Hello, welcome to the Monday, November 23rd, 2021 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich. And today I'm quoting from Jacksonville, Florida. Apparently, office documents with malicious macros are still a problem, so Dede gave you a quick set of Yara rules in order

to find office documents quickly.

One is looking for Visual Basic code that's compressed and generated with the Visual Basic

for Application IDE.

So this is raw code that hasn't been modified yet.

The second one looks for Office document in the newer XML format.

That's of course then compressed as SIPP and then includes a VBA project.bin. So both of these

rules are looking for different types of office documents with macros. Sure, there are quite a few

documents that probably don't match, but for some quick triage, I'm sure you'll find these

rules helpful.

The British National Cyber Security Center released a notice asking retailers to double-check

their Magento installs.

Magento is Adobe's e-commerce platform, and it had a rich history of vulnerabilities,

including some relatively recent one that have often been exploited, for example, in order

to install credit card skimmers and the like. Well, if it's not too late for you, if you aren't

already sort of in your patch freeze for the like. Well, if it's not too late for you, if you aren't already sort of in your

patch freeze for the holiday business, double check whatever e-commerce platform you're

using, not just Magento. Make sure that you are up to date. I'm sure as business heats up,

ransomware will probably try to take advantage of that in order to add additional pressure to their demands.

Well, and then some news for the exchange users out there. We now have a public exploit for CVE 2021, 42, 321.

This vulnerability affects Exchange Server 2016 and 2019,

including if you're running it in hybrid mode.

...