Hello and welcome to the Wednesday, March 5th, 2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Baltimore, Maryland.

Now, in our first scene URLs list, I noticed an interesting pattern where we had a host that is scanning routinely

for the last month or so for lead credential files like your usual.

.env files and such.

They added some new files to their repertoire, SMTP underscore token.jason and a second

file that is SMTP underscore keys.

The problem of these files is that, well, they likely contain SMTP server credentials.

It's not half to ensure what particular application these files are associated with, but

Googling comes up with the Jansen project

that is actually sort of a set-off identity management components,

and part of their SMTP server configuration refers to these files.

Interesting, also a little bit sort of side note that this particular system that is

scanning for these files now is associated with a distillery in Romania. Haven't made contact

with them yet, but I assume it's just another compromise system and it's going after various

credential files for about a month now.

And Jim today posted a second diary. This diary is just a quick notice that Jim updated his tool

macrobber.py. This tool is a re-implementation of the Macrobber tool that comes with Slufkit, just in Python.

And the latest version that was actually released a couple of weeks ago does fix some issues with following Simlings.

I've got a couple of vulnerabilities to talk about, so let's start with Soho's ad self-service

plus this tool is important, well, because the ad here doesn't stand for advertisements,

but for Active Directory, it allows users to manage their identity.

...