ISC StormCast for Thursday, May 11th, 2023

Released Thursday, 11th May 2023

Episode Transcript

0:00

Hello, and welcome to the Thursday, May 11, 2023 edition of the SANS Internet Storm Center's StormCast. My name is Johannes Ullrich, and today I'm recording from Jacksonville, Florida.

0:15

In diaries today, we have the second part of Russ's exploratory data analysis with the CISSM Cyber Attacks Database. In the first part, he talked a little bit about how to use this open source database of attack data and use it with a couple of different tools. This second part now focuses in particular on some models that you can build around it to sort of forecast what's going to happen with the data. That's of course always interesting if you're looking for anomalies that are deviating from this forecast behavior. So some things like exponential smoothing, Jupyter notebooks in order to actually conduct some of this analysis. Lots of details here. If you're into data analysis, that's of course nice to follow through with. And this CISSM data set certainly sounds like a nice resource to have some realistic data to play with.

1:15

And remember back in March, Microsoft fixed a vulnerability in Outlook that actually had already been exploited at that point in time. The big problem here was that the hacker could send an email with a custom sound URL. There is a feature in Outlook, no idea why, that allows you to embed sounds in your email. And just by previewing the email, the system would attempt to download this file from a remote source, which, if you're using SMB as your protocol here, could result in leaking NTLM credentials. So this was a problem, was a real problem, in Outlook. The root cause here was actually how the Windows API mapped URLs to different zones, and then in March Microsoft patched CVE-2023-23397. Problem is, they didn't completely patch it. Akamai today published a blog post about how the original patch was still bypassable, and now Microsoft in this week's Patch Tuesday, so the May Patch Tuesday, did release another patch that fixed this same vulnerability, hopefully for good this time. Lots of details in the blog post about how the bypass exactly worked, how to detect possible attacks, and I believe some of the existing attack signatures for the original vulnerability still kind of worked here.

2:56

And earlier this week, several intelligence and law enforcement agencies have released a collaborative document with details regarding the Snake malware. This particular malware has been around for about 20 years. It has been constantly improved, and it's attributed to Center 16 of Russia's Federal Security Service, the FSB. The Snake malware is not so much about exploits and such, but it's really the infrastructure then being used to exfiltrate data. It's a peer-to-peer network, so it includes multiple nodes around the world. They're saying 50 countries they detected nodes for the Snake infrastructure in. So not necessarily every participating system here is sort of infected; it could also just be something that was configured and set up as a relay. The report has almost 50 pages and lots of details about how to detect the Snake malware and how to, for example, decode its communications. It uses HTTP, HTTP/2, but also some simple TCP socket communication in order to exfiltrate data. As part of this, the FBI also released a tool that they call PERSEUS, the entire Snake and Medusa analogies here, that disabled the Snake network. So basically deactivated the malware on computers compromised with Snake. However, there is nothing done in order to patch any vulnerabilities or such on the system. So if you are infected with Snake, while the malware itself is no longer active, the system may just get reinfected again.

4:50

We've seen a couple of cases lately where attackers are tricking users into installing fake Chrome or browser updates based on error messages claiming to be a browser error message. Well, it looks like the people behind the Aurora ransomware are now going a step further and are actually emulating the entire Windows Update experience. You know, when you usually have that entirely blue screen and a little progress icon and it tells you it's working on updates. Well, this is basically what they're simulating in a browser window. And then they have a little dialog here that tricks you into installing their fake update. Looks pretty good in the screenshots here. Malwarebytes has more details in their blog post.

5:44

And that's it for today. Thanks again for listening, and talk to you again tomorrow. Bye.
