SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Friday, May 30th 2025: Alternate Data Streams; Connectwise Breach; Google Calendar C2;


SANS ISC Handlers

Tech News, News, Technology


🗓️ 30 May 2025

⏱️ 14 minutes


Summary


Alternate Data Streams: Adversary Defense Evasion and Detection
A good primer on NTFS alternate data streams (ADS): what they are, how adversaries abuse them to hide content from casual inspection, and how to detect and defend against ADS abuse.
https://isc.sans.edu/diary/Alternate%20Data%20Streams%20%3F%20Adversary%20Defense%20Evasion%20and%20Detection%20%5BGuest%20Diary%5D/31990
ConnectWise Breach Affects ScreenConnect Customers
ConnectWise's ScreenConnect product was compromised, leading to attacks against a small number of customers. This is yet another example of attackers targeting remote access solutions.
https://www.connectwise.com/company/trust/advisories
Mark Your Calendar: APT41 Innovative Tactics
Google detected APT41 attacks that used Google Calendar as a command and control channel.
https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics
Webs of Deception: Using the SANS ICS Kill Chain to Flip the Advantage to the Defender
Defending a small industrial control system (ICS) against sophisticated threats can seem futile; the resource disparity between small ICS defenders and well-funded attackers poses a significant security challenge.
https://www.sans.edu/cyber-research/webs-deception-using-sans-ics-kill-chain-flip-advantage-defender/
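The first item above is about finding and triaging alternate data streams. As an added illustration, not code from the ISC diary or the podcast, the PowerShell script below walks a directory, lists every named stream on each file, flags streams that are neither the file's default data stream nor the mark-of-the-web Zone.Identifier stream, and parses Zone.Identifier into its ZoneId/HostUrl/ReferrerUrl fields. The allow-list, the demo directory, the stream name update.ps1 and the URL in the demo are assumptions constructed for the example; it needs an NTFS volume, since FAT and exFAT do not carry streams.

```powershell
# Added example, not from the ISC diary or the Stormcast episode.
# Enumerates NTFS alternate data streams under a directory and flags the ones
# that are not the default stream or the mark-of-the-web stream.

function Find-SuspiciousAds {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed allow-list: ':$DATA' is the file's main content,
        # Zone.Identifier is what browsers write for downloaded files.
        [string[]] $KnownStreams = @(':$DATA', 'Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $KnownStreams -notcontains $_.Stream } |
        ForEach-Object {
            [pscustomobject]@{
                File   = $file.FullName
                Stream = $_.Stream
                Bytes  = $_.Length
            }
        }
    }
}

# Reads the Zone.Identifier stream and returns its key/value pairs,
# or $null when the file carries no mark of the web.
function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)] [string] $Path)
    $lines = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }
    $info = [ordered]@{}
    foreach ($line in $lines) {
        # Zone.Identifier is INI-style: a [ZoneTransfer] header followed by Key=Value lines.
        if ($line -match '^(\w+)=(.*)$') { $info[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]$info
}

# --- Demo on constructed data in a throwaway directory (NTFS required) ---
$demo = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demo | Out-Null
try {
    $target = Join-Path $demo 'report.txt'
    Set-Content -LiteralPath $target -Value 'Quarterly report (visible content)'

    # Benign stream, as a browser would write it for a download (values are made up).
    Set-Content -LiteralPath $target -Stream 'Zone.Identifier' -Value @(
        '[ZoneTransfer]', 'ZoneId=3', 'HostUrl=https://downloads.example.invalid/report.txt')

    # Stream an attacker might plant to keep a script out of a plain directory listing.
    Set-Content -LiteralPath $target -Stream 'update.ps1' -Value 'Write-Output "hidden"'

    'Streams on the demo file:'
    Get-Item -LiteralPath $target -Stream * | Select-Object Stream, Length | Format-Table -AutoSize

    'Mark of the web:'
    Get-MarkOfTheWeb -Path $target | Format-List

    'Flagged (not on the allow-list):'
    Find-SuspiciousAds -Path $demo | Format-Table -AutoSize
}
finally {
    Remove-Item -LiteralPath $demo -Recurse -Force
}
```

Two caveats a practitioner would want: the allow-list approach reports anything unusual, so expect benign noise from software that annotates files with its own streams, and a recursive scan of a large tree is slow, so for fleet-wide coverage it is better to log stream creation at the time it happens (Sysmon's FileCreateStreamHash event, ID 15, records exactly that) than to rescan periodically. Unblock-File removes only the Zone.Identifier stream; other named streams stay until removed explicitly, for example with Remove-Item -Stream.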

Transcript


0:00.0

Hello and welcome to the Friday, May 30th, 2025 edition of the SANS Internet Storm Center's Stormcast.

0:08.1

My name is Johannes Ullrich, and this episode, brought to you by the SANS.edu Graduate Certificate Program in Incident Response, is recorded in Jacksonville, Florida.

0:19.5

And today's diary comes again from one of our undergraduate

0:23.8

interns. And, well, it's a good summary of alternate data streams, basically what they are,

0:29.6

how to defend against them, how they're being used offensively. Keep in mind that alternative

0:34.7

data streams aren't always malicious. There are some normal occurrences of alternate data streams.

0:41.3

Well, that's why they exist in the first place.

0:43.7

They were really initially sort of meant to sort of annotate files.

0:47.1

So one way, how they're being used, for example, is as part of the mark of the web

0:53.8

to basically define a certain file was downloaded

0:57.5

from the internet, and then you may find additional details, like, for example, the URL

1:02.5

that it is being downloaded from.

1:06.4

Anyway, if you're not that familiar with alternative data stream, it's a real good primer here

1:10.5

on what they can do

1:13.1

and how to better understand them.

1:15.9

And ConnectWise published an advisory stating

1:19.1

that they have been breached.

1:22.2

The problem with this is that, well,

1:23.9

one of their products, ScreenConnect, was apparently affected.

1:28.6

Now, they're stating only a small number of customers were affected,

1:32.7

but this is really sort of a current trend

1:34.9

where these remote access tools are often being compromised

...
