SANS Internet Storm Center, InfoCON: green

Increase in Number of Sources January 3rd and 4th: spoofed, (Mon, Jan 6th)

Justin C alerted me in our Slack channel that GreyNoise, a commercial system similar to DShield, noted a large increase in the number of sources scanning. We do have these "Spikes" from time to time and had one for the last two days. Artifacts are usually not lasting that long, and we also did not have a notable change in the number of submitters. So I took a quick look at the data, and here is what I found:
  • January 6th 2020 at 05:05

etl2pcapng: Convert .etl Capture Files To .pcapng Format, (Sun, Jan 5th)

Over the holidays, I wanted to look into a packet capture file I created on Windows with a "netsh trace" command. Such an .etl file created with a "netsh trace" command cannot be opened with Wireshark; you have to use Microsoft Message Analyzer.
  • January 5th 2020 at 12:48

KringleCon 2019, (Sat, Jan 4th)

The SANS Holiday Hack Challenge is an annual, free CTF.
  • January 4th 2020 at 17:26

CCPA - Quick Overview, (Fri, Jan 3rd)

It's been quiet lately. Hopefully, it is not a calm before a storm, if you will. I crawled out from under my rock and found that the State of California law that offers new consumer protection went into effect Jan 1, 2020. So I poked around the Interwebs to learn about what to expect. For what it's worth, I am not a resident of California, so I am not particularly entitled to these new protections today. I do think it is a sign of what is coming. Europe implemented the General Data Protection Regulation a couple of years ago. There are more states adopting more consumer protections each year. Let's hope they have enough teeth to have an impact. I took some time to read through the law [1] to highlight it for you. Please note, I am not an attorney, nor do I have any interest in being one. Let's take a look.
  • January 3rd 2020 at 05:04

Ransomware in Node.js, (Thu, Jan 2nd)

Happy new year to all! I hope that you enjoyed the switch to 2020! From a security point of view, nothing changed, and malicious code never stops trying to abuse our resources, even during the holiday season. Here is a sample that I spotted two days ago. It's an interesting one because it's a malware that implements ransomware features developed in Node.js[1]! The stage one is not obfuscated, and I suspect the script to be a prototype or a test… It has been submitted to VT from Bahrain (SHA256:90acae3f682f01864e49c756bc9d46f153fcc4a7e703fd1723a8aa7ec01b378c) and currently has a score of 12/58[2].
  • January 2nd 2020 at 08:09

"Nim httpclient/1.0.4", (Wed, Jan 1st)

"Nim httpclient/1.0.4" is the default User Agent string of the httpClient module of the Nim programming language (stable release).
  • January 1st 2020 at 18:12

Miscellaneous Updates to our "Threatfeed" API, (Mon, Dec 30th)

Much of the data offered by us is available via our API [1]. A popular feature of our API is our "threat feeds." We use them to distribute lists of IP addresses and hostnames that you may want to block. In particular, our feeds of mining pool IPs and hosts used by Shodan are popular. This weekend, I added a feed for Onyphe [2]. Onyphe is comparable to Shodan, and I do see a lot of scans from them lately, which is why I added the feed. While I was messing with the API, I also added the ability to retrieve hostnames in addition to IP addresses.
  • December 30th 2019 at 01:22

ELK Dashboard for Pihole Logs, (Sun, Dec 29th)

In my last Pihole Diary, I shared a Pihole parser to collect its logs and store them in Elastic. In this diary, I'm sharing a dashboard to visualize the Pihole DNS data. Here is some of the output from the dashboard.
  • December 29th 2019 at 19:48

Corrupt Office Documents, (Sat, Dec 28th)

My tool to analyze CFBF files, oledump.py, is not only used to analyze malicious Office documents.
  • December 28th 2019 at 17:38

Enumerating office365 users, (Fri, Dec 27th)

I found a pretty strange request in a University Firewall being sent over and over:
  • December 27th 2019 at 19:19

Bypassing UAC to Install a Cryptominer, (Thu, Dec 26th)

First of all, Merry Christmas to all our readers! I hope you're enjoying the break with your family and friends! Even if everything slows down in this period, there is always malicious activity ongoing. I found a small PowerShell script that looked interesting for a quick diary. First of all, it has a VT score of 2/60[1]. It installs a cryptominer, and its most interesting feature is the use of a classic technique to bypass UAC[2].
  • December 26th 2019 at 07:53

Merry Christmas!, (Wed, Dec 25th)

We wish you and your families a merry Christmas!
  • December 25th 2019 at 22:18

Timely acquisition of network traffic evidence in the middle of an incident response procedure, (Wed, Dec 25th)

The acquisition of evidence is one of the procedures that always brings controversy in incident management. We must answer questions such as:
  • December 25th 2019 at 22:15

New oledump.py plugin: plugin_version_vba, (Mon, Dec 23rd)

In diary entry "VBA Office Document: Which Version?", I explain how to identify the Office version that was used to create a document with VBA macros.
  • December 23rd 2019 at 17:43

Extracting VBA Macros From .DWG Files, (Sun, Dec 22nd)

I updated my oledump.py tool to help with the analysis of files that embed OLE files, like AutoCAD's .dwg files with VBA macros.
  • December 22nd 2019 at 11:01

Wireshark 3.2.0 Released, (Sat, Dec 21st)

Wireshark version 3.2.0 was released, with many improvements.
  • December 21st 2019 at 09:57

More DNS over HTTPS: Become One With the Packet. Be the Query. See the Query, (Thu, Dec 19th)

Two days ago, I wrote about how to profile traffic to recognize DNS over HTTPS. This is kind of a problem for DNS over HTTPS. If you can see it, you may be able to block it. On Twitter, a few chimed in to provide feedback about recognizing DNS over HTTPS. I checked a couple of other clients, and well, didn't have a ton of time so this is still very preliminary:
  • December 19th 2019 at 16:38

Is it Possible to Identify DNS over HTTPs Without Decrypting TLS?, (Tue, Dec 17th)

Whenever I talk about DNS over HTTPS (DoH), the question comes up if it is possible to fingerprint DoH traffic without decrypting it. The idea is that something about DoH packets is different enough to identify them.
  • December 17th 2019 at 03:47

Malicious .DWG Files?, (Mon, Dec 16th)

This weekend, I took a look at AutoCAD drawing files (.dwg) with embedded VBA macros.
  • December 16th 2019 at 01:21

VirusTotal Email Submissions, (Sun, Dec 15th)

I think it's a good idea to highlight VirusTotal's Email Submission feature, as I recently had to point this out to a couple of people.
  • December 15th 2019 at 12:13

(Lazy) Sunday Maldoc Analysis: A Bit More ..., (Sat, Dec 14th)

At the end of my diary entry "(Lazy) Sunday Maldoc Analysis", I wrote that there was something unusual about this document.
  • December 14th 2019 at 20:08

Internet banking sites and their use of TLS... and SSLv3... and SSLv2?!, (Fri, Dec 13th)

Although SSLv3 has been considered obsolete and insecure for a long time, a large number of web servers still support its use. And even though the numbers are much lower, some servers on the web support SSLv2 to this day as well. And, as it turns out, this is true even when it comes to web servers hosting internet banking portals…
  • December 13th 2019 at 07:26

Code & Data Reuse in the Malware Ecosystem, (Thu, Dec 12th)

In the past, I already had the opportunity to give some "security awareness" sessions to developers. One topic that was always debated is the reuse of existing code. Indeed, for a developer, it's tempting not to reinvent the wheel when somebody has already written a piece of code that achieves the expected results. From a time-saving perspective, it's a win for the developers, who can focus on other code. Of course, this can have side effects and introduce bugs, backdoors, etc., but it's not today's topic. Malware developers are also developers and have the same behavior. Code reuse has already been discussed several times[1]. For example, tools exist to detect cloned or reused code in the IDA disassembler[2][3].
  • December 12th 2019 at 07:47

Microsoft December 2019 Patch Tuesday, (Tue, Dec 10th)

This month we got patches for 36 vulnerabilities total. Of those, seven are rated critical and one is already being exploited, according to Microsoft.
  • December 10th 2019 at 21:51

(Lazy) Sunday Maldoc Analysis, (Mon, Dec 9th)

I received another malicious Word document: with VBA macros and string obfuscation, launching a PowerShell downloader. As classic as they come.
  • December 9th 2019 at 00:08

Wireshark 3.0.7 Released, (Sun, Dec 8th)

Wireshark version 3.0.7 was released.
  • December 8th 2019 at 09:18

Integrating Pi-hole Logs in ELK with Logstash, (Sat, Dec 7th)

I have wanted to parse and ingest my Pi-hole DNS logs into Elasticsearch for a while now, to be able to analyze them in various ways. I wrote four separate Grok parsers for Logstash to send the logs to an ELK stack. I am now able to view and analyze which domains have been sinkholed by gravity.list or regex.list (custom wildcard lists) and create the necessary dashboards to report on the DNS traffic. This is an example of the output in Discover. In this example, I have filtered out the dns_type: forwarded.
  • December 7th 2019 at 20:45

Phishing with a self-contained credentials-stealing webpage, (Fri, Dec 6th)

Phishing e-mails which are used to steal credentials usually depend on a user clicking a link which leads to a phishing website that looks like the login page for some valid service. Not all credential stealing has to be done using a remote website, however.
  • December 6th 2019 at 06:59

E-mail from Agent Tesla, (Thu, Dec 5th)

Last Thursday, only a day after Brad wrote a Diary about discovering an Agent Tesla sample in Any.Run[1], I found a request for analysis of a suspicious file in my inbox. The file turned out to be the first part of a multi-stage downloader for Agent Tesla, and since Brad wrote about what happens after this malware arrives at the target (i.e. data exfiltration using SMTP), I thought that a closer look at what comes before the infection might nicely complete the picture of how the malware operates.
  • December 5th 2019 at 07:18

Analysis of a strangely poetic malware, (Wed, Dec 4th)

Although given its name, one might expect this diary to be about the Elk Cloner[1], that is not the case. The malware we will take a look at is recent and much simpler, yet still interesting in its own way.
  • December 4th 2019 at 07:50

Next up, what's up with TCP port 26?, (Mon, Dec 2nd)

Whenever I sign up for another shift, if I don't already have a diary topic in mind, I take a look at the top 10 ports in the dashboard when I log in to isc.sans.edu. For the last few weeks, I've noticed port 26 showing up, so I decided to see if I could figure out what was going on there.
  • December 2nd 2019 at 19:37

ISC Snapshot: Search with SauronEye, (Fri, Nov 29th)

SauronEye is a search tool built to aid red teams in finding files containing specific keywords.
  • November 29th 2019 at 03:11