FreshRSS

πŸ”’
❌ About FreshRSS
☷
β–³ πŸ”ƒ
There are new available articles, click to refresh the page.
Before yesterdaySANS Internet Storm Center, InfoCON: green

Bluekeep exploitation causing Bluekeep vulnerability scan to fail, (Tue, Nov 5th)

I woke up this morning to the long anticipated news that Bluekeep exploitation is happening in the wild.Β  As some of you may recall, back in August I wrote a diary demonstrating a way to scan for Bluekeep vulnerable devices.Β  So the next thing I did was check my Bluekeep scan results and was presented with this graph.
  • November 5th 2019 at 02:06
  • β†—

rConfig Install Directory Remote Code Execution Vulnerability Exploited, (Mon, Nov 4th)

Last week, Askar from Shells.Systems published two remote code execution (RCE) vulnerabilities in rConfig [1]. The blog post included details about these vulnerabilities and proof of concept code. Both vulnerabilities are trivially exploited by adding shell commands to specific URLs, and one of the vulnerabilities does not require authentication.
  • November 4th 2019 at 04:27
  • β†—

You Too? "Unusual Activity with Double Base64 Encoding", (Sun, Nov 3rd)

Last week, Guy wrote a diary entry "Unusual Activity with Double Base64 Encoding" describing unusual scanning activity he sees on his honeypot.
  • November 3rd 2019 at 22:09
  • β†—

Remark on EML Attachments, (Sat, Nov 2nd)

Jan Kopriva's interesting diary entry "EML attachments in O365 - a recipe for phishing" reminded me of another use of EML files for malicious purposes.
  • November 2nd 2019 at 11:33
  • β†—

Tip: Password Managers and 2FA, (Fri, Nov 1st)

I guess many of you use a password manager.
  • November 1st 2019 at 18:24
  • β†—

EML attachments in O365 - a recipe for phishing, (Thu, Oct 31st)

I’ve recently come across interesting behavior of Office 365 when EML files are attached to e-mail messages, which can be useful for any red teamers out there but which can potentially also make certain types of phishing attacks more successful.
  • October 31st 2019 at 10:12
  • β†—

Keep an Eye on Remote Access to Mailboxes, (Wed, Oct 30th)

BEC or "Business Email Compromize" is a trending thread for a while. The idea is simple: a corporate mailbox (usually from a C-level member)Β is compromized to send legitimate emails to other employees or partners. That's the very first step of a fraud that could have huge impacts.
  • October 30th 2019 at 09:13
  • β†—

Generating PCAP Files from YAML, (Tue, Oct 29th)

The PCAP[1] file format is everywhere. Many applications generate PCAP files based on information collected on the network. Then, they can be used as evidence, as another data source for investigations and much more. There exist plenty of tools[2] to work with PCAP files. CommonΒ operations are to anonymize captured traffic and replay it against another tool for testing purposes (demos, lab, PoC).
  • October 29th 2019 at 07:00
  • β†—

Using scdbg to Find Shellcode, (Sun, Oct 27th)

I've written a couple of diary entries about scdbg, a Windows 32-bit shellcode emulator.
  • October 28th 2019 at 07:02
  • β†—

Unusual Activity with Double Base64 Encoding, (Sun, Oct 27th)

This week I found this traffic in my honeypot, my first impression, it didn't look that unusual since Base64 encoding is used quite a bit to encode traffic to a web server. Using CyberChef, I decoded the Base64 portion to see what it was all about only to find out it was further encoded in Base64. Decoding the second Base64 revealed two IP address in it.
  • October 27th 2019 at 12:59
  • β†—

Wireshark 3.0.6 Released, (Sun, Oct 27th)

Wireshark version 3.0.6 was released.
  • October 27th 2019 at 09:19
  • β†—

VMware Patch Alert!, (Fri, Oct 25th)

Update Alert!Β  Patches are out for VMware VCSA (information disclosure in backups and restore) https://www.vmware.com/security/advisories/VMSA-2019-0018.html
  • October 25th 2019 at 16:16
  • β†—

More on DNS Archeology (with PowerShell), (Fri, Oct 25th)

I while back I posted a "part 1" story on DNS and DHCP recon ( https://isc.sans.edu/diary/DNS+and+DHCP+Recon+using+Powershell/20995 ) and recent events have given me some more to share on the topic.
  • October 25th 2019 at 15:13
  • β†—

Your Supply Chain Doesn't End At Receiving: How Do You Decommission Network Equipment?, (Thu, Oct 24th)

Trying to experiment with cutting edge security tools, without breaking the bank, often leads me to used equipment on eBay. High-end enterprise equipment is usually available at a bargain-basement price. For experiments or use in a home/lab network, I am willing to take the risk to receive the occasional "dud," and I usually can do without the support and other perks that come with equipment purchased full price.
  • October 24th 2019 at 05:53
  • β†—

Testing TLSv1.3 and supported ciphers, (Tue, Oct 22nd)

Few months ago I posted a series (well, actually 2) diaries about testing SSL/TLS configuration – if you missed them, the diaries are available here and here.
  • October 22nd 2019 at 19:36
  • β†—

What's up with TCP 853 (DNS over TLS)?, (Mon, Oct 21st)

I was looking at some of our data lat last week and noticed an increase probes on tcp %%port:853%%. For those of you who aren't aware, tcp port 853 is assigned to DNS over TLS as defined in RFC 7858. DNS over TLS (or DoT) was defined in 2016 as a way of hiding the contents of DNS requests from prying eyes on the network since DNS normally occurs in the clear over %%port:53%%. Of course, over the last few months all of the discussion has actually been about an alternative to DoT, DNS over HTTPS (or DoH) defined in RFC 8484, since the major web browser vendors (Google and Mozilla) have announced that they are or will be supporting DoH within the browser in the near future. For the moment, I'll stay out of the debate about the merits of DoT vs. DoH. But, back to this story, since I noticed the increase onΒ port 853, let's discuss DoT.Β Because DoT requires setting up a TLS connection, it was defined as a TCP protocol (where DNS was primarily UDP).Β There was a subsequent RFC 8094 which defined DNS over DTLS which moved this back to UDP, but obviously required more traffic to set up the initual TLS encryption, though once established could then potentially be pretty efficient. I had actually setup DoT on my home (bind9) DNS server just a few weeks ago using stunnel as described in the docs from isc.org, to do some testing, so seeing this increase got my attention (though I hadn't actually opened 853 to the internet, just to my internal network). I haven't setup a netcat listener or honeypot to capture the traffic, but you can see that while there were a couple of brief spikes in the number of targets late last year and then a ramping up starting around the beginning of September, the big jump including new scanners has just ramped up since the beginning of Oct. This first graph is 365 days.
  • October 21st 2019 at 18:20
  • β†—

Scanning Activity for NVMS-9000 Digital Video Recorder, (Sun, Oct 20th)

Since the beginning of October, my honeypot has been capturing numerous scans for DVR model NVMS-9000 which a PoC was released last year describing a "Stack Overflow in Base64 Authorization"[1].
  • October 20th 2019 at 23:35
  • β†—

What Assumptions Are You Making?, (Sat, Oct 19th)

If my security agents were not working correctly, then I would get an alert. Since no one said there is a problem with my security agents, then everything must be ok with them. These are just a couple of the assumptions that we make as cybersecurity practitioners each day about the security agents that serve to protect our respective organizations. While it is preferable to think that everything is ok, it is much better to validate that assumption regularly.Β 
  • October 19th 2019 at 13:10
  • β†—

Quick Malicious VBS Analysis, (Fri, Oct 18th)

Let’s have a look at a VBS sample found yesterday. It started as usual with a phishing email that contained a link to a malicious ZIP archive. This techniqueΒ is more and more common to deliver the first stage via a URL because it reduces the risk to have the first file blocked by classic security controls. The link was:
  • October 18th 2019 at 06:25
  • β†—

Phishing e-mail spoofing SPF-enabled domain, (Thu, Oct 17th)

On Monday, I found what looked like a run-of-the-mill phishing e-mail in my malware quarantine. The "hook" it used was quite a common one – it was a fake DHL delivery notification inserted as an image into the body of the e-mail in an attempt to make user open its attachments.
  • October 17th 2019 at 09:54
  • β†—

When MacOS Catalina Comes to Life: The First Few Minutes of Network Traffic From MacOS 10.15., (Mon, Oct 14th)

This post is continuing a series I started in April about network traffic from Windows 10. When dealing with network traffic, it is always good to know what is normal. As part of this series, I will investigate the first few minutes of network traffic from current operating systems. With macOS 10.15 Catalina just being released, I figured this might be an excellent next operating system to investigate.
  • October 16th 2019 at 22:43
  • β†—

Security Monitoring: At Network or Host Level?, (Wed, Oct 16th)

Today, to reach a decent security maturity, the keyword remains "visibility". There is nothing more frustrating than being blind about what's happening on a network or starting an investigation without any data (logs, events) to process. The question is: how to efficiently keep an eye on what's happening on your network? There are three key locations to collect data:
  • October 16th 2019 at 09:39
  • β†—

YARA's XOR Modifier, (Mon, Oct 14th)

YARA searches for strings inside files. Strings to search for are defined with YARA rules.
  • October 14th 2019 at 18:21
  • β†—

YARA v3.11.0 released, (Sat, Oct 12th)

A new version of YARA was released: v3.11.0.
  • October 12th 2019 at 21:16
  • β†—

Mining Live Networks for OUI Data Oddness, (Thu, Oct 10th)

My last story was a short script that takes MAC addresses in, and returns the OUI portion of that, along with the vendor who corresponds to that OUI.Β  (https://isc.sans.edu/diary/Mining+MAC+Address+and+OUI+Information/25360) Today we'll port that to PowerShell as a function and use that on a live network for some "hunting" to look for odd things.
  • October 10th 2019 at 12:40
  • β†—

Microsoft October 2019 Patch Tuesday, (Tue, Oct 8th)

This month we got patches for 59 vulnerabilities total.Β None of them have been previously disclosed nor are being exploited according to Microsoft.Β 
  • October 8th 2019 at 17:58
  • β†—

visNetwork for Network Data, (Sun, Oct 6th)

DFIR Redefined Part 3 - Deeper Functionality for Investigators with R series continued
  • October 6th 2019 at 00:55
  • β†—

Buffer overflows found in libpcap and tcpdump, (Thu, Oct 3rd)

It is always a bit worrisome when vulnerabilities are found in our favorite tools, but our tools are software like any other software and can have bugs, too. One of the feeds I have in my RSS reader is NIST National Vulnerability Database (NVD) feed. Earlier today, I noticed a bunch of CVEs show up there for libpcap and tcpdump. I hadn't noticed any major announcements of new versions or any automatic updates of those tools on any of my linux boxes, so I decided to head straight to the source, www.tcpdump.org. It turns out, there were new versions of both libpcap (new version is 1.9.1) and tcpdump (version 4.9.3) released on Monday. And, there under latest releases, it notes that this release "addresses a large number of vulnerabilities." It should also be noted, this is the first release in over 2 years. Quite of few of the vulnerabilities have CVEs dating from 2018. In all, this update addresses 33 CVEs. Hopefully, the major linux distros will roll out updates over the next few days or weeks. I haven't seen any indication that folks have tried to craft traffic to exploit any of these vulnerabilities, but that is always a concern when a tool like tcpdump or wireshark or the like has buffer overflows in their protocol parsers/decoders/dissectors. So, if you use tcpdump and/or any libpcap-based tools in your toolbox for network monitoring or network forensics, be on the lookout for updates from your linux distro or tool vendor or just go ahead and build your own copy from source.
  • October 4th 2019 at 05:27
  • β†—

"Lost_Files" Ransomware, (Thu, Oct 3rd)

Are good old malware still used by attackers today? Probably not running the original code but malware developers are… developers!Β They don’t reinvent the wheel and re-use code published here and there. I spotted aΒ ransomware which looked like an old one.
  • October 3rd 2019 at 06:06
  • β†—

A recent example of Emotet malspam, (Wed, Oct 2nd)

Shown below is an example of malicious spam (malspam) pushing Emotet malware.Β  It has an attached Word document with macros designed to install Emotet on a vulnerable Windows host.
  • October 2nd 2019 at 02:37
  • β†—

A Quick Look at Some Current Comment Spam, (Tue, Oct 1st)

As pretty much everybody else allowing comments, our site is getting its fair share of spam. Over the years, we implemented a number of countermeasures, so it is always interesting to see what makes it past these countermeasures. There are a number of recurring themes when it comes to spam:
  • October 1st 2019 at 17:25
  • β†—
❌