Hello, welcome to the Tuesday, October 26, 2021 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich, and then I'm recording from Al-Kobar, Saudi Arabia.

Yesterday, I mentioned how the DA published a tool to decrypt the command control traffic from Cobalt Strike using leaked secret RSA keys.

The traffic is typically encrypted, but a number of secret keys that are often used by malicious

Cobalt Strike installations have been leaked, and the DDA's tool is able to use these keys to then hopefully

decrypt the traffic. Now today DDA did publish a diary walking you through how this

decry works and how to use his tool. As a sample, DDA is using a packet capture that Pratt posted, and this packet capture

does show you the complete infection chain with Cobalt's drying additional malware, so Didi

was able to demonstrate his tool, and yes, luckily, of course, that particular traffic was encrypted using one of

the leaked keys that is incorporated in DDA's tool.

And this score is an open source discussion platform or some people may call it a bulletin board

has released a critical update to patch remote code

execution vulnerability. Don't mix it up with Discord, the online chat software. This is sort of more

your good old web-based bulletin board, but still important that you patch it.

We have seen a lot of attacks against similar products in the past,

whether it's, of course, good old PHP bulletin board or some of the similar products.

Definitely patch this if you're using the software.

Technical details regarding the flaw have been made

public and exploitation probably shouldn't take much longer. And we got yet another

compromised NPM package. This time it is UA Parcer.js. The package apparently had been downloaded several million times a week and is typically

used as the name suggests to parse the user agent.

The malicious versions and there are several versions of the package that have been compromised

...