FreshRSS

πŸ”’
❌ About FreshRSS
☷
β–³ πŸ”ƒ
There are new available articles, click to refresh the page.
Before yesterdaySANS Internet Storm Center, InfoCON: green

Scanning Activity for NVMS-9000 Digital Video Recorder, (Sun, Oct 20th)

Since the beginning of October, my honeypot has been capturing numerous scans for DVR model NVMS-9000 which a PoC was released last year describing a "Stack Overflow in Base64 Authorization"[1].
  • October 20th 2019 at 23:35
  • β†—

What Assumptions Are You Making?, (Sat, Oct 19th)

If my security agents were not working correctly, then I would get an alert. Since no one said there is a problem with my security agents, then everything must be ok with them. These are just a couple of the assumptions that we make as cybersecurity practitioners each day about the security agents that serve to protect our respective organizations. While it is preferable to think that everything is ok, it is much better to validate that assumption regularly.Β 
  • October 19th 2019 at 13:10
  • β†—

Quick Malicious VBS Analysis, (Fri, Oct 18th)

Let’s have a look at a VBS sample found yesterday. It started as usual with a phishing email that contained a link to a malicious ZIP archive. This techniqueΒ is more and more common to deliver the first stage via a URL because it reduces the risk to have the first file blocked by classic security controls. The link was:
  • October 18th 2019 at 06:25
  • β†—

Phishing e-mail spoofing SPF-enabled domain, (Thu, Oct 17th)

On Monday, I found what looked like a run-of-the-mill phishing e-mail in my malware quarantine. The "hook" it used was quite a common one – it was a fake DHL delivery notification inserted as an image into the body of the e-mail in an attempt to make user open its attachments.
  • October 17th 2019 at 09:54
  • β†—

When MacOS Catalina Comes to Life: The First Few Minutes of Network Traffic From MacOS 10.15., (Mon, Oct 14th)

This post is continuing a series I started in April about network traffic from Windows 10. When dealing with network traffic, it is always good to know what is normal. As part of this series, I will investigate the first few minutes of network traffic from current operating systems. With macOS 10.15 Catalina just being released, I figured this might be an excellent next operating system to investigate.
  • October 16th 2019 at 22:43
  • β†—

Security Monitoring: At Network or Host Level?, (Wed, Oct 16th)

Today, to reach a decent security maturity, the keyword remains "visibility". There is nothing more frustrating than being blind about what's happening on a network or starting an investigation without any data (logs, events) to process. The question is: how to efficiently keep an eye on what's happening on your network? There are three key locations to collect data:
  • October 16th 2019 at 09:39
  • β†—

YARA's XOR Modifier, (Mon, Oct 14th)

YARA searches for strings inside files. Strings to search for are defined with YARA rules.
  • October 14th 2019 at 18:21
  • β†—

YARA v3.11.0 released, (Sat, Oct 12th)

A new version of YARA was released: v3.11.0.
  • October 12th 2019 at 21:16
  • β†—

Mining Live Networks for OUI Data Oddness, (Thu, Oct 10th)

My last story was a short script that takes MAC addresses in, and returns the OUI portion of that, along with the vendor who corresponds to that OUI.Β  (https://isc.sans.edu/diary/Mining+MAC+Address+and+OUI+Information/25360) Today we'll port that to PowerShell as a function and use that on a live network for some "hunting" to look for odd things.
  • October 10th 2019 at 12:40
  • β†—

Microsoft October 2019 Patch Tuesday, (Tue, Oct 8th)

This month we got patches for 59 vulnerabilities total.Β None of them have been previously disclosed nor are being exploited according to Microsoft.Β 
  • October 8th 2019 at 17:58
  • β†—

visNetwork for Network Data, (Sun, Oct 6th)

DFIR Redefined Part 3 - Deeper Functionality for Investigators with R series continued
  • October 6th 2019 at 00:55
  • β†—

Buffer overflows found in libpcap and tcpdump, (Thu, Oct 3rd)

It is always a bit worrisome when vulnerabilities are found in our favorite tools, but our tools are software like any other software and can have bugs, too. One of the feeds I have in my RSS reader is NIST National Vulnerability Database (NVD) feed. Earlier today, I noticed a bunch of CVEs show up there for libpcap and tcpdump. I hadn't noticed any major announcements of new versions or any automatic updates of those tools on any of my linux boxes, so I decided to head straight to the source, www.tcpdump.org. It turns out, there were new versions of both libpcap (new version is 1.9.1) and tcpdump (version 4.9.3) released on Monday. And, there under latest releases, it notes that this release "addresses a large number of vulnerabilities." It should also be noted, this is the first release in over 2 years. Quite of few of the vulnerabilities have CVEs dating from 2018. In all, this update addresses 33 CVEs. Hopefully, the major linux distros will roll out updates over the next few days or weeks. I haven't seen any indication that folks have tried to craft traffic to exploit any of these vulnerabilities, but that is always a concern when a tool like tcpdump or wireshark or the like has buffer overflows in their protocol parsers/decoders/dissectors. So, if you use tcpdump and/or any libpcap-based tools in your toolbox for network monitoring or network forensics, be on the lookout for updates from your linux distro or tool vendor or just go ahead and build your own copy from source.
  • October 4th 2019 at 05:27
  • β†—

"Lost_Files" Ransomware, (Thu, Oct 3rd)

Are good old malware still used by attackers today? Probably not running the original code but malware developers are… developers!Β They don’t reinvent the wheel and re-use code published here and there. I spotted aΒ ransomware which looked like an old one.
  • October 3rd 2019 at 06:06
  • β†—

A recent example of Emotet malspam, (Wed, Oct 2nd)

Shown below is an example of malicious spam (malspam) pushing Emotet malware.Β  It has an attached Word document with macros designed to install Emotet on a vulnerable Windows host.
  • October 2nd 2019 at 02:37
  • β†—

A Quick Look at Some Current Comment Spam, (Tue, Oct 1st)

As pretty much everybody else allowing comments, our site is getting its fair share of spam. Over the years, we implemented a number of countermeasures, so it is always interesting to see what makes it past these countermeasures. There are a number of recurring themes when it comes to spam:
  • October 1st 2019 at 17:25
  • β†—


Maldoc, PowerShell & BITS, (Mon, Sep 30th)

The sample we analyze today is a malicious Office document, using PowerShell to download its payload via BITS.
  • September 30th 2019 at 18:36
  • β†—

Encrypted Maldoc, Wrong Password, (Sun, Sep 29th)

Reader Chad submitted a malicious Office document, delivered as an email attachment. The maldoc was encrypted, and the password was mentioned in the email: PETROFAC.
  • September 29th 2019 at 21:52
  • β†—

New Scans for Polycom Autoconfiguration Files, (Fri, Sep 27th)

One of my honeypots detected aΒ nice scanΒ yesterday. A bot was looking for Polycom master provisioning files. SuchΒ files areΒ called by default '000000000000.cfg’ and containΒ interesting information to perform provisioning ofΒ VoIP phones. Normally, this file is renamed with the MAC address of the phone (ex: a1b2c3d4e5f6.cfg) but the name can be left intact and, if the phone can’t find his own MAC address-basedΒ configuration, it will pull the default file.
  • September 27th 2019 at 07:13
  • β†—

Vulnerability on specific Cisco Industrial / Grid router models, (Thu, Sep 26th)

Our reader Marc reports a vulnerability posted by Cisco yesterday: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-ios-gos-auth
  • September 26th 2019 at 17:07
  • β†—

Mining MAC Address and OUI Information, (Thu, Sep 26th)

So often when we're working an incident on the network side, we quickly end up at Layer 2, working with MAC Addresses.
  • September 26th 2019 at 16:29
  • β†—

Huge Amount of remotewebaccess.com Sites Found in Certificate Transparency Logs, (Tue, Sep 24th)

I'm keeping an eye on the certificate transparency logs[1] using automated scripts. The goal is to track domain names (and their variations) of my customers,Β sensitive services in Belgium, key Internet players and some interesting keywords. Yesterday I detected a peak of events related to the domain 'remotewebaccess.com'. This domain, owned by Microsoft, is used to provide temporary remote access to Windows computers[2]. Microsoft allows you to use your own domain but provides also (for more convenience?) a list of available domains. Once configured, you are able to access the computer from a browser:
  • September 24th 2019 at 07:45
  • β†—

YARA XOR Strings: an Update, (Sun, Sep 22nd)

Almost a year ago, I reported on a new feature in YARA version 3.8.0: YARA XOR Strings. The new YARA xor keyword allows for the search of strings that are XOR-encoded with a one-byte key.
  • September 23rd 2019 at 06:31
  • β†—

Video: Encrypted Sextortion PDFs, (Sun, Sep 22nd)

In this video, I show how to use my PDF tools together with QPDF and Poppler to deal with encrypted PDFs, like the sextortion PDFs that were submitted recently.
  • September 22nd 2019 at 18:14
  • β†—

Blacklisting or Whitelisting in the Right Way, (Thu, Sep 19th)

It's Friday today, I'd like to talk about something else. Black (or white) lists are everywhere today. Many security tools implement a way to allow/deny accesses or actions on resources based on "lists" bsides the automated processing of data. The approach to implement them is quite different:
  • September 20th 2019 at 07:41
  • β†—

Agent Tesla Trojan Abusing Corporate Email Accounts, (Thu, Sep 19th)

The trojan 'Agent Tesla'Β is not brand new, discovered in 2018, it is written in VisualBasic and has plenty of interesting features. Just have a look at the MITRE ATT&CK overview of its TTP[1].
  • September 19th 2019 at 06:47
  • β†—
❌