Hello, welcome to the Wednesday, September 4, 2019 edition of the Sandstorm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Brussels, Belgium.

You've got another guest diary today from Jan Kopriva who wrote about an interesting variant of trickbot that he came across.

The interesting part here is the link file that's used to spread this variant of trickbot.

Link files usually will link to other files, but they also can contain content themselves and in this case in addition

to the link file itself there is data being appended to the link file at its end.

Windows pretty much ignores data being appended to a link file that's otherwise properly formed and in

this case the script within the link file will extract the next stage of the payload

from this additional data appended to the link file the code once extracted

from the link file will then download additional stages,

which turns out, as I mentioned earlier, to be yet another variant of Trickbot.

Security company Eclipseum released details regarding regarding vulnerability in some super micro

motherboard BMC or baseboard management controllers.

One of the features implemented by these controllers is virtual USB devices.

These virtual USB devices are essentially USB drives that can be connected to the server across the

internet.

You can use that, for example, to remotely reboot a server to a different operating system.

For example, to install a new operating system,

apply patches, or repair an existing operating system install, a feature that is quite useful

sometimes in particular if you're trying to rescue boot down server. But apparently,

authentication to connect these USB devices isn't implemented correctly

in some of Supermicros BMCs and as a result an attacker can connect their own USB device

...