Episode Transcript
0:00
Hello and welcome to the Friday, April 4th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

0:14
Today we got another diary from one of our undergraduate interns, Gregory Weber, who did talk about, while analyzing URLs collected by honeypots, how to identify malicious traffic and distinguish it from normal traffic to a web application. Of course, honeypots by definition really only get malicious requests. So Gregory did compare it to data from a normal website. There's some frequency analysis on it, and he actually came up with a model that looks reasonably good in distinguishing attacks from non-attacks. I think it still needs a little bit of refinement and maybe more data really to validate it well, but it's an interesting approach, and there of course is a lot of work happening currently doing sort of some more automated log analysis, automated intrusion detection, using some of these machine learning techniques.

1:18
And the next story falls in the category "never underestimate the creativity of a sophisticated attacker." In this example, it's a critical vulnerability in Ivanti Connect Secure. It was patched in February. It's a buffer overflow, but exploitation is quite constrained for that buffer overflow. It was initially assessed that this particular vulnerability is not exploitable. Well, they were proven wrong now, apparently by some actor that may be associated with some Chinese state actors. According to Mandiant, who wrote about it, it looks like they reversed the patch, a very common technique of course, to figure out what the exact vulnerability was, and yes, then came up with an exploit that was applicable even though these constraints of course still applied. Interesting blog post. Apparently these attacks started in mid-March, and as of today Ivanti also disclosed that this vulnerability has actually been exploited.

2:30
And then another Mark of the Web vulnerability, this time in WinRAR. So like all of these decompression, unpacking-style programs, well, if the original file was downloaded from the web, they have to apply this Mark of the Web to all the files that they're expanding. WinRAR usually does that, but apparently doesn't do it correctly if there are symlinks involved, and that's the vulnerability that was addressed here. Not a huge deal, I think, but certainly something that you do want to update, given that this is a relatively popular software.

3:11
And well, it's already sort of a week into April almost. With that, we are getting close to the tax filing deadline in the US, April 15th. Microsoft released a timely warning here that, well, they're seeing of course the usual number of tax-related scams, and definitely something that you do want to share with colleagues, in particular less technical colleagues, what is being done here right now. Personally, I've actually not seen a lot, I don't think any really so far this year, but the typical things are fake tax form download sites, QR codes being used to trick users into going to malicious sites. Be a bit careful as to what websites you're using for a tax filing service. As you remember, I think it was two years ago, we found like eFile.com, for example, being compromised around tax filing season. So definitely go with name-brand websites that you have used in the past, that already have your data and so forth. If they're compromised, well, your data is lost anyway. But definitely be a little bit careful here who you are using in order to file your tax with, with that giving them a lot of your personal information.

4:37
And talking about trust and breaches: Oracle now apparently has notified some of its customers that their login credentials may have been leaked. They say this is associated with an older system and the data that was actually being leaked here was not current data. Now the group that actually leaked the data has disputed that. Again, this comes back down to how much do you trust your cloud providers, because in the end, that's what cloud is all about. You can't really verify the information that they're giving you, so you're trusting that they're giving you the right, correct information to make sound decisions with. Assume something happened here, but of course we still don't exactly know what and what the extent is, and yes, be ready that Oracle may notify in private even though their public statements at this point don't really say much about this particular breach.

5:43
Well, that's it for today. If you got a minute, please leave a good review on any of the podcast sites where you're downloading this particular podcast from. Subscribe, of course, to automatically be offered any new episodes being released. Remember, we also have, like Alexa, for example, you can get the... get that. We have YouTube. We had that, we... of other channels where we do offer this podcast. Thanks and talk to you again on Monday. Bye-bye.