SANS Internet Storm Center, InfoCON: green

Internet banking sites and their use of TLS... and SSLv3... and SSLv2?!, (Fri, Dec 13th)

Although SSLv3 has been considered obsolete and insecure for a long time, a large number of web servers still support its use. And even though the numbers are much lower, some servers on the web support SSLv2 to this day as well. And, as it turns out, this is true even when it comes to web servers hosting internet banking portals…
  • December 13th 2019 at 07:26


Code & Data Reuse in the Malware Ecosystem, (Thu, Dec 12th)

In the past, I already had the opportunity to give some "security awareness" sessions to developers. One topic that was always debated is the reuse of existing code. Indeed, for a developer, it's tempting not to reinvent the wheel when somebody has already written a piece of code that achieves the expected results. From a time-saving perspective, it's a win for the developers, who can focus on other code. Of course, this can have side effects and introduce bugs, backdoors, etc., but that's not today's topic. Malware developers are also developers and have the same behavior. Code reuse has already been discussed several times[1]. For example, tools exist to detect cloned or reused code in the IDA disassembler[2][3].
  • December 12th 2019 at 07:47

Microsoft December 2019 Patch Tuesday, (Tue, Dec 10th)

This month we got patches for 36 vulnerabilities total. From those, seven are rated critical and one is already being exploited according to Microsoft. 
  • December 10th 2019 at 21:51

(Lazy) Sunday Maldoc Analysis, (Mon, Dec 9th)

I received another malicious Word document: with VBA macros and string obfuscation, launching a PowerShell downloader. As classic as they come.
  • December 9th 2019 at 00:08

Wireshark 3.0.7 Released, (Sun, Dec 8th)

Wireshark version 3.0.7 was released.
  • December 8th 2019 at 09:18

Integrating Pi-hole Logs in ELK with Logstash, (Sat, Dec 7th)

I wanted to parse and ingest my Pi-hole DNS logs into Elasticsearch for a while now, to be able to analyze them in various ways. I wrote four separate Grok parsers for Logstash to send the logs to an ELK stack. I am now able to view and analyze which domains have been sinkholed by gravity.list or regex.list (custom wildcard lists) and create the necessary dashboards to report on the DNS traffic. This is an example of the output in Discover. In this example, I have filtered out the dns_type: forwarded.
  • December 7th 2019 at 20:45

Phishing with a self-contained credentials-stealing webpage, (Fri, Dec 6th)

Phishing e-mails which are used to steal credentials usually depend on the user clicking a link that leads to a phishing website that looks like the login page for some valid service. Not all credential stealing has to be done using a remote website, however.
  • December 6th 2019 at 06:59

E-mail from Agent Tesla, (Thu, Dec 5th)

Last Thursday, only a day after Brad wrote a Diary about discovering an Agent Tesla sample in Any.Run[1], I found a request for analysis of a suspicious file in my inbox. The file turned out to be the first part of a multi-stage downloader for Agent Tesla, and since Brad wrote about what happens after this malware arrives at the target (i.e. data exfiltration using SMTP), I thought that a closer look at what comes before the infection might nicely complete the picture of how the malware operates.
  • December 5th 2019 at 07:18

Analysis of a strangely poetic malware, (Wed, Dec 4th)

Although given its name, one might expect this diary to be about the Elk Cloner[1], that is not the case. The malware we will take a look at is recent and much simpler, yet still interesting in its own way.
  • December 4th 2019 at 07:50

Next up, what's up with TCP port 26?, (Mon, Dec 2nd)

Whenever I sign up for another shift, if I don't already have a diary topic in mind, I take a look at the top 10 ports in the dashboard when I log in to isc.sans.edu. For the last few weeks, I've noticed port 26 showing up, so I decided to see if I could figure out what was going on there.
  • December 2nd 2019 at 19:37

ISC Snapshot: Search with SauronEye, (Fri, Nov 29th)

SauronEye is a search tool built to aid red teams in finding files containing specific keywords.
  • November 29th 2019 at 03:11

Finding an Agent Tesla malware sample, (Wed, Nov 27th)

I was browsing through the Any Run sandbox looking through the public submissions of malware with pcaps of infection traffic from Tuesday 2019-11-26. I found this one, and it's tagged agenttesla. Agent Tesla is an information stealer. Based on the file name, this Agent Tesla malware sample may have been disguised as an installer for Discord.
  • November 27th 2019 at 00:29

Lessons learned from playing a willing phish, (Tue, Nov 26th)

Replying to phishing e-mails can lead to some interesting experiences (besides falling for the scams they offer, that is). Since it doesn't require deep technical know-how or any special expertise, it is something I recommend everyone try out at least once, as it can lead to some funny moments and show us that the phishing trade doesn't always operate in the way we might expect it to.
  • November 26th 2019 at 11:07

My Little DoH Setup, (Mon, Nov 25th)

"DoH"[1], this three-letter acronym is a buzzword on the Internet in 2019! It has been implemented in Firefox, and Microsoft announced that Windows will support it soon. There are pros and cons to encrypting DNS requests in HTTPS, but it's not the goal of this diary to restart the debate. In a previous diary, he explained how to prevent DoH from being used by Firefox[2] but, this time, I'll play on the other side and explain to you how to implement it in a way that keeps control of your DNS traffic (read: how to keep an eye on DNS requests performed by users and systems). For a while, I had the idea to test a DoH configuration, but I had some requirements:
  • November 25th 2019 at 08:34

Local Malware Analysis with Malice, (Sat, Nov 23rd)

This project (Malice) provides the ability to have your own locally managed multi-engine malware scanning system. The framework allows the owner to analyze files for known malware. It can be used as a command-line tool to analyze samples, and the results can be reviewed via a Kibana web interface. The Command-Line Interface (CLI) is used to scan a file or directory, or it can be set up to watch and scan new files when they are copied into a write-only directory.
  • November 23rd 2019 at 21:53

Abusing Web Filters Misconfiguration for Reconnaissance, (Fri, Nov 22nd)

Yesterday, an interesting incident was detected while working at a customer SOC. They use a "next-generation" firewall that implements a web filter based on categories. This is common in many organizations today: users' web traffic is allowed/denied based on a URL categorization database (like "adult content", "hacking", "gambling", …). How was it detected?
  • November 22nd 2019 at 06:34

Gathering information to determine unusual network traffic, (Thu, Nov 21st)

When working with threat intelligence, it's vital to collect indicators of compromise to be able to determine possible attack patterns. What could be catalogued as unusual network traffic? This is all traffic that is not normally seen in the network, meaning that after building a frequency table, all IP addresses that appear less than 1% of the time are suspicious and should be investigated.
  • November 21st 2019 at 21:45

Cheap Chinese JAWS of DVR Exploitability on Port 60001, (Tue, Nov 19th)

Looking at some local IP addresses in our database during class this week, I came across a host scanning exclusively for port 60001. Interestingly, we did see a marked increase in scans for this port in recent weeks.
  • November 19th 2019 at 17:58

SMS and 2FA: Another Reason to Move away from It., (Mon, Nov 18th)

Developing applications around SMS has become very popular, with several companies offering simple to use APIs and attractive pricing to send and receive SMS. One security-related application of these SMS APIs (for the right or wrong reasons) has been simple two-factor authentication. This time, I don't want to talk so much about the security reasons not to use SMS to authenticate to critical systems, but some of the technical changes that are happening with SMS in the US and Canada.
  • November 18th 2019 at 04:55

Some packet-fu with Zeek (previously known as bro), (Mon, Nov 11th)

During an incident response process, one of the fundamental variables to consider is speed. If a network capture is being made in which we can presumably find evidence of who is causing an incident and how, every second counts in order to get ahead of the attacker in the cyber kill chain sequence.
  • November 14th 2019 at 19:42

November 2019 Microsoft Patch Tuesday, (Tue, Nov 12th)

Microsoft today patched a total of 74 vulnerabilities. This patch Tuesday release also includes two advisories. 15 of the vulnerabilities are rated critical.
  • November 12th 2019 at 18:23

Are We Going Back to TheMoon (and How is Liquor Involved)?, (Mon, Nov 11th)

Earlier today, we received an email from an analyst for a large corporation. He asked:
  • November 11th 2019 at 19:24

Did the recent malicious BlueKeep campaign have any positive impact when it comes to patching?, (Sun, Nov 10th)

After news of "mass exploitation" of a specific vulnerability hits mainstream media, even organizations that don't have a formal (or any) patch management process in place usually start to smell the ashes and try to quickly apply the relevant patches. Since media coverage of the recent BlueKeep campaign was quite extensive, I wondered whether the number of vulnerable machines would start diminishing significantly as a result.
  • November 10th 2019 at 10:53

Fake Netflix Update Request by Text, (Sat, Nov 9th)

In the past week, I have received texts asking to update my Netflix account information. It is obvious the URL listed in the text isn't Netflix. The text looks like this:
  • November 9th 2019 at 16:36

Microsoft Apps Diverted from Their Main Use, (Fri, Nov 8th)

This week, CERT.eu[1] organized its yearly conference in Brussels. Among many interesting presentations, one of them covered what they called the "cat'n'mouse" game that Blue and Red teams are playing continuously. When the Blue team has detected an attack technique, they write a rule or implement a new control to detect or block it. Then, the Red team has to find an alternative attack path, and so on… A classic example is the detection of malicious activity via parent/child process relations. It's quite common to implement the following simple rule (in Sigma[2] format):
  • November 8th 2019 at 07:02

Getting the best value out of security assessments, (Thu, Nov 7th)

Since my day job is all about hacking, I get a lot of questions (and there appears to be a lot of confusion) about what a vulnerability scan, penetration test or red team assessment is.
  • November 7th 2019 at 10:16

Bluekeep exploitation causing Bluekeep vulnerability scan to fail, (Tue, Nov 5th)

I woke up this morning to the long anticipated news that Bluekeep exploitation is happening in the wild. As some of you may recall, back in August I wrote a diary demonstrating a way to scan for Bluekeep vulnerable devices. So the next thing I did was check my Bluekeep scan results and was presented with this graph.
  • November 5th 2019 at 02:06

rConfig Install Directory Remote Code Execution Vulnerability Exploited, (Mon, Nov 4th)

Last week, Askar from Shells.Systems published two remote code execution (RCE) vulnerabilities in rConfig [1]. The blog post included details about these vulnerabilities and proof of concept code. Both vulnerabilities are trivially exploited by adding shell commands to specific URLs, and one of the vulnerabilities does not require authentication.
  • November 4th 2019 at 04:27