SANS Internet Storm Center, InfoCON: green


Maldoc, PowerShell & BITS, (Mon, Sep 30th)

The sample we analyze today is a malicious Office document, using PowerShell to download its payload via BITS.
  • September 30th 2019 at 18:36

Encrypted Maldoc, Wrong Password, (Sun, Sep 29th)

Reader Chad submitted a malicious Office document, delivered as an email attachment. The maldoc was encrypted, and the password was mentioned in the email: PETROFAC.
  • September 29th 2019 at 21:52

New Scans for Polycom Autoconfiguration Files, (Fri, Sep 27th)

One of my honeypots detected a nice scan yesterday. A bot was looking for Polycom master provisioning files. Such files are called by default '000000000000.cfg' and contain interesting information to perform provisioning of VoIP phones. Normally, this file is renamed with the MAC address of the phone (ex: a1b2c3d4e5f6.cfg) but the name can be left intact and, if the phone can't find its own MAC address-based configuration, it will pull the default file.
  • September 27th 2019 at 07:13
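The two file names described above (the default '000000000000.cfg' and the MAC-named variant) are enough to spot this kind of scan in ordinary web server logs. The following is an added example, not code from the diary: it parses combined-format access log lines, classifies requests for Polycom provisioning files, and groups hits per client. The log lines are constructed for illustration; the user-agent string is only used as a secondary indicator, since a scanner can send whatever it likes.

```python
import re
from collections import defaultdict

# Constructed sample log lines (combined log format); not taken from the
# diary. 203.0.113.7 behaves like the bot described: it asks for the master
# file, then a MAC-named file. 192.0.2.5 asks for the master file from a
# subdirectory with a non-Polycom user agent. 198.51.100.9 is normal traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Sep/2019:10:01:12 +0000] "GET /000000000000.cfg HTTP/1.1" 404 162 "-" "FileTransport PolycomSoundPointIP-SPIP_450-UA/4.0.8"
203.0.113.7 - - [26/Sep/2019:10:01:13 +0000] "GET /0004f2a1b2c3.cfg HTTP/1.1" 404 162 "-" "FileTransport PolycomSoundPointIP-SPIP_450-UA/4.0.8"
192.0.2.5 - - [26/Sep/2019:10:03:40 +0000] "GET /polycom/000000000000.cfg?ver=1 HTTP/1.1" 404 162 "-" "curl/7.64.0"
198.51.100.9 - - [26/Sep/2019:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.9 - - [26/Sep/2019:10:05:01 +0000] "GET /config.cfg HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

MASTER_CFG = "000000000000.cfg"
# Polycom phones request <mac>.cfg with the MAC as 12 hex digits (no separators).
MAC_CFG_RE = re.compile(r"[0-9a-f]{12}\.cfg")


def classify_request(path: str):
    """Return a label when the requested path looks like a Polycom provisioning file."""
    path = path.split("?", 1)[0]            # ignore any query string
    base = path.rsplit("/", 1)[-1].lower()  # file name only, any directory depth
    if base == MASTER_CFG:
        return "polycom-master-config"
    if MAC_CFG_RE.fullmatch(base):
        return "polycom-mac-config"
    return None


def find_provisioning_scans(log_text: str, min_hits: int = 1):
    """Group provisioning-file requests per client IP; drop clients below min_hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the hunt
        kind = classify_request(m.group("path"))
        if kind is None:
            continue
        hits[m.group("ip")].append({
            "time": m.group("ts"),
            "path": m.group("path"),
            "status": int(m.group("status")),
            "kind": kind,
            "polycom_ua": "polycom" in m.group("ua").lower(),
        })
    return {ip: h for ip, h in hits.items() if len(h) >= min_hits}


if __name__ == "__main__":
    for ip, requests in find_provisioning_scans(SAMPLE_LOG).items():
        print(ip)
        for r in requests:
            print("   ", r["time"], r["kind"], r["path"], "polycom UA" if r["polycom_ua"] else "")
```

On a real server that does not host Polycom provisioning at all, any hit is worth a look; the 404 status confirms the file was never there, so the interesting part is who asked and what they tried next.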

Vulnerability on specific Cisco Industrial / Grid router models, (Thu, Sep 26th)

Our reader Marc reports a vulnerability posted by Cisco yesterday: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-ios-gos-auth
  • September 26th 2019 at 17:07

Mining MAC Address and OUI Information, (Thu, Sep 26th)

So often when we're working an incident on the network side, we quickly end up at Layer 2, working with MAC Addresses.
  • September 26th 2019 at 16:29
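When triaging at Layer 2, the first three bytes of a MAC address (the OUI) tell you the vendor, and two bits of the first byte tell you whether the address is multicast or locally administered (randomized, spoofed, or assigned by a hypervisor). The following is an added example, not code from the diary: it normalizes the common MAC notations, decodes those bits, looks the OUI up in a small table, and summarizes a list of addresses. The OUI table holds three entries assumed to match the IEEE MA-L registry; a real tool would load the full registry file instead. The sample MAC list is constructed.

```python
import re
from collections import Counter

# Three illustrative OUI entries, assumed to match the IEEE MA-L registry.
# This is NOT a complete table; load the full oui.txt for real work.
OUI_TABLE = {
    "00:50:56": "VMware, Inc.",
    "00:0C:29": "VMware, Inc.",
    "08:00:27": "PCS Systemtechnik GmbH (VirtualBox)",
}

# Constructed sample, as seen in an ARP table or a DHCP log.
SAMPLE_MACS = [
    "00:50:56:aa:bb:cc",   # VMware guest
    "00:0c:29:12:34:56",   # VMware guest, different OUI
    "0800.27ab.cdef",      # VirtualBox guest, Cisco notation
    "02-00-00-11-22-33",   # locally administered (not a vendor OUI)
    "00:11:22:33:44:55",   # registered-looking but absent from our tiny table
]


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aabbccddeeff."""
    hexdigits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2].upper() for i in range(0, 12, 2))


def describe_mac(mac: str) -> dict:
    """Decode the I/G and U/L bits of the first byte and look up the OUI."""
    norm = normalize_mac(mac)
    first = int(norm[:2], 16)
    multicast = bool(first & 0x01)            # I/G bit: 1 = group address
    locally_administered = bool(first & 0x02) # U/L bit: 1 = not assigned by a vendor
    oui = norm[:8]
    # A locally administered address does not carry a registered OUI, so a
    # table hit there would be a coincidence, not a vendor.
    vendor = None if locally_administered else OUI_TABLE.get(oui)
    return {
        "mac": norm,
        "oui": oui,
        "vendor": vendor,
        "multicast": multicast,
        "locally_administered": locally_administered,
        "broadcast": norm == "FF:FF:FF:FF:FF:FF",
    }


def summarize_macs(macs) -> Counter:
    """Count addresses per vendor (or per category when no vendor applies)."""
    summary = Counter()
    for mac in macs:
        d = describe_mac(mac)
        if d["multicast"]:
            summary["multicast/broadcast"] += 1
        elif d["locally_administered"]:
            summary["locally-administered"] += 1
        elif d["vendor"]:
            summary[d["vendor"]] += 1
        else:
            summary["unknown OUI"] += 1
    return summary


if __name__ == "__main__":
    for mac in SAMPLE_MACS:
        print(describe_mac(mac))
    print(summarize_macs(SAMPLE_MACS))
```

A cluster of locally administered addresses on a segment that should only hold physical hardware is itself a finding: it usually means virtual machines, containers, or a host that is randomizing or spoofing its address.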

Huge Amount of remotewebaccess.com Sites Found in Certificate Transparency Logs, (Tue, Sep 24th)

I'm keeping an eye on the certificate transparency logs[1] using automated scripts. The goal is to track domain names (and their variations) of my customers, sensitive services in Belgium, key Internet players and some interesting keywords. Yesterday I detected a peak of events related to the domain 'remotewebaccess.com'. This domain, owned by Microsoft, is used to provide temporary remote access to Windows computers[2]. Microsoft allows you to use your own domain but also provides (for more convenience?) a list of available domains. Once configured, you are able to access the computer from a browser:
  • September 24th 2019 at 07:45
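The monitoring described above has two parts: matching each new certificate's DNS names against a watch list (domain suffixes and free-text keywords), and noticing when the daily count for one watched item jumps well above its usual level. The following is an added example, not the author's scripts: the certificate entries are constructed, and the watch list, the `logged_at` field name and the spike threshold (at least five hits and at least three times the median of earlier days) are assumptions. Fetching entries from a CT log or from a search front end is left out so the example runs offline.

```python
from collections import Counter
from statistics import median

# Assumed watch list: exact domains (and their subdomains) plus keywords that
# may appear anywhere in a certificate's DNS names.
WATCH_SUFFIXES = ("remotewebaccess.com",)
WATCH_KEYWORDS = ("examplebank",)

# Constructed CT entries: one dict per certificate with the day it was logged
# and the DNS names it covers. Field names are an assumption.
SAMPLE_ENTRIES = [
    {"logged_at": "2019-09-20", "dns_names": ["alice-pc.remotewebaccess.com"]},
    {"logged_at": "2019-09-20", "dns_names": ["bob-laptop.remotewebaccess.com"]},
    {"logged_at": "2019-09-21", "dns_names": ["carol.remotewebaccess.com"]},
    {"logged_at": "2019-09-22", "dns_names": ["dave.remotewebaccess.com"]},
    {"logged_at": "2019-09-22", "dns_names": ["www.example.org", "example.org"]},
    {"logged_at": "2019-09-22", "dns_names": ["examplebank-login.example.net"]},
] + [
    {"logged_at": "2019-09-23", "dns_names": [f"host{i}.remotewebaccess.com"]}
    for i in range(6)
]


def name_matches(name: str):
    """Return 'suffix:<domain>' or 'keyword:<word>' when a DNS name is on the watch list."""
    n = name.lower().lstrip("*.")  # wildcard certs: treat *.foo.com as foo.com
    for suffix in WATCH_SUFFIXES:
        if n == suffix or n.endswith("." + suffix):
            return "suffix:" + suffix
    for word in WATCH_KEYWORDS:
        if word in n:
            return "keyword:" + word
    return None


def match_entries(entries):
    """Yield (day, name, reason) once per certificate that touches the watch list."""
    matches = []
    for entry in entries:
        for name in entry["dns_names"]:
            reason = name_matches(name)
            if reason:
                matches.append((entry["logged_at"], name, reason))
                break  # one hit per certificate, however many names it lists
    return matches


def daily_counts(matches, reason_prefix=None) -> Counter:
    """Count matches per day, optionally restricted to one watch-list item."""
    return Counter(day for day, _, reason in matches
                   if reason_prefix is None or reason.startswith(reason_prefix))


def find_spikes(counts: Counter, factor: float = 3.0, min_count: int = 5):
    """Flag days whose count is both >= min_count and >= factor * median of earlier days.

    Days with zero matches are absent from the Counter and therefore not part
    of the baseline; for a sparse watch item that makes the baseline slightly
    pessimistic, which is the safer direction for an alert.
    """
    spikes = []
    days = sorted(counts)
    for i, day in enumerate(days):
        earlier = [counts[d] for d in days[:i]]
        if not earlier:
            continue  # nothing to compare the first day against
        baseline = median(earlier)
        if counts[day] >= min_count and counts[day] >= factor * baseline:
            spikes.append((day, counts[day], baseline))
    return spikes


if __name__ == "__main__":
    hits = match_entries(SAMPLE_ENTRIES)
    per_day = daily_counts(hits, "suffix:remotewebaccess.com")
    print(dict(per_day))
    for day, count, baseline in find_spikes(per_day):
        print(f"spike on {day}: {count} certificates (median before: {baseline})")
```

The keyword match is deliberately loose (a substring anywhere in the name) because that is what catches look-alike and typo-squatted names; the price is noise, which is why alerting is done on the per-day trend rather than on every single hit.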

YARA XOR Strings: an Update, (Sun, Sep 22nd)

Almost a year ago, I reported on a new feature in YARA version 3.8.0: YARA XOR Strings. The new YARA xor keyword allows for the search of strings that are XOR-encoded with a one-byte key.
  • September 23rd 2019 at 06:31
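YARA's `xor` modifier (a rule such as `$a = "http://" xor`) matches a string encoded with any single-byte XOR key, key 0x00 included, which is why a plain-text copy also triggers it. The following is an added example, not code from the diary or from the YARA project: it reproduces that search in Python so you can see what the modifier does and recover the key and the decoded bytes for a hit. The sample buffer is constructed: a URL in plain text and the same URL XOR-encoded with key 0x5A, surrounded by filler.

```python
from typing import Iterable, List, Tuple


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte (0..255)."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def find_xor_strings(data: bytes, needle: bytes,
                     keys: Iterable[int] = range(0x100)) -> List[Tuple[int, int]]:
    """Return (offset, key) for every place where needle XOR key occurs in data.

    This mirrors YARA's `xor` modifier: the default key range 0x00..0xFF is
    what `"..." xor` does; pass range(0x01, 0x100) to skip plain-text hits.
    """
    hits = []
    for key in keys:
        encoded = xor_bytes(needle, key)
        start = 0
        while True:
            offset = data.find(encoded, start)
            if offset < 0:
                break
            hits.append((offset, key))
            start = offset + 1  # allow overlapping occurrences
    return sorted(hits)


def decode_hit(data: bytes, offset: int, key: int, length: int) -> bytes:
    """Decode `length` bytes at a hit so the surrounding string can be read."""
    return xor_bytes(data[offset:offset + length], key)


# Constructed sample, not from the diary: the URL once in plain text and once
# XOR-encoded with key 0x5A, padded with filler bytes.
URL = b"http://example.invalid/payload.bin"
SAMPLE_BUFFER = (b"\x00" * 4 + URL + b"\x90" * 3 + xor_bytes(URL, 0x5A) + b"\xff" * 2)


if __name__ == "__main__":
    for offset, key in find_xor_strings(SAMPLE_BUFFER, b"http://"):
        decoded = decode_hit(SAMPLE_BUFFER, offset, key, len(URL))
        print(f"offset {offset:#06x} key {key:#04x}: {decoded!r}")
```

Two practical caveats carry over to YARA: a short needle tried against 256 keys will match random data often, so use strings of a reasonable length, and a needle byte equal to the key encodes to 0x00, so encoded strings frequently contain null bytes that a naive "printable strings" pass would split.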

Video: Encrypted Sextortion PDFs, (Sun, Sep 22nd)

In this video, I show how to use my PDF tools together with QPDF and Poppler to deal with encrypted PDFs, like the sextortion PDFs that were submitted recently.
  • September 22nd 2019 at 18:14

Blacklisting or Whitelisting in the Right Way, (Thu, Sep 19th)

It's Friday today, so I'd like to talk about something else. Black (or white) lists are everywhere today. Many security tools implement a way to allow or deny access to resources, or actions on them, based on "lists", besides the automated processing of data. The approaches used to implement them differ quite a lot:
  • September 20th 2019 at 07:41

Agent Tesla Trojan Abusing Corporate Email Accounts, (Thu, Sep 19th)

The trojan 'Agent Tesla' is not brand new: discovered in 2018, it is written in Visual Basic and has plenty of interesting features. Just have a look at the MITRE ATT&CK overview of its TTPs[1].
  • September 19th 2019 at 06:47