Hello and welcome to the Tuesday, October 24, 2022 edition of the Sandsenage Storm Center's

Stormcast. My name is Johannes Ulrich, and today I'm recording from Augusta, Georgia.

Xavier today wrote up a Python script that uses Outlook.com as a covert channel. The use of popular cloud services

like this for covert channels and data X filtration, of course, has become more and more

popular cloud services often offer APIs that are easily scripted. And then, of course,

the wide use of these cloud services and enterprises

makes the cover channel traffic really sort of disappear in all of the noise of the

legitimate traffic to these services now in this case discovered by Xavier the command

control channel actually doesn't use sort of any fancy Outlook 365 APIs.

Instead, it uses good old email protocols.

The bot essentially just the polls for new emails via IMAP.

There's a specific account that's sort of being configured in that bot and the emails that are being read

will then contain any commands for the bot. Now, if there's any data that's coming back as a result

of the commands, that's then being sent to the same Outlook.com address via SMTP. Of course, the TLS versions of both

protocols are being used, making detection even more difficult. I think if anything, maybe the

volume, the number of requests over time for these IMAP SMTP connections could sort of raise suspicion for an analyst monitoring the networks

carefully, but overall this is the kind of a co-vart channel that is fairly difficult to detect.

And Apple today released one of its massive updates.

The most significant part was the release of Mac OS 13 Ventura.

iPad OS also received a new major version jumping straight from 15 to 16.1, which is now in sync with iOS, because also for iOS, we got

16.1, of course, the original 16 version came a little bit earlier for iOS a few weeks ago.

The update patches, I think I counted in 108 different vulnerabilities.

...