Hello and welcome to the Friday, January 10th, 2020,

5 edition of the Sans and the Storm Center's Stormcast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

Well, in diaries today, we have diary by one of our undergraduate interns Cody Hales.

Cody is writing about an infection with Redtail. Redtail is

crypto miner at its core. Has some interesting traits. For example, all the parts of the

crypto miner are copied to the system via SCP. This kind of makes sense because the initial

access is via SSH and a weak username and password.

Then the attacker is just uploading additional files.

Many other tools are using curl, W get or such to download files from malicious sites.

Of course, the advantage of the upload is the attacker doesn't have to set up a web server

to offer the malicious files.

And also, it may be a little more stealthy because everything runs over the encrypted

ZH connection, which typically isn't proxied or such, like HTTP, which or H-TS even, which is then often analyzed, may be able

to use to spot any malicious downloads like this. Interesting approach. What kind of reminded me

of some of the early days here at Sands and the United Storm Center was the password being used here at NIMDA.

I'm not sure if anybody remembers the NIMDA warm, of course 2001-ish, and I sort of just about started here at Sands.

I guess today it's still remembered at least in a form of weak passwords.

One of the highlights, if that's the right word of the December patch Tuesday, was a bug in Microsoft's implementation of LDAB, CVE 2024.

CVE 202449-112.

This vulnerability potentially allows for remote code execution.

L-DAP being behind Active Directory, of course, a highly critical system here.

...