Hello, welcome to the Wednesday, March 3, 2021 edition of the Sandton and Storm Center's Stormcast. My name's Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Well, today we do have a podcast full with currently exploited serenaries and emergency patches, but I decided to first talk about something

very regular, and that's today's diary by Brad about a quagbot infection, because with all

the seradase, this is probably the most likely mode how your network will get compromised, and that's the good old

user clicking on an attachment, running a macro, and triggering quagbot. What Brad was looking

here in particular was, what if the system that's infected is connected to an active directory domain and

that's something that has really been shown up more and more lately where malware behaves

different in these sort of more corporate environments and yet again Brad saw Cobalt

strike being installed for follow-up activity.

If you're interested in the indicators of compromise and to walk through traffic yourself,

Brad, as usual, has the packet captures for you.

But let's say that you don't trust the cloud.

You want full control over your email in order to prevent attachments like this from being

received by your users.

Then you may still be running your own exchange server.

And this is where probably the biggest story for today comes in, and that's Microsoft

releasing a special update for exchange after also stating that these vulnerabilities

have already been actively exploited by what Microsoft calls the Haphnium group and currently associated

with the Chinese government.

Now, this has been exploited only against the very limited number of targets, according to

Microsoft and Microsoft's blog post has additional details about the particular vulnerability and how this particular group

exploited it and used it to install web shells.

...