Hello, welcome to the Wednesday, February 16th, 2020 edition of the Sands and the Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Quick diary today from Xavier looking at some of the bots that were hitting his mail server, kind of interesting

breakdown on where the bots are coming from and what onboarding systems.

They're running interestingly.

There appear to be a couple that are apparently associated with industrial control systems,

but, well, shouldn't really be a huge surprise that they get

infected as well and then used as bots in order to send Malware to mail servers, or in this

case just trying to brute force mail server credentials.

And Sophos has an interesting blog post with some details of new developments regarding the Skirlwaffle Malware.

This malware has first shown up September last year, and it has sort of specialized on vulnerable exchange servers.

So it uses the well-known proxy log-on and proxy shell vulnerabilities and exploits

in order to attack exchange server.

Once they have access to the exchange server, they'll inject themselves into email

threats and try to spread either malware or even then conduct a business email compromise.

Now, lately, apparently what is happening after the attacker is ejected from the exchange

server, so they got detected and the fraudulent accounts got removed.

They're now continuing to basically use the knowledge they gathered while they had access to the exchange server

to inject emails from look-like domains, and apparently at least in one case,

they were successful in getting a victim to trigger money transfer, which was luckily

blocked by a participating bank. So keep that in mind if you are running into an exploited

exchange server that even if the

attacker no longer has access to it, they may still use some of the knowledge they collect

...