Hello, welcome to the Wednesday, January 20th, 2021 edition of the Santernut Storm Center's Stormcast. My name is Johannes Ulrich.

And the time recording from Jacksonville, Florida.

And looks like one after one, the hacker groups are coming back from vacation after we had Hank Gator last week.

This week, Brad is talking about quagbot.

Quagbot has not been seen since a few days before Christmas.

And well, on Tuesday, it came back with the latest wave of malicious spam.

The spam is typically a sip attachment. If you open this latest wave, you'll get an Excel

file that claims to be a docu sign document and then it tricks you into enabling macros by

telling you, well, in order to sign the document, you need to enable macros. By enabling

macros, it will then download a DLL that will load additional malware via HDPS.

As usual with Pratt's diary, you'll find all the evidence packet captures linked in the diary.

And researchers at the JSOF research lab found a number of vulnerabilities in DNS Mask. Dinesk Mask is a very popular

DNS forwarder. You often find it in small firewalls and routers, typically Linux or BSD-based

devices. And all it typically does is it will take DNS queries from a network and then forward it to either

a specific name server or just act as a recursive resolver.

The vulnerabilities discovered here are really falling into two categories.

There are a couple of issues that make it easy to spoof responses.

For example, the source port is not really randomized.

Only 64 different source ports are being used by DNS mask, leading to essentially

the well-known Kaminsky attack from a few years back.

In addition, Resolver is supposed to verify that a response, not just the query ID matches,

but also the query included in the response

...