Hello and welcome to the Tuesday, November 15th, 2020 edition of the Sands and its Storms anders Stormcast. My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Jesse posted a quick diary with a Python script that he actually wrote to analyze some Connect attempts for his

Honeypot. Now, the Connect HP method is typically used by proxies in order to forward and

requests to a different web servers. And proxies are always sort of a hot target for these

internet-wide scans that we typically see in our honeypots. Now often they don't actually

bother with the connect method. Many proxies, often called transparent proxies, will forward

requests just based on the host name. But what Jesse saw is

he saw a significant increase in the number of connect requests. And summarized some of this

activity. Now, why are attackers looking for proxies? Some of it is sort of innocent in the sense that the attacker is just looking for some way to, for example, access a video platform that's blocked in their country.

I see a lot of requests like that, for example, in our DeShield data.

But at least one request that Jesse sort of pointed out

in his diary was looking for a Booter. A Booter is commonly referred to as a denial of service

platform, and of course they sometimes may need proxies in order to hide the true identity of their attacks.

So a lot of the times it's what I would consider sort of lower level or low skilled attackers

that are looking for proxies, but ever so often you may also run into an APT player or a more

advanced attacker who is really just sort of building up a platform in order

to attack other networks from.

It looks like there is one significant issue that multiple users reported with this month's

Microsoft update.

Bleeping computer has a good summary of it,

and apparently the problem here is that Kerberos sign-on

is no longer working if you are using an on-premise active directory server.

...