Is SquirrelWaffle the New Emotet? How to Detect the Latest MalSpam Loader 

Since early September, SentinelLabs has been tracking the rapid rise of a new malware loader that previous researchers have dubbed “SquirrelWaffle”. The tool has been utilized in multiple global attacks since then and is being likened to Emotet in the way it is being used to conduct massive malspam campaigns.

In this post, we explain how SquirrelWaffle works, what to look out for and how to protect your business from the latest malspam loader.

What Is SquirrelWaffle Malware?

SquirrelWaffle is a recent malware loader that is distributed through malspam – malicious spam mail – with the purpose of infecting a device with second-stage malware such as cracked copies of the red teaming tool Cobalt Strike and QakBot, a well-known malware that started life as a simple banking trojan but has since evolved into a multi-functional framework with RAT (Remote Access Trojan)-like capabilities.

Researchers have noted how the infection chain may begin with an email reply chain attack, in which a threat actor neither inserts themselves as a new correspondent nor attempts to spoof someone else’s email address. Instead, the attacker sends the malicious SquirrelWaffle email from a hijacked account belonging to one of the participants. Since the attacker has access to the whole thread, they can tailor their malspam message to fit the context of an ongoing conversation. Given that the recipient likely already trusts the sender, there’s an increased likelihood of the target opening the maldoc or clicking the link. Email reply chain attacks were a hallmark of Emotet campaigns and contributed a great deal to its success.

SquirrelWaffle first appeared in early September and defenders have noticed an uptick in incidences of infection since then. SentinelLabs researchers have also noticed that the malware drops unique payloads even from the same infection chain and that file path patterns are continuing to evolve.

How Does SquirrelWaffle Infect Devices?

Initial delivery of SquirrelWaffle as a first stage loader often comes courtesy of a phishing email with either a malicious MS Word or Excel attachment or embedded link leading to a zip-compressed malicious document download. These maldocs contain VBS macros which execute PowerShell to retrieve and launch the SquirrelWaffle loader.

The initial SquirrelWaffle files are written to disk as prescribed by the malicious PowerShell script responsible for their retrieval. For example, early clusters of malicious documents dropped SquirrelWaffle using this set of file names:

SquirrelWaffle infection following the launch of a poisoned Excel file

Importantly, no two runs of the same malicious document will produce the same SquirrelWaffle payloads. On each execution, the payloads written to disk will have unique hashes.

C:Datoptest.test - 8d7089f17bd5706309d7c6986fdd1140d6c5b4b2
C:Datoptest1.test - 52452f6f0ab73531fe54935372d9c34eb50653d8

"C:UsersOneDrive - folder, IncDesktopgrade-2086577786.xls"
C:Datoptest.test - bce0e9e1c6d2e7b12648ef316748191f10ed8582
C:Datoptest1.test - 8ba7694017d1cea1d4b73f39479726478df88b20

"C:UsersOneDrive - folder, IncDesktopgrade-2086577786.xls"
C:Datoptest.test - 8aec96029b83d3b226c8c83dd90f48946ee97001
C:Datoptest1.test - 8262cd7029f943a7b6199b5a6c51ec19e085c3b7

SquirrelWaffle has been observed using more conventional file name patterns as well, such as those with .dll extensions:


In early November, we observed yet another pattern, indicating that the malware authors are continually iterating:


SquirrelWaffle Shares Code With Other Attack Frameworks

SquirrelWaffle, in common with many other malware samples, uses a custom crypter. Doing so is attractive for many reasons, not the least of which are obfuscation and anti-analysis to prevent researchers from developing strong indicators of compromise for detection.

Researchers have shown that SquirrelWaffle uses the same custom crypter as other well-known attack frameworks including Ursnif, Hancitor and Zloader. This is used, among other things, to hide the malware’s Command and Control (C2) URL.

Upon infection, SquirrelWaffle can download a Cobalt Strike payload with .txt extension and execute using the WinExec function. The other likely payload that may be downloaded by current SquirrelWaffle infections is Qakbot.

Below we can see process injection into explorer.exe from a SquirrelWaffle infection.

If infected with Qakbot, the malware will attempt to extract email data from the host.

From the above image, we can see the C:UsersEmailStorage___ pattern. The “collector_log.txt” contains a record of the malware’s enumeration and exfiltration process.

How To Protect Against SquirrelWaffle

The SentinelOne platform detects and protects all customers against SquirrelWaffle infection. In the video demonstration below, we set the agent policy to ‘Detect Only’ to observe the infection in action. In ordinary circumstances, customers would use the Protect policy to prevent execution.


Cybercriminals are quick to come up with new loaders to team up with other groups that will help deliver a variety of payloads to achieve maximum financial gain. SquirrelWaffle is the latest such loader, currently being used to deliver Cobalt Strike and Qakbot but which can easily pivot to dropping any payload the operators wish. While SquirrelWaffle is certainly not yet anywhere near as prevalent as Emotet in its heyday, all the hallmarks are there of a campaign and infrastructure looking to grow.

If you would like to know more about how SentinelOne can protect your business against SquirrelWaffle and other threats, contact us for more information or request a free demo.

Example SHA1 Hashes


Podcast: “Roided-out Sitting Duck, Part 2” with Juan Andres Guerrero-Saade

Principal Threat Researcher at SentinelLabs, Juan Andres Guerrero-Saade (aka JAG-S) talks to Rachel Lyon and Eric Trexler in the second of a two-part To the Point – Cybersecurity podcast. If you missed the earlier episode, you can catch Part One here.

In Part 2, JAG-S tells the story of the MeteorExpress wiper attack on the Iranian railway system and explains how the U.S., while the most powerful cyber nation in the world, is also one of the most vulnerable. He goes on to discuss cybersecurity careers, how to get started and the importance of finding mentors once you’re in the industry.

Click ‘play’ and enjoy the ride!

“Roided-out Sitting Duck” – Part Two Audio automatically transcribed by Sonix

“Roided-out Sitting Duck” – Part Two
this mp3 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.

Welcome to the Point Cybersecurity podcast. Each week, join Eric Trexler and Rachel Lyon to explore the latest in global cybersecurity news, trending topics and industry transformation initiatives impacting governments, enterprises and our way of life. Now let’s get to the point.

Rachael Lyon:
Hello, everyone, welcome to to the Point podcast, I’m Rachel Lyon here with co-host Eric Trexler. Eric.

Eric Trexler:
Rachel, this is going to be a great part two with JAG-S. The stories from last week continue. Yeah, we’re going to move to the Middle East and we’re going to talk about a little modern day story that just happened in July of twenty twenty one. It’s going to be fabulous.

Rachael Lyon:
Yeah, I’ve so many questions, too. I can’t wait. It’s been so hard to wait a week for this episode. I don’t know about you, but I have been so excited for this one to come out.

Eric Trexler:
It’s good to tease the listeners.

Rachael Lyon:
Exactly, exactly. Because how often do you wait for things anymore? Because when you do though, it’s it’s horrible and painful.

Eric Trexler:
Agreed. So anyway, with that, let’s kick off Part two with JAG-S from SentinelOne.

Rachael Lyon:
Yes, let’s do it. Absolutely. We talk to you about Kenny. You know, attackers kind of finding the rhythm or finding their way. You know, you recently wrote about this Iranian train attack, and I love that you guys called it The Meteor Express.

Juan Andres Guerrero‑Saade:
Yeah, it’s it’s the last bastion of creativity and threat intelligence. Sneak in a nice name.

Eric Trexler:
Love the naming. I just I mean, the creative naming just gets me going. It’s awesome.

Rachael Lyon:
But I love everything about this and I don’t want to steal your thunder. But you know, I love that there is kind of like this epic kind of trolling by the attacker and you know how they were directed to, you know, kind of who they were directing to call, you know, with plates or, you know, in the signage and all the things. So I please, please tell, tell our listeners more about kind of what you learned about this.

Juan Andres Guerrero‑Saade:
Ok, so this is a it’s a kind of a complicated story and a really interesting one. And I don’t know when this is going to go out, but like it continues to develop. So there are some things in there that I want to touch on that are not in the report and that it’ll probably keep evolving by the time the plays into this.

Eric Trexler:
Like, how much time do you need? We’ll record it, Rachel and I’ll be quiet, we’ll sign the NDAs.We’ll release it w hen you let us know.

Juan Andres Guerrero‑Saade:
No, let me. I’ll be as forthright as I can be, but I think, you know, this is going to keep evolving beyond today. So. We got into this thing about Meteor Express, right, then there’s a wiper attack in Iran and the sort of the railway system. And it’s particularly funny in a sense because you mentioned that this epic troll, right, they wipe all these systems, they take down the ability to coordinate these trains. And all of the displays have a picture that says, you know, trains delayed due to cyber attack. For more information, call this number. And I think it’s like six, four, four one one or something like that. And it turns out that it’s the supreme leader’s office in Iran. So I think, you know, epic troll, absolutely hilarious. Now that being said, I, you know, I try to keep the glibness in check because the other element of this is, well, somebody just deployed a wiper on critical infrastructure somewhere. So like, that’s the part where like, we’re kind of laughing and it’s Iran. So everybody finds everything acceptable when it’s, you know, when it’s Iran, North Korea, certain places, you’re like, Oh, fair game, but something, you know, I feel like in a sense, someone who is willing to do something that had it happened here, we would have been right over the Moon about right. We sorry, we would have been very, very upset about pretty pissed off. Well, I guess

Rachael Lyon:
That’s a question, too. Is it? I mean, why there, you know, is it a test? Is this like a test kind of kitchen activity or?

Juan Andres Guerrero‑Saade:
I don’t think so. So I think this is where you know, OK, let’s cover the basic ground and then we’re going to go into kind of what’s going on with this right? So there was a report out of an Iranian AV company of some of the components that they saw. And just based on some of that, I was able to rebuild the entire attack chain. You know, thankfully, we were able to find all the files and figure out what happened.

Eric Trexler:
I mean, there’s an Iranian AV company.

Juan Andres Guerrero‑Saade:
There is, I believe it’s called Padvish or something like that.

Eric Trexler:

Juan Andres Guerrero‑Saade:
Well, you have to think about it. Most companies can’t do business with Iran, right? If we wanted to create the EDR and make it interesting. Ok, yeah. It puts them in a particularly disadvantageous position, to be honest with you. You know, most countries, this is a the inside ball, but most countries want to develop their own navy because nobody trusts foreigners. Right. Then they try to do it and they realize it’s a monumental task. And they, yeah, they they claw back.

Eric Trexler:
And who’s buying Iranian AV software? I mean, there’s

Juan Andres Guerrero‑Saade:
An American market, either. Probably only Iran. Maybe a few other Middle Eastern partners, but

Eric Trexler:
Who thought their trains would run on time if run at all? So, I mean, Anyway, well, it’s.

Juan Andres Guerrero‑Saade:
No, no. I think you know, they’re getting.

Eric Trexler:
Yeah, she’s back to acting. Go ahead, JAGS.

Juan Andres Guerrero‑Saade:
We’ve gotten their teeth kicked in enough for the past few days. But you know, again, there’s the glib side of this. There’s the funny end of it. And then there’s a really serious one, right? Like, they’re being ravaged by COVID. They have this horrible political system that that’s showing all kinds of of terrible abuse of folks and so on. And this story actually transcends into that. So again, getting to the basics, right? We rebuild this toolkit. It’s an interesting wiper. I sort of got the detail of everything, and the wiper is called a meteor. That’s why we call it Meteor Express. I think it’s particularly important to if you discover something, get to put your stake in the ground and name it artistically. So we call it the Meteor Express, and it’s a really interesting set of activities because first of all, it doesn’t relate to any known threat actor we have seen at the time. And also it’s. Oddly clunky and poorly deployed and yet there are elements of it that are very, very well done. So to me, it’s not clear cut to say, Oh, this is a very advanced, sophisticated threat actor. It is not, but it’s definitely not somebody that just came out of the woodwork and figured out how to use a computer yesterday. Like, there’s something happening here.

Eric Trexler:
It’s probably an Israeli college classes like a final project or something.

Juan Andres Guerrero‑Saade:
Well, you know, what’s funny about that is, I think a lot of this is where we get into some of the complicated parts of threat intel, right, it’s very easy for this to get politicized, it’s very easy to kind of misstep, and I’ve written a couple of papers about this because it causes a lot of anxiety for folks, and I don’t know how many people had seen this activity before I wrote on it. But I do know of some folks that looked at it and said, Oh, this is probably Israel, and they backed off. And I personally don’t like that. I try to, you know, I’ve worked on American stuff. I’ve worked on European stuff. I’ve worked on, you know, Israeli stuff in the past. And I really don’t like the idea of just backing away from something because you think that it’s a friendly country. And in this case, I’ll be honest with you, if you asked me for my gut instinct, I don’t think it’s that. Yeah, it’s underestimating the diversity of threat actors in the Middle East to think that every semi-sophisticated attack in Israel, and to be honest with you, the quality of stuff coming out of Israel is drastically higher. It is.

Eric Trexler:
Maybe it was like a middle school class project. Well, let me put it, let me ask you a question because I saw it in the press, and I’ve only as far as I’m involved. I only know what’s in the press and probably not even half of what’s in the press, because I’m not spending a lot of time on this. But the first thought that comes to mind is. Who the hell Rachel decides to attack and the Iranian train system? I mean, who even thinks about Iran and the trains?

Rachael Lyon:
Well, that’s my question, too. I mean, that’s why I wonder is, was it a test kitchen kind of scenario, you know, where you kind of like it’s, you know, kind of low hanging fruit to go?

Eric Trexler:
It seems like an oddball target, right?

Juan Andres Guerrero‑Saade:
It absolutely is. Yeah, an oddball target, but that’s where it’s OK. So I put on my research and then checkpoint came out, and I believe it’s Itai Cohen and a couple of other folks over at Checkpoint picked up on it and wrote their own follow-up, and they found something interesting. Based on this meteor express stuff, they are able to find earlier versions of that wiper that are called stardust and comet by the attacker. And. Ok, let’s try to follow along here because it gets complicated.

Eric Trexler:
Right, I’m doing my best. I’m a podcast, but we’ll do OK.

Juan Andres Guerrero‑Saade:
I just wish we had a whiteboard right now because I think the timeline is really important. So Check Point finds these and they realize that in the code, there’s a reference to a group called Indra. And Indra is a quote-unquote hacktivism group that’s interested in attacking Syria, and they claim a couple of Syrian hacks. It’s they’re really interesting targets. It’s like a company that does money exchange services that they accuse of laundering money for the Quds Force and a private airway company that’s doing private jets for Soleimani and other folks in Iran. And so very, very interesting, very well chosen targets. And then I like to point this out because if you ask me and this is where kind of checkpoint and I stand in direct opposition, they think it’s hacktivism. I do not. We have seen a lot of examples of nation-state groups pretending to be hacktivists. The North Koreans did it. They’ve done it several times with Guardians of Peace for Sony. They used to do the WHOIS team. There are new Romanian cyber army. They’ve created a bunch of fake fronts for their activities, and so have the Russians. The Russians did Guccifer 2.0 and Poland cyber breakout cyber caliphate. Yemeni cyber army. They’ve created a bunch of these things where they make it look like it’s organic hacktivism, and in reality, it’s the same old threat actors that you can think of, and they’re using fake fronts to justify their hack and leak operations, right? Rather than saying, Look, we’re we’re the GRU providing you with stolen info, it’s well, no, we’re patriotic hackers out of Ukraine or whatever.

So maybe I’m overly primed to look at it this way. But to me, this has all the markings of a fake hacktivism front. And the reason I said, you know, this is a continuum. This is a story that continues to develop and will probably develop further beyond when this podcast is revealed or released. It’s because. What Checkpoint finds to me is a specific time to limited campaign. You see a couple of attacks in Syria with this toolkit under the banner of Indra in November 20 20 in Drug Goes Dark. They stop posting on Twitter, they stop posting on Facebook and they stop using Stardust and comet the way that they were coded. Instead, we see Meteor being coded with no reference to Indra in January of 2021 and deployed in July of 2021, along with a couple of other mysterious hacks in Iran that we haven’t been able to investigate. The latest of which is Evin Prison, and I don’t know if you guys got to see the news out of this. It is really interesting and kind of terrifying, right? So a hacktivist group quote-unquote hacks Evin Prison, which is believed to be one of the darkest places on Earth. It’s basically where the Iranians take political prisoners and whatnot, and they steal tons of footage from the security cameras inside of this prison, publicly release it and then lock up and wipe the machines. And in that footage, you can even see the machines being locked up and wipe. You can watch the operators in that prison basically see this happening. And frankly, you know, I can’t make a solid assessment because I’m not doing either on those systems and I don’t have any samples. It looks like the same functionality as media or express that is not enough for anybody to make a solid assessment. I’m not going to put my hands in the fire about it, but I’ll say that it looks very similar. And the day that this hack is announced, we get a new account called EDR Ali, a new hacktivism front that claims the Evin prison hack and does the same megaton see a massive dump of stolen stuff and continues to have a social media presence and promises more attacks. Wow. So me my speculation. Is we’re seeing a group adopting fake activism fronts first for a campaign in Syria now for a campaign in Iran. And to me, that’s foreign influence. To me, that’s an established group of some sort that is basically whitewashing their exfil through seemingly, Oh, this is organic activism. People have had enough. They’ve decided to do this hacking. We would all love to believe that activism is alive and well, and maybe it is in places like Belarus, but I don’t think that that’s the situation here. That’s my honest take on it.

Eric Trexler:
So who attacks an Iranian-trained system? Right? An Iranian prison? Well, you just I’m trying to put that together like motivation, you know? Yeah, it’s the motivation disruption.

Juan Andres Guerrero‑Saade:
Let’s put it this way. Again, folks tend to immediately think about, for example, Israel in this context, but not only is Israel there, but the United Arab Emirates is there. Bahrain, Jordan, there is. Lebanon has been shown to have their own cyber espionage capabilities. There are quite a few well-resourced groups and in particular, I mean, we’ve been seeing a lot come out about the Emirati cyber program between stuff with dark matter and everything that happened post Cyber Point contract and the amazing stories of Chris being put out on Reuters about karma and how former NSA contractors had basically been helping them build capabilities in the Emirates. I’m not pointing at them in particular, but I’m saying we’re oversimplifying the Middle East. If we think that it’s really one one attacker and a one victim in either direction. I mean, the Iranians have been pissing plenty of people off with their own wiper attacks for years now, including the South. But who

Eric Trexler:
Do you? Who do you hurt if you hack the prison and the train system?

Juan Andres Guerrero‑Saade:
Well, I think in a sense, you in a sense what you are doing is chipping away at the legitimacy of that government. It’s not that you are really going to disable them, it’s that you’re essentially showing this general uncoordinated weakness that comes along with being unable to stand up to some ephemeral force. Worse yet, when you can claim that it’s locals right, the idea that your own people are against what you’re doing is part of the propaganda force that comes along with the hacktivist group.

Eric Trexler:
So then if you take the train system, which a lot of people use. Right. I’m assuming the administration, the people running the company of private cars and planes and helicopters and things, but the people are on the train system. They use six four four six four four one one. The phone number, I guess, for the supreme leader’s office. Right. So I understand that in the prison showing what’s going on in this very dark place, maybe you start to pull it together. I guess you’re right. I mean, your question does make them look bad.

Juan Andres Guerrero‑Saade:
You’re putting into question the legitimacy of it. I think it’s important in a sense, because it’s a lot easier to deny obscure hacks that happen inside of, you know, the ministry. Apparently, they also hack the Ministry of Urban Development and Roads or something. Yes. Yes. You know, it’s like, I mean, who knows, right? They can just say nothing happened. And the Iranians often do they either that government will either come out and say, Oh my God, we are being pummeled by cyber attacks, and it turns out to be nothing. Or they’ll say nothing happened here. And it turns out that a whole ministry got taken down. So in a way, targeting something that normal everyday people rely on is a fantastic way of just showing egg in their face, right?

Eric Trexler:
This is not powerlessness. The powerlessness of leadership. Right, right, right.

Juan Andres Guerrero‑Saade:
It’s something that you began with with Stuxnet. I mean, we’re talking about part of the and I hate to invoke the ghost of Stuxnet because it’s brought up in every conversation. But part of the power of Stuxnet was psychological. Once the Kim Zetter wrote such a fantastic book on this, if folks haven’t read it. Countdown to zero days. Probably the best threat Intel story out there. Kim Zetter Fantastic journalist for this, but part of the effect of Stuxnet was they were doubting their own competence. They were firing scientists. They were chasing their own tails, replacing equipment. It’s a psychological effect to say, Oh God, we just can’t get our act together to get this done. And now we’ve got something similar. You know, we’re experiencing it in the U.S., too, right? The ransomware epidemic for enterprises is definitely making us look like this horrible. I think I use the expression royd it out sitting duck, right? Like we were the most powerful cyber nation on Earth. But we’re also just getting slammed all day and we can’t do anything about it. And you know, the show situation in Iran.

Rachael Lyon:
I know that’s what I laying down..

Eric Trexler:
Sitting duck with Jags. But you’re right. I mean, they’re incredibly vulnerable, easy targets, and we can’t do a lot about them.

Juan Andres Guerrero‑Saade:
It’s I mean, it’s a sad situation to have what is arguably the most power in cyberspace and to have your hands the most tied out of anybody else, right? The U.S. is

Eric Trexler:
The most vulnerable too

Juan Andres Guerrero‑Saade:
Yeah, we’re all that all comes down to dependency on technology, right? It’s such an enabler. It’s such a source of our power. And we have the largest corporations economically, the largest corporations on the planet. They’re all technology companies, right? And that shows the great promise of America is largely built on the tech sector right now. So if if you can chip away at our ability to depend on that, you know, I think that’s part of the ridiculousness of the arguments that we have about cyber war and particular cyber on cyber, right? It’s like, Oh, if we get hit, then we’re going to retaliate with cyber. It’s like if you take down some systems in Russia or in Iran or in China, I mean, the trains aren’t working. We’ll walk like there’s fine. If you do that in the U.S., like look at what happened with Colonial. They didn’t even hit the OT system. They just took down the billing and I had to pay like seventy five dollars to fill up my tank here in Miami, even though that pipeline doesn’t even reach here. But what about the people who

Eric Trexler:
Are putting gasoline into into plastic bags?

Juan Andres Guerrero‑Saade:
Oh yeah.

So to show some problems,

Juan Andres Guerrero‑Saade:
Our collective wisdom is not what it what we’d like it to be.

Eric Trexler:
That could be a different show title.

Rachael Lyon:
Yeah, we had someone there was someone in Texas that had filled a trash trash can in the back of a pickup truck, and there wasn’t even a top on it. So I’m like, How do you how do you drive it?

Juan Andres Guerrero‑Saade:
Well, you’re just getting high on the way out on figuring out how you one

Eric Trexler:
Spark, though you’re you’re you’re your firework.

Juan Andres Guerrero‑Saade:
I don’t know what to tell you.

Eric Trexler:
Yeah, we’re not going to fix that one today. So. So Jags, I think we’re going to turn this into a two parter. The stories are awesome.

Rachael Lyon:

Eric Trexler:
How did you get? How did you get into this career path? Like you say, this is where I want to go.

Juan Andres Guerrero‑Saade:
So my career path is super unlikely and I’m incredibly fortunate to have ended up where I did. I was a. Philosophy major, and that was my whole thing, I was just going to kind of stick to really obscure German philosophy that nobody ever wants to read. And somehow that that turned into a lot of intelligence analysis work, which I really enjoyed and eventually being on the receiving end of a lot of cyber attacks and know having no local expertise, you know, develops into a fascination for something that was not immediate to my skill set, but that was interesting enough to be worth the dedication and devotion to try to learn and learn and learn. And I credit my time at Kaspersky a great deal. I had the pleasure of working in global research and analysis team for four or some years, with amazing researchers like Coson Ryu and Kurt Baumgartner and Brian Bartholomew, and all these fantastic folks who took the time to teach a lowly analyst how to do things. And it’s just been getting into trouble ever since, right? Like I mentioned, I I don’t. I lack the common sense, or at least the survival instinct to not look at certain things. And it has led me down some really interesting roads

Eric Trexler:
That but you’re not you’re not getting a job as an obscure German philosopher at Kaspersky on that right? I mean, like, where are you working? Where you determine like that path? Because we have a we have a tremendous amount of need for people like you. Yeah, not not Rachel. And I was like, How do you get started? Because we get a lot of people want to know. How do I get into the business, yes, like, what’s that journey?

Juan Andres Guerrero‑Saade:
So I think my journey isn’t necessarily the one that I would immediately prescribe for others, but I would say I am definitely not an outlier in the thread intel research space in the sense that there’s a lot of folks that I know a lot of folks have never graduated high school. They got their GED and they just, you know, went into this because it’s what they loved. And I know people that are PhDs in physics and just people that are just all over the spectrum who just love puzzles and love doing this kind of research. And I think that should be encouraging, particularly to folks who have a mind for critical thinking, who have a mind for everything that would make you a good intelligence analyst or somebody who’s into international relations and geopolitics to say, Look. Just because you don’t have the technical information right now doesn’t mean you are barred from the space. I’ve gone on the record and I did this at a Carnegie Mellon lecture, which was probably not the nicest thing to do for a tech, a purely technical department. But I’ve gone on the record to say that I would rather hire a really smart international relations or intel analyst and teach them the technical stuff the way it was taught to me. Rather than take a course grad and try to get them to think more broadly and try to understand motivations and and cui bono and international relations and what happens between Iran and the Emirates and so on. It’s so much harder to broaden a technical person’s thinking than it is to take a broad minded individual and teach them technical things.

Eric Trexler:
It reminds me we had George Randall on, I don’t know, a year or two year and a half two years ago. Probably he’s from an air talent acquisition perspective, and he wrote a book on. The talent weren’t he talks about one of the major themes is higher for characteristics, train for skill, don’t hire for skill, right? And one of the stories they use in the book is Navy SEAL Story. Like every Navy seal, who’s a Navy seal already went through buds, the Navy SEAL training program. You can’t get non Navy SEALs with Buds qualification, so you’ve got to look for the characteristics you can’t say looking for a navy seal to be a navy seal because they already are.

Juan Andres Guerrero‑Saade:
Right, right.

Juan Andres Guerrero‑Saade:
You’ve got to look for the people like you out there that have those characteristics. So when you say you’re an obscure German philosopher, like, that’s what you like, that was your interest. Yeah, to me, having having actually worked with and, you know, I was managing, overseeing, I guess, a malware, an advanced malware lab capability. They were all over the place. I mean, we provided Xboxes, Nerf guns, you know, crazy wacky lunches. But but the the spread of a variety of the people in the lab who you’re working with Marco Figueroa right now, I mean, Marco is not normal, let’s be honest, right? But he’s he’s amazingly capable and brilliant, right? You’ve got to look for people who have characteristics. Yeah, we’re going to put a job ad out for looking for obscure German philosopher.

Juan Andres Guerrero‑Saade:
Right? Like, it doesn’t work. Do not do that.

Eric Trexler:
So that’s why I ask about your journey, because I think it’s I think it’s something that there are a lot of people across the globe who would be really good. Yes, at this business,

Juan Andres Guerrero‑Saade:
I think so. There’s a couple of things here. One of them is it’s a shame that we don’t have a good talent pipeline. I think a lot of universities are kind of failing to put this together. And it’s just it’s a shame that we don’t have a way to really churn out talent because we need it. I mean, I am not worried about job security. Nobody in this space should be worried about job security. We have enough work for ten times the amount of people that we have here, so please bring them along, right? The issue is right now we’re kind of living in the apprenticeship model. You’re if you’re lucky enough to go somewhere with great folks, then you learn from them how to do things. And then someday you, you pay it forward and you teach somebody else how to do things. And that’s tough. But the corollary for me is look at something like Bellingcat, like Bellingcat is fantastic. It’s brilliant. It’s I’m not

Eric Trexler:
Familiar with Bellingcat. Forgive me.

Juan Andres Guerrero‑Saade:
Oh my god, you’re missing. You’re missing out, you’re missing out.

Eric Trexler:
So you educate me. That’s why we do the show.

Juan Andres Guerrero‑Saade:
Bellingcat is a UK collective of citizen journalists. Ok? Basically, people who really like are passionate about some obscure subject and decide to use open source intelligence to figure out what the hell’s going on. They’ve done a really notable work, for example, investigating the downing of MH 17, the poisoning of the Skripals and the U.K. they’ve done a lot of very significant work. They’re also helping to track, you know, human trafficking victims like anything that they can basically take some leads of information and use open source intelligence to just figure out what’s really going on, identifying videos of victims in Africa. You know, what country is this? Who did this? You know, it’s fantastic because honestly, there isn’t a there really isn’t any gatekeeping about who can be a part of this effort. It’s very easy for folks to come in and say, You know what, I just really care about this. I’m going to learn the tools and techniques, and I’m going to contribute and other folks are going to check my work. And if it’s worthwhile, we’re going to publish it. And I think there should be a similar mentality when it comes to threat intel and infosec, which is to say, Look. Start your blog, start your journey. Tell us what you’re working on. Show us what you’re learning. And it’s I think, yeah, you’re not going to put out a job requirement for someone who’s into obscure German philosophy. But I think it’s much easier to extend the hand to somebody who has a blog and you’re like, Wow, like, I mean, they don’t know everything, but you know this this person, they’re a student or whatever, or they’re just a random individual who really cares about this, like they’re on to something. Let’s hope so. I think that’s an easier way to get a foot in the door to show your curiosity and show what you can do on your own. And good hiring managers should be able to say if they can do this on their own. Imagine what they’ll do with our tools and our mentors, right?

Eric Trexler:
And when we’re mentoring them and working with them. So one of the pieces of advice then is get creative, get out there. But also when you look for that first or second job, find a good mentor, find somebody who can teach you because it is an apprenticeship model. I would argue with that. The only difference I would say is you can look at things like maybe DHS, but definitely NSA, Cyber Command, CIA in the States, GCHQ in the UK. You know, I’m sure the Iranians have a have a good training program to over there and the offensive work. Does in my experience, anyway, it does make good defensive people like that’s probably the most structured training program. You’re not going to go to a college necessary and B and figure this stuff out overnight. But if you’re doing the offensive stuff, you get to think like the adversary and then can defend somewhat against them.

Juan Andres Guerrero‑Saade:
Yeah, I think that’s an interesting argument for folks to consider going the government route. I mean, obviously great to be able to serve your country. And to be honest, even though you’re going to be underpaid, you are going to get opportunities to do things. You’re never going to be able to do anywhere else, right? I can’t I can’t hire you and say, Hey, go pop those command and control servers. Let me know what you find. So there’s some there’s definitely something to be said for that. I think from the industry we can. I think we have to admit that, for example, Unit Eighty two hundred has figured out how to churn out amazing talent they are on to. Something is real, Rachel. Yeah. I mean, there the rest of us are not on to. I mean, they just churn out a massive amount of great people. We should probably ask them how to set up a talent pipeline and

Eric Trexler:
Look at the flourishing cybersecurity industry in Israel. I believe yes, much due in part to the work that’s done over there.

Juan Andres Guerrero‑Saade:
Mm hmm. So I mean, there’s something to be said for there is a way to do this. I think we’re being, you know, maybe we’re being failed by the rigidity of the academic space not to set up better programs for it. But in any case, this is also a space where knowledge isn’t obscure. You can find most of the great tutorials for learning how to reverse and debug are freely available online. Back from the late nineties, early two thousands when people were just trying to crack software because they lived in Eastern Europe and they couldn’t buy it. Most of the stuff you need is freely available. No starch press does sales on their books basically every month. And if you are a starving artist and you really can’t pick that up, you could probably steal them online. Forgive me, Bill Pollock, but I’m saying you can get your start. You can do it. It’s it’s more about dedication, and I think that’s something that we really shouldn’t underestimate, even for people that already have their foot in the door. If you are purely an intel analyst, find the time to learn the technical side of the house. The more that you need to depend on other people for your technical end, the more you’re missing parts of the picture. So not to not to preach against Work-Life Balance or whatever, but this is your passion. There’s a lot of room to grow.

Rachael Lyon:

Eric Trexler:
Great advice and even reach out to famous published researchers. I’m betting nine times out of 10 they’re going to if somebody reaches out and says, Hey, I have a question about the industry, I’m betting people answer.

Juan Andres Guerrero‑Saade:
Yeah, absolutely. I mean, there’s a reason why, you know, DMs are open for a lot of folks, and Twitter has given everyone a voice for better or worse. And you can you can reach out to amazing individuals and half the time they’ll answer. So yeah, might as well try.

Eric Trexler:
And fascinating, Rachel.

Rachael Lyon:
I know

Eric Trexler:
Know to end the week.

Rachael Lyon:
Stunned silence.

Eric Trexler:
That you didn’t have this on the set with all my children.

Rachael Lyon:
No, no, it was quite different.

It was given her such a hard time about her.

Eric Trexler:
Oh my god, I love it. I’m so are you kidding, Jags? I am so impressed.

Juan Andres Guerrero‑Saade:
It’s a diversity of skills. It’s a wide range of skills.

Rachael Lyon:
Exactly, exactly. And cyber takes all comers. I love that

Eric Trexler:
Rachel is amazing at what she does. So a couple of years ago, we were at RSA and we did a show. Rachel was going to listen in one of the podcasts and. We surprise her, I was with our CTO at the time we were doing a show about RSA, and Rachel was the featured guest she was supposed to listen in. She had no prep or anything. We’re huddle around a little Blue Yeti mic in a room right off of Moscone Center. Yes, and we put Rachel on the spot and she was freaking amazing. I don’t know the podcast episode. Yeah, but I believe, yeah, if you’re in marketing, if you’re in PR and you’re running shows and things, go listen to it because she talks about what it takes to put the show on what’s right? Anyway, she was a pro day one. I mean, I mean, she had no idea she came in live about, I don’t know, Rachel, 30 seconds into the show, we announce you as the featured guest and she just rolled with it, and that’s her acting experience. She’s a pro.

Rachael Lyon:
Well, it helps when you have good people to talk to. Like today. I mean, it’s, you know, fascinating people with all these amazing stories. I mean, it makes it really easy to have a really good conversation.

Juan Andres Guerrero‑Saade:
Thank you. Thank you for the opportunity. I mean, honestly, I don’t get to nerd out about these things often enough. You know, you’re running looking at the next case, but there are so many great stories in this space and

Eric Trexler:
There are great stories that we can’t wait to hear. What do you think is next? Are you working on anything next?

Juan Andres Guerrero‑Saade:
Oh, all kinds of things. So I mean, we try to. There is a bit of a competitive streak and we all kind of try to impress each other and come out with new things. So I’m actually

Eric Trexler:
Challenge out there now, lay the gauntlet down for everybody in the business.

Juan Andres Guerrero‑Saade:
Well, so I’m working on some, some special techniques to analyze go malware. There’s there’s some, really. I like to do something that we’ve nicknamed cyber paleontology like. I like to look back at stuff we tend to. The industry tends to be very now focused, you know, Monster of the week. Oh my God, SolarWinds, oh my God, say, oh my like every week is a different thing. And the truth is that we don’t have the resources to ever fully analyze any of these incidents. So I like to, you know me and review a few other folks really like to take old incidents and say, Well, what? What can we understand now, right in the vein of Moonlight Maze? What do we understand now? So I’m working on a really old school operation now, and honestly, I’m just waiting for the in-person conferences to really come back so that I can have a good venue to be like, All right, like, this is this thing I’m working on now.

Eric Trexler:
You’re hitting my area of expertise. Guess what? They’re shutting down. We just had another government shut conference shut down today. I don’t think you’re going to be back in person until probably second half of twenty two at this point.

Rachael Lyon:
January, January, January,

Eric Trexler:
Maybe April. I’m betting I put a dollar down. No, no January. But I don’t. I don’t want to bust your bubble. I just want to be honest with you. We’re seeing them cancel.

Juan Andres Guerrero‑Saade:
I’m selling myself the dream just because, you know my inner attention whore, you know? Yeah, they can’t take it. I need to get on stage and show

Eric Trexler:
I’ll come back on the podcast.

Juan Andres Guerrero‑Saade:
I love to do it. Yeah, please.

Rachael Lyon:
Yeah, we’d love to have you. It’s amazing.

Juan Andres Guerrero‑Saade:
We’ll have a lot more stories to cover.

Eric Trexler:
Ok. Well, Rachel, it’s Friday evening this time we’re recording, is that a wrap?

Rachael Lyon:
I think that’s a wrap. Yes.

Eric Trexler:
Take us home.

Rachael Lyon:
All right. Well, everyone, thanks again for joining us for this week’s podcast with Juan Andres Guerrero Sodhi. Well, there you go. Close. Yes, that’s perfect. Better known as Jag’s, but what an amazing conversation. Thank you so, so much for joining us today. We can’t thank you enough.

Juan Andres Guerrero‑Saade:
Thank you both. This is fantastic. I appreciate it.

Eric Trexler:
This was outstanding.

Rachael Lyon:
Yes, I hate. I don’t even want to ruin it. But you have to put the plug in, smash the subscription button, get a fresh episode every single week in your email. And it’s like Eric and I are just, you know, showing up at your doorstep and and having a nice conversation. How lovely is that? So for that laugh? So until next time, everyone stay safe.

Thanks for joining us on the To the Point cybersecurity podcast brought to you by Force Point. For more information and show notes from today’s episode, please visit W four point Gov podcast. And don’t forget to subscribe and leave a review on Apple Podcasts or Google Podcasts.

(function(s,o,n,i,x) {
var j=o.createElement(‘script’);j.type=’text/javascript’,j.async=true,j.src=i,o.head.appendChild(j);
var css=o.createElement(“link”);css.type=”text/css”,css.rel=”stylesheet”,css.href=x,o.head.appendChild(css)
})(window,document, “__sonix”,”//”,”//”);

SMS About Bank Fraud as a Pretext for Voice Phishing

Most of us have probably heard the term “smishing” — which is a portmanteau for traditional phishing scams sent through SMS text messages. Smishing messages usually include a link to a site that spoofs a popular bank and tries to siphon personal information. But increasingly, phishers are turning to a hybrid form of smishing — blasting out linkless text messages about suspicious bank transfers as a pretext for immediately calling and scamming anyone who responds via text.

KrebsOnSecurity recently heard from a reader who said his daughter received an SMS that said it was from her bank, and inquired whether she’d authorized a $5,000 payment from her account. The message said she should reply “Yes” or “No,” or 1 to decline future fraud alerts.

Since this seemed like a reasonable and simple request — and she indeed had an account at the bank in question — she responded, “NO.”

Seconds later, her mobile phone rang.

“When she replied ‘no,’ someone called immediately, and the caller ID said ‘JP Morgan Chase’,” reader Kris Stevens told KrebsOnSecurity. “The person on the phone said they were from the fraud department and they needed to help her secure her account but needed information from her to make sure they were talking to the account owner and not the scammer.”

Thankfully, Stevens said his daughter had honored the gold rule regarding incoming phone calls about fraud: When In Doubt, Hang up, Look up, and Call Back.

“She knows the drill so she hung up and called Chase, who confirmed they had not called her,” he said. “What was different about this was it was all very smooth. No foreign accents, the pairing of the call with the text message, and the fact that she does have a Chase account.”

The remarkable aspect of these phone-based phishing scams is typically the attackers never even try to log in to the victim’s bank account. The entirety of the scam takes place over the phone.

We don’t know what the fraudsters behind this clever hybrid SMS/voice phishing scam intended to do with the information they might have coaxed from Stevens’ daughter. But in previous stories and reporting on voice phishing schemes, the fraudsters used the phished information to set up new financial accounts in the victim’s name, which they then used to receive and forward large wire transfers of stolen funds.

Even many security-conscious people tend to focus on protecting their online selves, while perhaps discounting the threat from less technically sophisticated phone-based scams. In 2020 I told the story of “Mitch” — the tech-savvy Silicon Valley executive who got voice phished after he thought he’d turned the tables on the scammers.

Unlike Stevens’ daughter, Mitch didn’t hang up with the suspected scammers. Rather, he put them on hold. Then Mitch called his bank on the other line and asked if their customer support people were in fact engaged in a separate conversation with him over the phone.

The bank replied that they were indeed speaking to the same customer on a different line at that very moment. Feeling better, Mitch got back on the line with the scammers. What Mitch couldn’t have known at that point was that a member of the fraudster’s team simultaneously was impersonating him on the phone with the bank’s customer service people.

So don’t be Mitch. Don’t try to outsmart the crooks. Just remember this anti-fraud mantra, and maybe repeat it a few times in front of your friends and family: When in doubt, hang up, look up, and call back. If you believe the call might be legitimate, look up the number of the organization supposedly calling you, and call them back.

And I suppose the same time-honored advice about not replying to spam email goes doubly for unsolicited text messages: When in doubt, it’s best not to respond.

Create A Home Spa For Kids

As parents, you can offer your kid a safe and calm experience in which they can pamper themselves. Kids are very sensitive to the environment around them. If they are surrounded by love, tenderness, and with no noise around them, they tend to blossom immediately.

Home spas are perfect for soothing babies as well as older children. It allows them to explore new territories and enhance their creativity and imagination, giving them a sense of balance between mind, body, and spirit.

You can create a relaxing atmosphere for your kids that will have them wanting to take a bath every night! Have fun and try some of these ideas to make a home spa for kids!

How To Start?

The first thing you need to do is find a place in your house (or backyard) where everyone will feel comfortable and relaxed. This place should be spacious enough to fit a table, two chairs, and some plants. If your bathroom is big enough, it will also do: since it’s not only roomy but also watertight!

Next, it’s time to decorate the room for the home spa for kids! Decorate the room with glowing candles placed in safe holders out of reach from little hands or children under three years old. You can buy special candleholders with prongs sticking straight up, so it won’t spill everywhere if they knock it over.

The same goes for potpourri – use a dish that can’t be easily knocked over and mix it with water, so it stays fresh longer. For music, be creative and pick tunes that will calm your child’s nerves after a long day of school and playing.

What will you need?

Here is what you need for creating a home spa for kids:

  • Bathing supplies: You’ll need to get some special accessories for your bathroom that make kids want to scrub up.
    • First, buy some fun flavored bubble baths that your child can choose from.
    • Next, get bath paints for them to doodle with while in the tub.
    • Get a special bathtub sponge that is gentle on the skin. Add bubbles to create a fantastic foam experience.
    • Use organic products that won’t dry out their skin. Look for items that are formulated for children’s delicate skins.
  • Choose plush cotton towels and robes with hoods to keep them cozy after stepping out of the tub. Use organic products that won’t dry out their skin. Keep towels and robes together in baskets by the door, so they are easy to grab when you need them.
  • Haircare products:
    • You’ll need to purchase some extra shampoos and conditioners for your little ones.
    • You’ll also need a detangler and a leave-in conditioner for those wayward curls that seem to have a mind of their own.
  • A comfortable chair for kids or kids’ stool: You need to sit your child comfortably while they’re getting pampered!
  • Some aromatherapy oils to the water for a relaxing experience.
  • Bath toys: Kids love fun bath toys that let them play with bubbles. Think about adding some glow-in-the-dark or light-up floating bathtub toys for a more exciting experience. You can even include some floating rubber ducks!
  • Last but not least, purchase child-safe nail polish so you can paint their nails before bedtime. If your child is afraid of the dark, these sparkly colors will look beautiful under the moonlight.

Perfect Home Spa Routine

Now it’s time to get your child into a healthy home spa routine.

1. Relaxing bath

Fill up the tub with warm water and add aromatherapy oils to create a fantastic experience – lavender is very calming for children. Add some bath paints so they can doodle on the tub while they’re taking a bath. Allow them to play with their favorite toys in the water. Finally, when you’re all done with the washing up, help them wrap themselves in plush cotton towels and put on fresh pajamas.

2. Haircare

Wash their hair with a special shampoo and conditioner formulated for kids. Apply some leave-in conditioner and detangler, and then brush their hair with a special children’s brush. After that, you can even style their hair if they want it fixed in braids, ponytails, or piggy tails!

3. Manicure

You can create an amazing spa experience for your child with a few simple steps.

First, start by applying some hand cream so they won’t get dry skin on their hands. Then apply nail polish to their nails – colors can vary depending on your child’s preferences! Finally, use some cotton swabs dipped in nail polish remover to clean around the cuticles of each fingernail.

4. Time for a pedicure

During pedicure time, you can use the same steps, but make sure to add some special bath salts to get rid of calluses and deodorize your child’s feet. Finish with a foot cream applied directly onto their soles.

You can also go a step further and prepare your kid’s personal foot spa kit! You’ll need a pair of children’s skin-friendly foot socks, a small bowl with warm water, a bottle of baby oil, and a handful of coarse salt with eucalyptus oil.

You can even invest in kids’ pedicure chair – talk about authentic saloon experience! Happybuy Hydraulic Lift Adjustable Spa Pedicure Chair will be perfect for this task.

The Happybuy pedicure chair (Sponsored) is made of high-quality PU leather, so your kid will feel like they’re sitting in an authentic salon chair. It tilts, swivels, and adjusts to different positions (even flat!), which means you’ll be able to sit on this chair even if you’re taller than 230 cm / 7 ft. You can also adjust the backrest into multiple positions that are good for different body types or even to catch a quick nap!

Once you have everything ready, soak your kids’ feet in the warm water for about 10 minutes. Then add a few drops of eucalyptus oil and massage their feet with oil to soften dry skin. Finally, wrap their feet in the foot sock and sprinkle some salt around it. After 10 minutes, you’ll get to remove the socks and scrape off any dead skin with a pumice stone – talk about at-home pedicure!

5. Something extra

Every now and then, let each child pick one particular item from the spa menu. They can choose a fruit platter with all their favorite treats, or they can sleep in a sleeping bag filled with fresh lavender for ultimate relaxation!
Your home spa will be a fantastic experience that will teach them how to relax after spending long days outdoors. So don’t forget to splurge on some child-friendly treatments every now and then!

Get pampered!

And there you have it! Your kid’s home spa will be the envy of all of your child’s friends. If they invite their friends over to use it, make sure that you are present for all of their baths so you can monitor how much time they spend in there and what kind of antics take place while no one’s looking. Just remember to have fun with it and enjoy those quiet moments of pampering your child after a long day from school!

The post Create A Home Spa For Kids appeared first on Comfy Bummy.

Microsoft Patch Tuesday, November 2021 Edition

Microsoft Corp. today released updates to quash at least 55 security bugs in its Windows operating systems and other software. Two of the patches address vulnerabilities that are already being used in active attacks online, and four of the flaws were disclosed publicly before today — potentially giving adversaries a head start in figuring out how to exploit them.

Among the zero-day bugs is CVE-2021-42292, a “security feature bypass” problem with Microsoft Excel versions 2013-2021 that could allow attackers to install malicious code just by convincing someone to open a booby-trapped Excel file (Microsoft says Mac versions of Office are also affected, but several places are reporting that Office for Mac security updates aren’t available yet).

Microsoft’s revised, more sparse security advisories don’t offer much detail on what exactly is being bypassed in Excel with this flaw. But Dustin Childs over at Trend Micro’s Zero Day Initiative says the vulnerability is likely due to loading code that should be limited by a user prompt — such as a warning about external content or scripts — but for whatever reason that prompt does not appear, thus bypassing the security feature.

The other critical flaw patched today that’s already being exploited in the wild is CVE-2021-42321, yet another zero-day in Microsoft Exchange Server. You may recall that earlier this year a majority of the world’s organizations running Microsoft Exchange Servers were hit with four zero-day attacks that let thieves install backdoors and siphon email.

As Exchange zero-days go, CVE-2021-42321 appears somewhat mild by comparison. Unlike the four zero-days involved in the mass compromise of Exchange Server systems earlier this year, CVE-2021-42321 requires the attacker to be already authenticated to the target’s system. Microsoft has published a blog post/FAQ about the Exchange zero-day here.

Two of the vulnerabilities that were disclosed prior to today’s patches are CVE-2021-38631 and CVE-2021-41371. Both involve weaknesses in Microsoft’s Remote Desktop Protocol (RDP, Windows’ built-in remote administration tool) running on Windows 7 through Windows 11 systems, and on Windows Server 2008-2019 systems. The flaws let an attacker view the RDP password for the vulnerable system.

“Given the interest that cybercriminals — especially ransomware initial access brokers — have in RDP, it is likely that it will be exploited at some point,” said Allan Liska, senior security architect at Recorded Future.

Liska notes this month’s patch batch also brings us CVE-2021-38666, which is a Remote Code Execution vulnerability in the Windows RDP Client.

“This is a serious vulnerability, labeled critical by Microsoft,” Liska added. “In its Exploitability Assessment section Microsoft has labelled this vulnerability ‘Exploitation More Likely.’ This vulnerability affects Windows 7 – 11 and Windows Server 2008 – 2019 and should be a high priority for patching.”

For most Windows home users, applying security updates is not a big deal. By default, Windows checks for available updates and is fairly persistent in asking you to install them and reboot, etc. It’s a good idea to get in the habit of patching on a monthly basis, ideally within a few days of patches being released.

But please do not neglect to backup your important files — before patching if possible. Windows 10 has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once. There are also a number of excellent third-party products that make it easy to duplicate your entire hard drive on a regular basis, so that a recent, working image of the system is always available for restore.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

If you experience any glitches or problems installing patches this month, please consider leaving a comment about it below; there’s a better-than-even  chance other readers have experienced the same and may offer useful tips or suggestions.

Further reading:

SANS Internet Storm Center has a rundown on each of the 55 patches released today, indexed by exploitability and severity, with links to each advisory.

Revolutionize Incident Response and Endpoint Management with Remote Script Orchestration

A successful cyber attack can compromise your data and cripple business operations within mere hours or even minutes. Therefore, the speed with which your organization can contain and recover from an attack is critical to limit business disruption and reduce financial costs. Delays during investigation and remediation leave organizations highly vulnerable to security risks.

SentinelOne Remote Script Orchestration (RSO) allows enterprises to investigate threats on multiple endpoints across the organization remotely and enables them to easily manage their entire fleet.

It lets incident responders run scripts to collect data and remotely respond to events on endpoints. They can collect forensic artifacts, execute complex scripts and commands, install and uninstall IR tools and more on hundreds of endpoints simultaneously—Windows, Mac, and Linux—via the UI or API, to simplify forensic data collection and accelerate triage.

How Remote Script Orchestration Works

Remote Script Orchestration includes a Script Library from SentinelOne with scripts for all platforms. Customers can run remote scripts via multiple points from the console. Regardless of whether a single endpoint is compromised or multiple endpoints are associated with a threat or a group of machines that need to be investigated, RSO is available from different entry points to serve the user’s diverse needs.

  • Script Library

  • Alerts

  • Sentinels

How Can SentinelOne RSO Help Enterprises?

  1. Enable Power Forensics
    When it comes to cyberattacks, time is crucial. Instantaneous access to an infected machine is valuable but not enough. No SOC analyst wants or has the time to access hundreds of infected machines, one by one, to collect all relevant artifacts and conduct an investigation.

    With RSO, SOC analysts can run scripts on hundreds of endpoints simultaneously to collect anything needed for an investigation with a click of a button. RSO enables Incident Responder teams to jump start investigations with security event logs, running services, scheduled tasks, network connections, connected removable media, memory analysis, and more. New scripts can be easily created and added to the library to collect whatever is needed from remote machines.

  2. Rapid Attack Containment
    Using RSO, IR teams can quickly identify and investigate the chain of events and immediately respond to identified attacks. In addition to the existing response actions available from the Singularity platform, IR teams can use RSO to take immediate response actions to promptly contain threats in real-time—terminate processes, remove files, delete directories, disable local users, and more.
  3. Simplify Vulnerability and Configuration Management
    Customers don’t need to manage vulnerabilities and configurations by deploying and managing a range of tools. Security teams can use RSO to rapidly identify vulnerabilities and misconfigurations across their entire fleet. They can harden endpoints by deploying packages using custom scripts and thus reduce the attack surface.

    RSO lets customers unify management activities within a single agent and console to perform assessments, remediation actions reporting, and audit preparation from one platform.

  4. Automate Response Capabilities
    The timing and effectiveness of your response are critical when your organization is under attack. RSO integration with Storyline Active ResponseTM enables customers to take automated response actions. It allows enterprises to incorporate custom detection logic and immediately push it out to their entire fleet, to quickly remediate threats. Automated response workflow dramatically reduces the time to remediation and the impact of attacks.

Designed and built in close partnership with some of the world’s leading incident response providers, RSO delivers on SentinelOne’s commitment to a holistic approach to cybersecurity, arming security analysts with the power of technology — to do more for what works for them.  RSO is designed with a holistic approach and flexibility to be used by people with different skill sets.

  • Non technical users can use the existing out of the box script library, which contains everything needed for investigation. With a few simple clicks all the needed data is at their hands.
  • Users who are moderately technical can write simple scripts or modify existing scripts to customize them for whatever they need .There is no need to write a script from scratch.
  • Highly technical users can write their own scripts and upload it to the library to be shared and used by other employees.

Putting RSO to Work In Your Organization

SentinelOne RSO gives security operations teams instantaneous access to thousands of machines. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats in real-time. SentinelOne RSO can be tailored to suit your organization to fit a variety of use cases such as:

  • Zero day threat detection
    RSO can be used to quickly determine if your organization is vulnerable to an attack or identify vulnerable endpoints affected by the latest zero day threats. For example, incident responders could quickly and easily run the published scripts to determine if the enterprise was impacted by that vulnerability. This gives you the power to take immediate response actions to promptly contain identified threats in real-time.

  • Customize and build optimal IR tools for intel gathering
    Different teams often have different needs and requirements to collect various forensic artifacts for deeper investigation. SentinelOne RSO has granular capabilities that can be customized to let responders use pre-built scripts or use readily available scripts and tools that automate the gathering of common information like Autoruns, File Hashes, and ARP Tables.

SentinelOne RSO is a powerful tool that opens endless possibilities for enterprises. Responders can run scripts at scale to collect data and respond to events on endpoints, run scripts directly from the console or via command-line interface to automate response actions; basically, if you can think about it and script it, it is possible.


Legacy tools and endpoint products still require people to manually execute commands on each machine across the network individually. The sheer amount of data, devices, and workloads in today’s enterprise environments makes IT and security operations simply too big, too vast, and too fast for humans alone to deal with.

SentinelOne RSO enables security and IT teams to remotely execute customizable remediation and response actions on the entire estate across every operating system, enabling rapid containment. SentinelOne RSO is the only remote orchestration solution on the market that, in the same platform as an industry-leading EPP, EDR, and XDR, supports macOS, Windows, and Linux environments.

If you would like to learn more about RSO and the SentinelOne XDR platform, read the RSO Solution Brief, contact us for more information, or request a free demo.

Why It’s A Bad Idea To Buy A Used Car Seat

Here at ComfyBummy, we fight every day to keep your kids safe and comfortable.

Buying a used car seat is a bad idea for many reasons. Of course, the most obvious reason is that you don’t know how it was treated and if it has been in an accident, there’s no way of knowing. Secondly, the straps may be worn and not in the proper locking mode. Third, the seat itself may be broken in some way.

Lastly, you can’t tell if the seat has been recalled. If you get caught, the fine is up to $500 per item. In fact, it may be illegal in your state to even sell a used car seat!

If you purchase a new car seat, you know that there are no broken parts and that it hasn’t been in an accident before.

It is also worth mentioning that security features in kids’ car seats improve each year as technology progresses. Your child’s life is too valuable to consider buying a used seat. No matter how good the deal might be, buying a used car seat is never worth it.

Do Car Seats Have Expiration Dates?

Car seats have expiration dates. Most car seat manufacturers say their products should be replaced after 6 years.

When it’s time to replace your child’s car seat, remember that you may need to upgrade to a bigger model when moving from rear-facing to forward-facing and then again when moving into a booster seat.

How to check if car seat’s expiration date?

You can find the expiration date on the back of your car seat. Sometimes, the expiration date is printed on the bottom of the car seat. Some car seats have both.

If you can’t kids’ car seat expiration date, check the user manual or call the manufacturer’s customer service line for information about your specific seat model.

You’ll also want to replace a car seat that’s been involved in a moderate to severe crash. You’ll need a new one, period.

If the car seat was even mildly compromised in an accident or other incident, you risk injuring your child because of faulty materials and straps.

What about a minor crash? Even if there’s no apparent damage to your child’s car seat, you should have it checked out by a technician. For example, what looks like minor damage can mean that the internal parts are compromised. If so, this could lead to injury in the event of an accident.

Do car seat bases expire?

Car seat bases do expire as well. The expiration date of your base is printed on the bottom of the base. It’s usually six years from the date of manufacture.

There are a few things to remember about installing a base:

  • First, it has to be tightly installed using either LATCH or the vehicle’s safety belt.
  • Second, it’s not attached to the seat – so if you have to install the seat without its base for whatever reason, you need to remember how it was initially installed. This is important because some car seats are more easily installed with one method or another depending on the vehicle design.

The Safest Kids’ Car Seats Are Always New

Even paying an extra $200-300 for a new seat is more cost-effective than buying used. When it comes down to purchasing a new or used car seat, the answer is easy: Go with new. It’s not worth saving money at the risk of your child’s safety.

It is important to remember that safety has no price. There are too many risks involved in purchasing a used car seat, and it’s just not worth the risk.

We have prepared the below list of the safest car seats for kids to make it easier for you.

Maxi-Cosi Magellan XP Max All-in-One Convertible Car Seat


The Maxi-Cosi Magellan XP All-in-One is the safest car seat available. Its AirProtect technology uses energy-absorbing foam to distribute impact forces away from your child’s head, neck and chest through the side of the car seat.

We call it “the Mercedes Benz of Car Seats.” This car seat has passed every test, both in the USA and Europe.

It also has easy-to-use LATCH connectors that will save you time when installing by yourself.

Children develop at different rates; therefore, you may modify the torso up or down to optimize side impact protection to your child’s size. ClipQuik’s auto-magnetic chest clip makes it simple to open with one hand but difficult for kids to unbuckle.

The Magellan XP Max all-in-one Car Seat was created to offer ultimate safety and comfort in mind.

Britax Advocate ClickTight Anti-Rebound Bar Convertible Car Seat

ASIN: B07962ZKK8

The Britax Advocate has a SafeCell Impact Protection base that absorbs crash forces with energy-absorbing materials.

The headrest is adjustable both vertically and laterally to ensure the best fit for your child. The deep side walls are lined with energy-absorbing EPP foam, which limits forces through your child’s body in the event of a crash.

The Advocate is straightforward to install with the ClickTight technology, which ensures that the seat is installed tightly and correctly every time. The harness height can be easily adjusted without re-threading.

Britax made the Advocate Clicktight convertible car seat because they understand how hard it is to leave your child in someone else’s care. They wanted to make sure that your child is as safe as possible, even in an emergency.

That’s why they’ve created the safest car seat available on the market today.

Chicco Fit4 Adapt 4-in-1 Convertible Car Seat

ASIN: B09311PL54

The Fit4 is a safe car seat that will grow with your child. It has 4-in-1 design features: infant, rear-facing travel system, forward-facing, and booster.

Your child can be secured using the 5 point harness until they exceed its weight limit (40 pounds). Then, you can utilize the belt-positioning clip to switch to booster mode easily.

The Fit4 adapt convertible car seat comes standard with the RideRight bubble-level indicators, which work to ensure that your child is sitting in the proper position as you adjust and tighten the harness. The indicator makes it easier for parents who don’t feel confident assessing this themselves.

The Latch connectors make it easy to install the car seat. The Fit4 adapt features the one-pull tightener, enabling you to quickly tighten the harness without re-threading it through complicated back panels.

Chicco made this car seat with all different types of parents in mind. Whether grandparents are watching the kids, they’re helping out babysitters, or they’re just dealing with a busy schedule, this car seat will make it easier for you to go about your daily routine.

Graco Extend2Fit 3-in-1 Car Seat


The Extend2Fit is the only car seat you’ll ever need. It has extra legroom and a longer seat bottom, making it easy for your child to sit comfortably throughout their entire childhood.

The main highlights of this car seat are the 10-position extendable headrest, 4-position extension panel, and 6-position recline. Thanks to those, you can extend the car seat to provide additional protection as your child grows.

There’s also a removable infant body support that offers extra comfort for smaller children.

The Graco Extend2Fit has an InRight LATCH system, which makes installing a cinch. There are also 2 hideaway cup holders, which provide a place to store drinks and snacks during long trips.

Summary – What To Look For In A Car Seat For Kids?

The protection of your children is the most crucial aspect of car seat shopping. Some car seats are safer than others, which means they absorb more impact in the event of an accident.

It’s also essential to consider ease of use and comfort when picking out a new car seat. You want something that will make it easier for you to go about your daily routine.

Many car seats are 3 in 1, which means they can be used for more than one growth stage. These types of car seats can grow with your kids, so you don’t have to purchase multiple seats throughout the years.

Some convertible car seats also provide extra head and neck support for young children. This ensures that their head doesn’t wobble around during a car ride.

Most importantly, make sure you do your research before purchasing any car seat. You can check out reviews online or ask friends and family for advice before making a big purchase.

The post Why It’s A Bad Idea To Buy A Used Car Seat appeared first on Comfy Bummy.

REvil Ransom Arrest, $6M Seizure, and $10M Reward

The U.S. Department of Justice today announced the arrest of Ukrainian man accused of deploying ransomware on behalf of the REvil ransomware gang, a Russian-speaking cybercriminal collective that has extorted hundreds of millions from victim organizations. The DOJ also said it had seized $6.1 million in cryptocurrency sent to another REvil affiliate, and that the U.S. Department of State is now offering up to $10 million for the name or location any key REvil leaders, and up to $5 million for information on REvil affiliates.

If it sounds unlikely that a normal Internet user could make millions of dollars unmasking the identities of REvil gang members, take heart and consider that the two men indicted as part this law enforcement action do not appear to have done much to separate their cybercriminal identities from their real-life selves.

Exhibit #1: Yaroslav Vasinskyi, the 22-year-old Ukrainian national accused of being REvil Affiliate #22. Vasinskyi was arrested Oct. 8 in Poland, which maintains an extradition treaty with the United States. Prosecutors say Vasinskyi was involved in a number of REvil ransomware attacks, including the July 2021 attack against Kaseya, Miami-based company whose products help system administrators manage large networks remotely.

Yaroslav Vasinksyi’s Vkontakte profile reads “If they tell you nasty things about me, believe every word.”

According to his indictment (PDF), Vasinskyi used a variety of hacker handles, including “Profcomserv” — the nickname behind an online service that floods phone numbers with junk calls for a fee. Prosecutors say Vasinskyi also used the monikers  “Yarik45,” and “Yaroslav2468.”

These last two nicknames correspond to accounts on several top cybercrime forums way back in 2013, where a user named “Yaroslav2468” registered using the email address

That email address was used to register an account at Vkontakte (the Russian version of Facebook/Meta) under the profile name of “Yaroslav ‘sell the blood of css’ Vasinskyi.” Vasinskyi’s Vkontakte profile says his current city as of Oct. 3 was Lublin, Poland. Perhaps tauntingly, Vasinskyi’s profile page also lists the FBI’s 1-800 tip line as his contact phone number. He’s now in custody in Poland, awaiting extradition to the United States.

Exhibit #2: Yevgeniy Igorevich Polyanin, the 28-year-old Russian national who is alleged to be REvil Affiliate #23. The DOJ said it seized $6.1 million in funds traceable to alleged ransom payments received by Polyanin, and that the defendant had been involved in REvil ransomware attacks on multiple U.S. victim organizations.

The FBI’s wanted poster for Polyanin.

Polyanin’s indictment (PDF) says he also favored numerous hacker handles, including LK4D4, Damnating, Damn2life, Noolleds, and Antunpitre. Some of these nicknames go back more than a decade on Russian cybercrime forums, many of which have been hacked and relieved of their user databases over the years.

Among those was carder[.]su, and that forum’s database says a user by the name “Damnating” registered with the forum in 2008 using the email address Sure enough, there is a Vkontakte profile tied to that email address under the name “Yevgeniy ‘damn’ Polyanin” from Barnaul, a city in the southern Siberian region of Russia.

The apparent lack of any real operational security by either of the accused here is so common that it is hardly remarkable. As exhibited by countless investigations in my Breadcrumbs story series, I have found that if a cybercriminal is active on multiple forums over more than 10 years, it is extremely likely that person has made multiple mistakes that make it relatively easy to connect his forum persona to his real-life identity.

As I explained earlier this year in The Wages of Password Re-use: Your Money or Your Life, it’s possible in many cases to make that connection thanks to two factors. The biggest is password re-use by cybercriminals (yes, crooks are lazy, too). The other is that cybercriminal forums, services, etc. get hacked just about as much as everyone else on the Internet, and when they do their user databases can reveal some very valuable secrets and connections.

In conjunction with today’s REvil action, the U.S. Department of State said it was offering a reward of up to $10 million for information leading to the identification or location of any individual holding a key leadership position in the REvil ransomware group. The department said it was also offering a reward of up to $5 million for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a REvil ransomware incident.

I really like this bounty offer and I hope we see more just like it for other ransomware groups. Because as we can see from the prosecutions of both Polyanin and Vasinskyi a lot of these guys simply aren’t too hard to find. Let the games begin.

The Good, the Bad and the Ugly in Cybersecurity – Week 45

The Good

It’s been a tough week for those in the world of cyber espionage, and while we do recognize that there are spies that work for us as well as those that work against us, this week saw two stories break that will likely bring glad tidings to most.

First up, President Biden continued his administration’s welcome war on cyber bad guys with a ban on four different “spyware” companies, namely Russia’s Positive Technologies, Singapore’s Computer Security Initiative Consultancy and two Israeli companies, Candiru and NSO Group (distributor of the notorious Pegasus spyware). The four were all adjudged by the Biden administration to be trading in hacking tools used to “maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers” in the service of authoritarian repression that “threatens the rules-based international order”.

Meanwhile, Ukraine has outed members of an APT operation run by Russia’s FSB unit, more widely known as the Gamaredon group.

The details are fascinating and well worth a read, but the upshot is that Ukraine’s Security Service (SSU) were able to intercept conversations among FSB hackers and obtain data on thousands of Gamaredon C&C servers. Along with publishing a detailed report on the group’s activities they also ‘outed’ five members of the FSB as being members of the cyber espionage gang. While the TTPs used by Gamaredon are described as ‘not particularly sophisticated’, they have nevertheless been remarkably successful and are worthy of study by defenders in enterprise security teams.

The Bad

While we’ve seen welcome pressure put on DarkSide/BlackMatter ransomware operators this week, nobody is claiming victory just yet in the war against ransomware, particularly not the Las Vegas Cancer Center (LVCC). Back in September the LVCC was hit by a ransomware attack, and this week it turns out that PII belonging to current and former patients may also have been stolen.

The Center said on Monday that encrypted data had been accessed by attackers, and this may have included Personally Identifiable Information (PII) such as names and addresses of patients, date of birth, SSNs, medical records and insurance details.

LVCC were unable to confirm exactly which patient records may have been accessed. While the Center believes that the proprietary format used to store the data may have made it unreadable to hackers, unless it used some kind of strong encryption there’s still a possibility that hackers skilled in reverse engineering techniques would be able to retrieve details even from a proprietary file format.

LVCC has reportedly stated that it “does not believe that any data was copied or transferred from its server, and has received no ransom demand”. Even so, due to the sensitivity of the PII involved, all LVCC patients are advised to monitor credit card activity and be on alert for phishing attempts.

The Ugly

And after the patients comes the medical staff. It seems like there’s no end to the vulnerabilities faced by our healthcare infrastructure these days. This week a Medical School was found to have exposed 157GB of data containing around 200,000 files carrying, among other things, the PII of thousands of medical students, staff and course applicants.

Two years ago to the month, we reported on how researchers from vpnMentor uncovered an unsecured AWS bucket hosting tens of thousands of videos uploaded by users of the Veed platform. Alas, cybersecurity history continues to repeat itself as this week the same researchers reported that the LA-based Phlebotomy Training Specialists had done the exact same thing: an unsecured AWS bucket containing students’ ID cards, driving license details, home addresses, phone numbers, DoBs and professional and educational resumés was left publicly accessible for anyone to view.

The researchers estimate that between 27000 and 50000 individuals are impacted by the leaked data, which contained records from September 2020 to the present day. Affected individuals could be at risk of fraud, identity theft, and phishing attacks. Despite attempts to contact the company, vpnMentor says they have still received no response. Anyone who thinks they may be impacted by the data leak is advised to contact Phlebotomy Training Specialists directly.

‘Tis the Season for the Wayward Package Phish

The holiday shopping season always means big business for phishers, who tend to find increased success this time of year with a lure about a wayward package that needs redelivery. Here’s a look at a fairly elaborate SMS-based phishing scam that spoofs FedEx in a bid to extract personal and financial information from unwary recipients.

One of dozens of FedEx-themed phishing sites currently being advertised via SMS spam.

Louis Morton, a security professional based in Fort Worth, Texas, forwarded an SMS phishing or “smishing” message sent to his wife’s mobile device that indicated a package couldn’t be delivered.

“It is a nearly perfect attack vector at this time of year,” Morton said. “A link was included, implying that the recipient could reschedule delivery.”

Attempting to visit the domain in the phishing link — o001cfedeex[.]com — from a desktop web browser redirects the visitor to a harmless page with ads for car insurance quotes. But by loading it in a mobile device (or by mimicking one using developer tools), we can see the intended landing page pictured in the screenshot to the right — returns-fedex[.]com.

Blocking non-mobile users from visiting the domain can help minimize scrutiny of the site from non-potential victims, such as security researchers, and thus potentially keep the scam site online longer.

Clicking “Schedule new delivery” brings up a page that requests your name, address, phone number and date of birth. Those who click “Next Step” after providing that information are asked to add a payment card to cover the $2.20 “redelivery fee.”

After clicking “Pay Now,” the visitor is prompted to verify their identity by providing their Social Security number, driver’s license number, email address and email password. Scrolling down on the page revealed more than a half dozen working links to real resources online, including the company’s security and privacy policies.

While every fiber of my being hopes that most people would freak out at this page and go away, scams like these would hardly exist if they didn’t work at least some of the time.

After clicking “Verify,” anyone anxious enough over a wayward package to provide all that information is redirected to the real FedEx at

It appears that sometime in the past 12 hours, the domain that gets loaded when one clicks the link in the SMS phishing message — returns-fedex[.]com — stopped resolving. But I doubt we’ve seen the last of these phishers.

The true Internet address of the link included in the FedEx SMS phishing campaign is hidden behind content distribution network Cloudflare, but a review of its domain name system (DNS) records shows it resolves to 23.92.29[.]42. There are currently more than three dozen other newly-registered FedEx phishing domains tied to that address, all with a similar naming convention, e.g., f001bfedeex[.]com, g001bfedeex[.]com, and so on.

Now is a great time to remind family and friends about the best advice to sidestep phishing scams: Avoid clicking on links or attachments that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of negative consequences should you fail to respond or act quickly.

If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential typosquatting sites.