Hello and welcome to the Thursday, February 27th, 2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

Well, today we have a guest diary by one of our undergraduate interns, Robin Sar here.

Robin is writing about the use of ephemeral ports in order to download

Malver. This is something that happens quite common where the web server that the attacker is

connecting to in order to download additional Malver is not listening on Port 80,443, not even port 8,000, but instead on a very

high port, like 60,000 something or such. This is certainly something you look for, where you're

looking for anomalies, looking for HTTP traffic or HTTP or TLS traffic, for that matter,

on these high ports.

You have to be a little bit careful.

I've, in particular lately, more and more, seen it with web service and such,

where they sometimes listen on these high-od ports in cloud environments,

also, I think in part also because of the overloading of IP addresses.

People sometimes use these sort of random high ports.

They're even sometimes negotiated dynamically.

So where you first have some kind of handshake that then defines what high port is

being used.

This used to be more common like for a voiceover IP and for online gaming,

but I've sadly seen this more and more with sort of more mainstream applications as well,

which of course makes a detection of this kind of attack activity more tricky.

Still something you look for, and if you can definitely block outbound

connections on these high boards, again, just be careful that you're not disrupting any

...