Hello and welcome to the Thursday, April 23rd, 2006 edition of the Sands Inlet of Storm Center's Stormcast.

My name is Johannes Ulrich, recording today from Amsterdam, Netherlands.

And this episode is brought you by the sands.edu graduate certificate program in penetration testing and ethical hacking.

Today we got another diary by one of our undercredit sands.edu interns.

El Carrey writes about how their honeypot got compromised.

Initially it looked like, well, your run-of-the-mill compromise.

It did sort of check for crypto miners, tried to kill them,

which is very typical for sort of these mining scripts that take over Linux systems with weak passwords.

But then things kind of changed.

The script then went and looked for the T-Data file in the desktop Telegram folder.

This is a typical location on the Linux system where Telegram, the messenger, keeps their session data.

So the content of the T-Data file are essentially session IDs that are being

used to authenticate declined to telegram's system. This session data could then easily be

copied to another system and used to authenticate as the user. So it's essentially as valuable

as the username and password for a particular account.

Even worse, if the user had set up to factor authentication, doesn't actually matter if the attacker gets a hold of this session data.

Telegram remains to be a highly valued platform by criminals, in part because of its

easy automation, and of course, of its worldwide infrastructure that is relatively easy to use and

widely used, which of course makes it more difficult for organizations to block access to Telegram.

Still something that you probably should monitor and definitely look for access to the Tdata file

if you have some endpoint protection that can monitor this.

For Telegram users also it's important to keep an eye out for any odd sessions

...