Episode Transcript
0:00
Hello, and welcome to the Thursday,
0:02
May 11, 2023 edition of the SANS Internet Storm Center's Storm-
0:08
cast. My name is Johannes Ullrich, and
0:10
today I'm recording from Jacksonville, Florida.
0:15
In diaries today, we have the second
0:17
part of Russ's exploratory
0:20
data analysis with the CISSM
0:23
Cyber Attacks Database. In
0:25
the first part, he talked a little bit about how to
0:28
use this open source database
0:30
of attack data and use
0:32
it with a couple of different tools. This second
0:34
part now particularly focuses on
0:37
some models that you can build around
0:40
it to sort of forecast what's
0:42
going to happen with the data. That's
0:44
of course always interesting
0:45
if you're looking for anomalies that
0:48
are deviating from this forecast
0:50
behavior. So some things like
0:53
exponential smoothing, Jupyter
0:55
notebooks in order to
0:57
actually conduct some of this analysis.
1:00
Lots of details here. If you're into
1:02
data analysis, that's of course, nice
1:05
to follow through with. And
1:07
this CISSM data
1:09
set certainly sounds like a nice
1:11
resource to have some
1:13
realistic data to play with.
1:15
And remember back
1:18
in March, Microsoft
1:20
fixed a vulnerability
1:22
in Outlook that actually had already been
1:25
exploited at that point in time.
1:27
The big problem here was that a
1:29
hacker could send an email with
1:32
a custom sound URL. There
1:35
is a feature in Outlook, no idea
1:37
why that allows you to embed sounds
1:40
in your email. And just
1:42
by previewing
1:42
the email, then the system
1:45
would attempt to download this file
1:47
from a remote source, which, if you're
1:50
using SMB as your protocol here,
1:52
could result in leaking NTLM
1:55
credentials. So this was
1:58
a real problem.
1:59
In Outlook, the root cause
2:02
here was actually how the Windows API
2:05
mapped URLs to different
2:07
zones and then in March
2:10
Microsoft patched CVE-2023-23397. The problem
2:16
is they didn't completely
2:19
patch it. Akamai today published
2:21
a blog post about how the
2:24
original patch was still bypassable
2:27
and now Microsoft in
2:29
this
2:30
week's patch Tuesday so the May
2:33
patch Tuesday did release
2:35
another patch that fixed this
2:37
same vulnerability hopefully for
2:40
good this time. Lots of details
2:42
in the blog post about how the bypass
2:44
exactly worked, how to detect
2:46
possible attacks and I believe some
2:49
of the existing attack signatures
2:52
for the original vulnerabilities still
2:54
kind of worked here.
2:56
And earlier this week, several
2:59
intelligence and law enforcement agencies
3:01
have released a collaborative
3:04
document with details regarding
3:06
the Snake malware. This particular
3:08
malware has been around for about 20 years.
3:11
It has been constantly being improved,
3:14
and it's attributed to Center 16
3:17
of Russia's Federal Security
3:19
Service, the FSB. The
3:22
Snake malware is not so much about
3:24
exploits and such, but it's really the infrastructure
3:27
then being used to exfiltrate
3:29
data.
3:30
It's a peer-to-peer network, so
3:32
it includes multiple nodes
3:35
around the world. They're saying 50 countries
3:38
they detected nodes for
3:40
the Snake infrastructure in. So
3:42
not necessarily every
3:44
participating system here is sort
3:47
of infected. It could also
3:49
just be something that was configured
3:51
and set up as a relay.
3:54
The report has almost 50 pages
3:57
and lots of details about how to detect
3:59
the Snake
3:59
malware and how to, for
4:02
example decode its communications.
4:05
It uses HTTP, HTTP2 but
4:07
also some simple
4:10
TCP socket communication in
4:13
order to exfiltrate data.
4:16
As part of this, the FBI also
4:18
released a tool that they call
4:21
PERSEUS, the entire Snake
4:23
and Medusa analogy here, that
4:25
disabled the Snake network.
4:28
So basically deactivated the malware
4:30
on computers compromised with
4:33
Snake. However, there is
4:35
nothing done in order to patch any
4:37
vulnerabilities or such on the system. So
4:39
if you are infected with Snake,
4:42
while the malware itself is no
4:44
longer active, the system
4:46
may just get reinfected
4:48
again.
4:50
We've seen a couple of cases lately
4:53
where attackers are tricking
4:55
users into installing fake
4:58
Chrome or browser updates based
5:01
on error messages claiming to be a browser
5:03
error message. Well, it looks like
5:06
the people behind the Aurora
5:10
ransomware are now going a step
5:12
further and are actually emulating
5:14
the entire Windows
5:16
update experience. You know when you usually
5:19
have that entirely blue screen
5:21
and a little
5:22
progress icon
5:24
and it tells you it's working on updates. Well,
5:27
this is basically what they're simulating in a browser
5:29
window. And then they
5:31
have a little dialog here that
5:34
tricks you into installing their
5:36
fake update. It looks pretty good in
5:38
the screenshots here. Malwarebytes
5:41
has more details in their blog
5:43
post.
5:44
And that's it for today. Thanks
5:47
again for listening and talk to you again
5:49
tomorrow. Bye.