SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Friday, May 30th 2025: Alternate Data Streams; Connectwise Breach; Google Calendar C2;

May 30, 2025
Oren Niskin, an industrial control system cybersecurity expert at GuidePoint Security, discusses critical cyber threats. He explains how alternate data streams can be manipulated for defense evasion and shares insights on the recent ConnectWise breach affecting remote access solutions. The conversation shifts to innovative tactics used by APT41, highlighting attacks via Google Calendar. Niskin emphasizes the importance of proactive strategies and deception techniques to enhance security in industrial environments, bridging the gap between IT and OT networks.
AI Snips
INSIGHT

Understanding Alternate Data Streams

  • Alternate Data Streams (ADS) can be non-malicious and were originally designed for file annotations.
  • ADS abuse can be detected and defended against with the right understanding and tools.
INSIGHT

Risks of Remote Access Tools

  • Remote access tools like ConnectWise ScreenConnect are often targeted in breaches.
  • Attackers use these tools to gain access to victim systems, posing significant risks.
INSIGHT

Google Calendar as C2 Channel

  • APT41 uses Google Calendar events as covert command and control channels.
  • These events blend with normal traffic, making detection difficult without calendar event monitoring.