to Microsoft, but really not a lot published

about the exact extent of this problem. And a couple of years ago, Apple introduced magic pairing

for Bluetooth devices that use Apple's proprietary chips.

...