meta_pixel
Tapesearch Logo
Log in
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Wednesday, November 4th 2020

SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS ISC Handlers

Tech News, News

4.9754 Ratings

🗓️ 4 November 2020

⏱️ 5 minutes

🔗️ Recording | iTunes | RSS

🧾️ Download transcript

Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. Cobalt Strike and WebLogic; SaltSack; Adobe; Twilio NPM Brandjacking; GitHub Workflows

Transcript

Click on a timestamp to play from that location

0:00.0

Hello, welcome to the Wednesday, November 4th, 2020 edition of the Sansonet Storm Center's Stormcast.

0:07.9

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

0:14.1

Yesterday, I mentioned attacks that we are seeing against our honeypots installing Cobalt strike using the WebLogic CVE2020 1488 to vulnerability.

0:27.7

These attacks are ongoing and Renato has published a post now that at least at a time when

0:36.2

this podcast moves live should also be live on the

0:40.6

ISE website. Cobalt Strike is significant because it does point to attacks that then use

0:48.9

manual follow-up. So this goes beyond the sort of fully automated attacks that we have seen before

0:55.8

installing crypto coin miners and the like. For example, ransomware is often preceded by

1:03.9

Cobalt Strike. That's a tool that ransomware gangs like to then explore the network and install their ransomware.

1:15.1

And well, once you're done patching web logic, turn your eyes at Saltstack.

1:21.2

Saltstack is a platform to manage systems and we had a big vulnerability in this system back in May that caused some

1:33.5

large breaches for example a couple of Cisco servers and so were breached as a result of

1:41.1

this vulnerability this recent update fixes three vulnerabilities,

1:46.0

and while SaltStack hasn't added official severity rating yet,

1:52.0

well, two of them are high or critical and probably should be,

1:56.0

because they do allow unauthenticated access to the Salt API and via that to the SH client.

2:05.8

One of them is shell injection vulnerability in the SH client.

2:10.7

The second one sounds almost easier to exploit in that it says, well, it's a broken authentication. Any value for the e-auth or

2:20.1

token value would allow a user to bypass authentication and make calls to salt SSH. So as long as you

2:28.6

provide some token, you're good to go. The only mitigation offered for these S-H client vulnerabilities is to apply the patch and also to ensure that the Sault API has been restarted after applying the patch.

2:48.5

And with all of these critical sort of enterprise-ish vulnerability, it's nice to see that we also

2:54.6

have a very regular Adobe Reader and Acrobat patch that was released today.

...

Please login to see the full transcript.

Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.

Copyright © Tapesearch 2026.