Hello and welcome to the Friday, March 20th,

2006 edition of the Sands and then at Storm Center's Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the Sands.edu credit certificate program in cyber defense operations.

One of the questions we often get is whether or not any like global events are affecting what we are seeing in our logs.

Now, we have in the past often seen like disasters and such, for example, being used in scams.

Guy had an interesting sort of event in his cowrie honeypot that's a little bit related with what's

happening now in Iran. Essentially a message that the attacker added to the command line here that was executed in the honeypot that just stays magic payload killer here or leave empty.

And then Iranbot was here.

This is often kind of just use of as a little indicator whether or not the commands are actually properly processed. Sometimes,

strings like this are being also used to identify honeypots to see what is then actually

being returned by the particular shell that they attempt to log into. In this case,

it wasn't anything remotely sophisticated, just yet so of another

S-H prude-forcing attack. And sometimes attackers are really also just, you know,

using these strings for notoriety to maybe be recognized or as such. But yes, not everything

is sort of nation states if it does mention a nation as part

of a string in a payload like this.

Talking about Iran, there was one significant breach that was caused by threat actors associated

with Iran, and that was against the medical supply

company Stryker.

Now, I typically don't talk about breaches much unless there's sort of a lesson to be learned

or something actionable coming out of it, and that's what we have now.

...