Hello and welcome to the Monday, September 15th,

2000-25 edition of the Sands and under the Storm centers, Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the sands.edu undergraduate certificate program in applied

cyber security. Did he this weekend published a brief post just confirming some of the scans

that I've observed for archives and also filling in a couple of other archive types that are being searched for.

Just a quick recap, this is all about our web honeypots.

What we are seeing is, or the last few months at least, an increase in scans for dot-sip

and similar archive files, often pointing that attackers are looking, for example, to retrieve

backups or such of configuration files that the system administrators may have left in the document

route.

Well, in addition to SIP files, Didi also saw dotRar, 7CGC and TAR files being looked for,

and the file names being, well, backup mostly, but we have also seen a couple of other

file names, so backup.back, backup.jsH, various files that basically point to the attacker,

hoping that careless administrators left these backup files behind.

And of course, they often contain credentials and other goodies.

So that's probably what they're ultimately after.

And on Friday, the FBI released another one of its flash alerts focusing on particular

threat actors.

There are actually two distinct threat actors that this latest flash alert does focus on both

Salesforce related.

The first one is just sort of your classic Salesforce, social engineering and

...