Hello and welcome to the Wednesday, February 22nd, 2023 edition of the Sandtonet Storms, Stormcast. My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Xavier ran into another one of these sort of customized, branded fishing pages. The trick here is that the fishing page

is automatically adjusted based on the email address being entered into the page. So typically

here, the user will receive an email a message with a link that leads to the phishing page. The link itself includes as a parameter

the email address of the victim and then JavaScript on the page is loading a screenshot of a webpage

based on the victim's email domain. So if you're for, entering sands.edu email, it will automatically pull in a screenshot

of the sands.edu website, use it as a background, and with that, make the entire fishing page

more plausible.

The trick how this works with only client site and JavaScript code is a service

called Thumb.io. It essentially creates screenshots of random webpages and easily integrates

with JavaScript. So there is no server site code required for this, which of course makes it very

easy and simple to host respective phishing pages. I believe you had a page like this also last

year. Xavi also explains how to de-obuscate some of the JavaScript being used in this site.

And earlier this week, I talked about 40Net fixing 40 or something like this,

vulnerabilities, one of them a critical vulnerability in 40 NAC, CVE 2020-22-39-952.

Well, as promised, Horizon 3 now released a deep dive into this vulnerability,

including a proof-of-concept exploit.

To make things more interesting, exploitation is pretty straightforward of the vulnerability.

As part of the patch, a file was removed from Fortinac

that allowed upload of key files.

But these key files were then immediately unsypped

without any further inspection,

...