Hello and welcome to the Monday, August 25th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Baltimore, Maryland. This episode is brought to you by the SANS.edu Undergraduate Certificate Program in Applied Cybersecurity.

Well, this weekend I only got a quick update for you about some internal changes to the backend of our Internet Storm Center and DShield websites. We're cleaning up some real old code here. Back when I started 25 or so years ago with collecting the data, it sounded like a great idea back then to sort of zero-pad individual bytes of IP addresses so they all have the same length and are easily sorted. Well, that actually in hindsight turned out to be a real bad idea. It's something that I should have fixed many, many years ago; I'm finally getting around to it. And the main thing that you'll see is in some of the data feeds where we used this zero-padded IP address format, you'll see the more normal dotted decimal format for IP addresses. So that should actually make it easier when it comes to post-processing some of the data. If you still note some of the old format, let me know. It'll take a while for all the sort of legacy data to really be changed over.

Well, sometimes it's interesting how attacks that we are sort of used to from the Windows side are bleeding over to other operating systems.
The latest example was documented by Cyfirma. They observed what they believe to be a Pakistani hacker group targeting Indian systems using, well, Linux .desktop files. The target here is in particular Linux BOSS, B-O-S-S. That's a Linux distribution specifically popular in India. Now, .desktop files are not specific to that distribution. You see them often in Linux. They're basically desktop links similar to what you have in Windows with .url files, simple text files with essentially a couple of parameters. One of the parameters is what command to launch when you click on the icon that represents this particular file. They pretend this to be a PDF, but what you're actually clicking on then launches an executable that basically takes over the respective victim's system. Given that this is currently more used in targeted attacks, it's not a huge problem at this point. But we do keep seeing attacks like this trickle down to more sort of commodity attacks. This is simple enough to pull off. If attackers figure out this is effective, they'll probably launch similar attacks on a broader scale.

And Kirill Boychenko with socket.dev gives us another reminder of how careful you have to be when you're running malicious tools. The latest example is a Go module that claims to be an SSH brute forcer. The module is called Random IP SSH Bruteforce. This tool definitely doesn't really have sort of a legitimate use because it's specifically designed to scan random IP addresses. So it's not a legitimate pen testing tool that you could focus on a particular IP address range. The reason Go is often used for tools like this is because of its threading capability, and it's really easy to create very fast scanning tools like this in Go, whether malicious or not. The problem with this tool is, while it does what it's advertising that it is, scanning random IP addresses for usernames and passwords, it's also exfiltrating the user's, the attacker's, credentials to the creator of the tool.
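A small worked example for the IP address format change mentioned at the top of the episode. This is added here and is not ISC or DShield code; the tab-separated feed layout it uses (source IP, target port, count) is constructed for illustration. It reads every octet as decimal on purpose: some parsers, such as the C library's inet_aton(), treat an octet with a leading zero as octal, so a padded "010" can silently become 8 instead of 10 if it reaches such a tool unnormalized. The numeric sort key shows that the ordering the padding was meant to provide does not need the padding.

```python
"""
Normalize the zero-padded dotted-decimal IPv4 format the old ISC/DShield
feeds used (e.g. "010.000.002.015") to plain dotted decimal ("10.0.2.15").

Added example, not ISC/DShield code. The tab-separated feed layout below
(source IP, target port, count) is constructed for illustration only.
"""
import re

# Exactly one to three ASCII digits; leading zeros are allowed on input.
_OCTET_RE = re.compile(r"^[0-9]{1,3}$")


def normalize_ipv4(addr: str) -> str:
    """Return addr in canonical dotted decimal, accepting padded or plain octets.

    Every octet is read as DECIMAL ("010" is 10). This is deliberate: C's
    inet_aton() and some other parsers read a leading-zero octet as octal,
    so padded addresses must be normalized before they reach such tools.
    Raises ValueError for anything that is not four 0-255 octets.
    """
    parts = addr.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {addr!r}")
    octets = []
    for part in parts:
        if not _OCTET_RE.match(part):
            raise ValueError(f"bad octet {part!r} in {addr!r}")
        value = int(part, 10)
        if value > 255:
            raise ValueError(f"octet out of range {part!r} in {addr!r}")
        octets.append(value)
    return ".".join(str(v) for v in octets)


def is_valid_ipv4(addr: str) -> bool:
    """True if normalize_ipv4() accepts addr."""
    try:
        normalize_ipv4(addr)
        return True
    except ValueError:
        return False


def is_zero_padded(addr: str) -> bool:
    """True if any octet carries a leading zero, i.e. the legacy format."""
    return any(len(p) > 1 and p[0] == "0" for p in addr.strip().split("."))


def ipv4_sort_key(addr: str) -> tuple:
    """Numeric sort key: the ordering the padding was meant to give, without padding."""
    return tuple(int(p, 10) for p in normalize_ipv4(addr).split("."))


# Constructed legacy-style feed lines: source IP <tab> target port <tab> count.
LEGACY_FEED = [
    "192.168.001.001\t445\t3",
    "010.000.002.015\t22\t17",
    "008.008.008.008\t53\t1",
]


def normalize_feed(lines):
    """Rewrite the IP column of each feed line and return the lines sorted by address."""
    rows = []
    for line in lines:
        ip, _, rest = line.partition("\t")
        rows.append((ipv4_sort_key(ip), normalize_ipv4(ip) + "\t" + rest))
    return [row for _, row in sorted(rows)]


if __name__ == "__main__":
    for line in normalize_feed(LEGACY_FEED):
        print(line)
```

A plain string sort of the normalized column would put "10.0.2.15" before "8.8.8.8"; sorting on ipv4_sort_key keeps the numeric order the old padding was chosen for.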
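For the .desktop story, a triage heuristic for launcher files that present themselves to the user as documents but hand control to something else. This is an added example, not Cyfirma's or ISC's code. Type, Name, Exec and Icon are the standard Desktop Entry keys; the indicator lists and the three sample files are constructed for illustration and should be tuned to your environment. The point it makes is that the decoy pattern is a mismatch between what the entry advertises (a PDF name or icon) and what it executes (an interpreter, a fetch or decode tool, or a path under a scratch or hidden directory), so a legitimate shortcut that opens a real PDF through xdg-open is left alone.

```python
"""
Triage heuristic for Linux .desktop launchers that masquerade as documents,
the decoy pattern Cyfirma described in the Linux BOSS campaign.

Added example, not Cyfirma's or ISC's code. Type, Name, Exec and Icon are the
standard Desktop Entry keys; the indicator lists and the three sample files
are constructed for illustration and should be tuned to your environment.
"""
import shlex

DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt")
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl", "ruby", "nohup"}
FETCH_OR_DECODE_TOOLS = {"curl", "wget", "base64", "openssl"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_desktop_entry(text: str) -> dict:
    """Return the keys of the [Desktop Entry] group (minimal INI-style parser)."""
    entry, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_group = (line == "[Desktop Entry]")
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry


def _basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def looks_like_document(filename: str, entry: dict) -> bool:
    """Does the file advertise itself to the user as a document?"""
    name = entry.get("Name", "").lower()
    icon = entry.get("Icon", "").lower()
    fname = _basename(filename).lower()
    return (name.endswith(DOC_EXTENSIONS)
            or any(hint in icon for hint in ("pdf", "document", "office"))
            or fname.endswith(tuple(ext + ".desktop" for ext in DOC_EXTENSIONS)))


def triage_desktop_file(filename: str, text: str) -> list:
    """Return the reasons this file matches the document-decoy pattern ([] = clean)."""
    entry = parse_desktop_entry(text)
    if not looks_like_document(filename, entry):
        return []  # only the decoy pattern is hunted here
    reasons = []
    fname = _basename(filename).lower()
    if fname.endswith(tuple(ext + ".desktop" for ext in DOC_EXTENSIONS)):
        reasons.append("double extension in filename")
    try:
        argv = shlex.split(entry.get("Exec", ""))
    except ValueError:  # unbalanced quotes; fall back to a naive split
        argv = entry.get("Exec", "").split()
    command = _basename(argv[0]) if argv else ""
    if entry.get("Type") == "Application" and command in INTERPRETERS:
        reasons.append(f"document-like entry runs an interpreter: {command}")
    if any(_basename(tok) in FETCH_OR_DECODE_TOOLS for tok in argv):
        reasons.append("Exec references a download or decode tool")
    if any(tok.startswith(SCRATCH_DIRS) or "/." in tok for tok in argv):
        reasons.append("Exec touches a scratch or hidden path")
    return reasons


# Constructed samples: two benign launchers and one decoy.
BENIGN_EDITOR = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=org.gnome.TextEditor
"""

BENIGN_PDF_SHORTCUT = """[Desktop Entry]
Type=Application
Name=User Manual.pdf
Icon=application-pdf
Exec=xdg-open /usr/share/doc/example/manual.pdf
"""

DECOY_LAUNCHER = """[Desktop Entry]
Type=Application
Name=Quarterly_Report.pdf
Icon=application-pdf
Exec=bash -c "/tmp/.cache/update"
Terminal=false
"""

if __name__ == "__main__":
    for fname, body in [("editor.desktop", BENIGN_EDITOR),
                        ("manual.desktop", BENIGN_PDF_SHORTCUT),
                        ("Quarterly_Report.pdf.desktop", DECOY_LAUNCHER)]:
        print(fname, "->", triage_desktop_file(fname, body) or "clean")
```

Run over a user's Desktop and ~/.local/share/applications directories, the function gives a short list of reasons per file rather than a verdict, which keeps it useful as a first-pass filter feeding manual review.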
As a Microsoft 365 user, if you're setting up a new tenant, in order to facilitate testing of the new tenant, Microsoft allows you to send email using the onMicrosoft.com domain. Sadly, as with many things, this has been heavily abused in the past. For example, it's been used for spam or phishing because it is associated with Microsoft and is often mistaken for an official Microsoft domain. In order to combat this, Microsoft will now restrict how many emails you may be sending using that particular domain. This is being rolled out sort of in a step-by-step fashion, starting with very small tenants first. By December 1st of this year, Exchange users with fewer than three Exchange seats will be limited, and it will be fully rolled out by June next year, at which point users with more than 10,000 seats will also be affected by the same rate limiting. What you're supposed to do instead of using onMicrosoft.com is use your own domain, which, as a legitimate Microsoft 365 user, is usually what you would prefer over onMicrosoft.com just in order to represent your brand.
Well, and that's it for today. So thanks for listening, thanks for subscribing, liking and recommending this podcast, and talk to you again tomorrow. Bye.