Hello and welcome to the Wednesday, December 7th, 2020 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Orich, and today I'm recording from San Francisco, California.

In Diaries today, we do have a quick write-up by one of our under-graded interns.

Brock Perry is writing about one of those bigwittes IoT router, whatever you want to call it, attacks that are calmly attributed to the Gafgit and Mirai botnets.

Hard to actually tell the two apart these days with them sort of boring features from each other

and lots and lots of sort of various hybrid

malware like this evolving

and also the next episode of Packet Tuesday

is out and available for you

if you're interested in it. This time I'm talking

about TLS and I'm taking a client hello packet apart.

Well, have you ever deployed sort of a JavaScript library on your website,

maybe to track users, some free open source stuff,

but then kind of lost interest in really looking at all the stats,

and so you really just forgot about it.

Apparently, that's something that happened to users of the free JavaScript library cockpit.

Cockpit has been discontinued in December 2014, and recently Group re-registered a domain name used by Cockpit.

The domain name Web DashCockpit.jp.j.jp.j. was then used to serve malicious JavaScript,

very much sort of what we know calmly as Magecard group,

in that this JavaScript was then used to collect keystrokes on websites

that still were loading that now defunct for multiple years tracking a script. Apparently 40 different

e-commerce sites were compromised or data from those websites was compromised via this malicious script.

...