ISC StormCast for Wednesday, April 1st 2020
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
🗓️ 1 April 2020
⏱️ 7 minutes
Transcript
| 0:00.0 | Hello, welcome to the Wednesday, April 1st, 2020 edition of the SANS Internet Storm Center Stormcast, |
| 0:07.3 | my name is Johannes Ullrich, and today I'm recording from Jacksonville, Florida. |
| 0:13.1 | Kwampirs, or Orangeworm, is back in the news. This is some targeted malware that has sort of come back occasionally. |
| 0:23.6 | This time the FBI released an update stating that one of the targets of this particular malware is also the healthcare sector, |
| 0:33.2 | which of course currently has other things to worry about. |
| 0:44.3 | One of the tricks that Kwampirs uses is to infect software vendors and then essentially, via the supply chain, enter the actual target network. |
| 0:48.3 | This is really tricky to defend against because essentially the malware arrives as part of an update from a trusted |
| 0:57.0 | vendor and this is of course always very difficult to then investigate and figure out whether |
| 1:03.3 | or not this update was legitimate. So your standard anti-malware is probably not going to save |
| 1:08.9 | the day here. Old versions of Kwampirs are |
| 1:11.9 | really well recognized by anti-malware, but you're probably going to see the next one also |
| 1:17.8 | indicators of compromise that were published for past versions don't necessarily apply for |
| 1:24.4 | the next one. So how can you actually detect something like this? Well, there are |
| 1:29.9 | sort of two things I kind of spotted. First of all, it has to connect to some kind of command |
| 1:34.2 | and control server. So these connections may be able to be spotted. It is not very chatty. One |
| 1:43.3 | of the write-ups talked about just one connection a day, |
| 1:48.0 | so that's likely going to fly under the radar. But in the past, it has used some pretty |
| 1:53.3 | artificial domain names, also like domain names within the .tk top-level domain. That's something |
| 2:00.0 | that may stick out. Also, Kwampirs likes to start |
| 2:03.7 | services on infected hosts, and then it also likes to reach out to admin shares, which may be probably |
| 2:11.4 | the easiest way to detect this particular infection. And while you're looking for it, you may find something else, |
| 2:19.4 | too. Just in general, when you're reading sort of write-ups about targeted malware like this, |