FreshRSS

🔒
❌ About FreshRSS
☷
△ 🔃
There are new available articles, click to refresh the page.
Before yesterdaySANS Internet Storm Center, InfoCON: green


Video: Stego & Cryptominers, (Sun, Feb 2nd)

A couple of months ago, I read a blog post about malware, cryptominers and WAV file steganography: malware authors are concealing cryptominers in sound files (WAV) using steganography. Each bit of the cryptominer executable is stored as the least-significant bit of each Pulse Code Modulation value (16-bit values in this example).
  • February 2nd 2020 at 13:27
  • ↗

Wireshark 3.2.1 Released, (Sat, Feb 1st)

Wireshark version 3.2.1 was released.
  • February 1st 2020 at 11:31
  • ↗

Network Security Perspective on Coronavirus Preparedness, (Mon, Jan 27th)

With the new Coronavirus outbreak starting to dominate the news, I want to go over some cybersecurity effects of a disease like this that you should prepare for.
  • January 27th 2020 at 17:31
  • ↗

Is Threat Hunting the new Fad?, (Sat, Jan 25th)

Over the past two years a lot of articles, processes, techniques and tools have been published on how to do Threat Hunting. I have been following the trend with great interest whether it be which process works best, methods and procedures to follow and adapt to your environment, and finally logs or tools that can help the hunt.
  • January 26th 2020 at 12:08
  • ↗

Complex Obfuscation VS Simple Trick, (Thu, Jan 23rd)

Today, I would like to make a comparison between two techniques applied to malicious code to try to bypass AV detection.
  • January 23rd 2020 at 07:25
  • ↗

DeepBlueCLI: Powershell Threat Hunting, (Tue, Jan 21st)

Happy New Year! Those among you who participated in the SANS Holiday Hack Challenge, also known as Kringlecon 2, this holiday season may have found themselves exposed to new tools or the opportunity to utilize one or two that had not hit your radar prior. Such was the case for me with DeepBlueCLI, a PowerShell module for threat hunting via Windows Event Logs.
  • January 21st 2020 at 06:13
  • ↗

Citrix ADC Exploits Update, (Mon, Jan 20th)

In today's diary, I am summarizing the current state of attacks exploiting the Citrix ADC vulnerability (CVE-2019-19781), using data from our SANS ISC honeypots. Our first two posts about this topic are here: [1] [2].
  • January 20th 2020 at 04:21
  • ↗

Summing up CVE-2020-0601, or the Let?s Decrypt vulnerability, (Thu, Jan 16th)

Last 24 hours have been extremely interesting – this month’s patch Tuesday by Microsoft brought to us 2 very interesting (and critical) vulnerabilities. The first one, the “BlueKeep” like remote code execution vulnerability in Remote Desktop Gateway (CVE-2020-0609, CVE-2020-0610) has been kind of ignored, although it’s really critical … so I guess I’ll continue doing that in this diary (but rest assured that we are keeping an eye on the RDG vulnerability as well).
  • January 16th 2020 at 21:55
  • ↗

Picks of 2019 malware - the large, the small and the one full of null bytes, (Thu, Jan 16th)

Although less than two days have gone by since the latest release of MSFT patches, I find that it would actually be hard to add anything interesting to them that hasn’t been discussed before, as the most important vulnerabilities (couple of RCEs and an interesting vulnerability in CryptoAPI) seemed to be all anyone talked about for the last 24 hours. If you didn’t hear anything about it, I suggest you take a look at the ISC coverage of the CryptoAPI vulnerability[1] as well as the Patch Tuesday overview[2]. But for the rest of us, I thought today might be a good day to take a short break from this topic and take a look at what the last year brought us instead.
  • January 16th 2020 at 06:57
  • ↗

CVE-2020-0601 Followup, (Wed, Jan 15th)

Among the patches Microsoft released yesterday, the vulnerability in the CryptoAPI got by far the most attention. Here are some answers to questions we have received about this vulnerability. Many of these questions also came from our webcast audience (for a recording, see https://sans.org/cryptoapi-isc ) Thanks to Jake Williams for helping us with the webcast!
  • January 16th 2020 at 02:52
  • ↗

Microsoft Patch Tuesday for January 2020, (Tue, Jan 14th)

[Special Note: we will have a special webcast on this topic at noon ET tomorrow (Wednesday, January 15th. See https://sans.org/cryptoapi-isc )
  • January 14th 2020 at 21:22
  • ↗

Citrix ADC Exploits: Overview of Observed Payloads, (Mon, Jan 13th)

If you missed Johannes' diary entry "Citrix ADC Exploits are Public and Heavily Used. Attempts to Install Backdoor" this Saturday, make sure to read it first.
  • January 13th 2020 at 10:34
  • ↗

ELK Dashboard and Logstash parser for tcp-honeypot Logs, (Sun, Jan 12th)

In my last two diaries, I shared a Pihole parser and dashboard to collect and view its logs in Elastic. In this diary, I'm sharing another parser and dashboard to visualize the data collected by Didier's tcp-honeypot. This is a work in progress. 
  • January 12th 2020 at 23:51
  • ↗

Citrix ADC Exploits are Public and Heavily Used. Attempts to Install Backdoor, (Sat, Jan 11th)

IMPORTANT UPDATE: CITRIX announced that a patch will be released on January 20th for Citrix ADC 11/12 and 13. Version 10 will have to wait until January 31st.  (https://support.citrix.com/article/CTX267027)
  • January 11th 2020 at 20:52
  • ↗

More Data Exfiltration, (Fri, Jan 10th)

Yesterday,  I posted a quick analysis of a malicious document that exfiltrates data from the compromised computer[1]. Here is another found that also exfiltrate data. The malware is delivered in an ACE archive. This file format remains common in phishing campaigns because the detection rate is lower at email gateways (many of them can’t handle the file format). The archive contains a PE file called ‘Payment Copy.exe’ (SHA256:88a6e2fd417d145b55125338b9f53ed3e16a6b27fae9a3042e187b5aa15d27aa). The payload is unknown on VT at this time.
  • January 10th 2020 at 06:38
  • ↗

Quick Analyzis of a(nother) Maldoc, (Thu, Jan 9th)

Yesterday, one of our readers (thank David!) submitted to us a malicious document disguised as a UPS invoice. Like David, do not hesitate to share samples with us, we like malware samples! I briefly checked the document. Nothing new, based on a classic macro, it was easy to analyze and I can give you an overview of the infection process and what kind of data can be exfiltrated.
  • January 9th 2020 at 12:15
  • ↗

Windows 7 - End of Life, (Thu, Jan 9th)

A quick reminder note today for everyone. Microsoft Windows 7 operating system is at End of Life on January 14, 2020. [1] 
  • January 9th 2020 at 02:41
  • ↗

A Quick Update on Scanning for CVE-2019-19781 (Citrix ADC / Gateway Vulnerability), (Tue, Jan 7th)

For the last week, I have been monitoring our honeypot logs for evidence of exploits taking advantage of CVE-2019-19781. Currently, I have not seen an actual "exploit" being used. But there is some evidence that people are scanning for vulnerable systems. Based on some of the errors made with these scans, I would not consider them "sophisticated." There is luckily still no public exploit I am aware of. But other sources I consider credible have indicated that they were able to create a code execution exploit.
  • January 7th 2020 at 13:16
  • ↗

SNMP service: still opened to the public and still queried by attackers, (Mon, Jan 6th)

Simple Network Management Protocol (SNMP) is a UDP service that runs on port 161/UDP. It is used for network management purposes and should be reachable only from known locations using secure channels.
  • January 6th 2020 at 21:05
  • ↗

Increase in Number of Sources January 3rd and 4th: spoofed, (Mon, Jan 6th)

Justin C alerted me in our Slack channel that GreyNoise, a commercial system similar to DShield, noted a large increase in the number of sources scanning. We do have these "Spikes" from time to time and had one for the last two days. Artifacts are usually not lasting that long, and we also did not have a notable change in the number of submitters. So I took a quick look at the data, and here is what I found:
  • January 6th 2020 at 05:05
  • ↗

etl2pcapng: Convert .etl Capture Files To .pcapng Format, (Sun, Jan 5th)

Over the holidays, I wanted to look into a packet capture file I created on Windows with a "netsh trace" command. Such an .etl file created with a "netsh trace" command can not be opened with Wireshark, you have to use Microsoft Message Analyzer.
  • January 5th 2020 at 12:48
  • ↗

KringleCon 2019, (Sat, Jan 4th)

The SANS Holiday Hack Challenge is an annual, free CTF.
  • January 4th 2020 at 17:26
  • ↗

CCPA - Quick Overview, (Fri, Jan 3rd)

It's been quiet lately.  Hopefully, it is not a calm before a storm if you will.  I crawled out from under my rock and found that the State of California law that offers new consumer protection went into effect Jan 1, 2020.   So I poked around the Interwebs to learn about what to expect.  For what it's worth, I am not a resident of California so I am not particularly entitled to these new protections today.  I do think it is a sign of what is coming.   Europe implemented the General Data Protection Regulation a couple of years ago.  There are more states adopting more consumer protections each year.  Let's hope they have enough teeth to have an impact.  I took some time to read through the law [1] to highlight it for you.  Please note, I am not an attorney or even have interest in being one.  Let's take a look.
  • January 3rd 2020 at 05:04
  • ↗

Ransomware in Node.js, (Thu, Jan 2nd)

Happy new year to all! I hope that you enjoyed the switch to 2020! From a security point of view, nothing changed and malicious code never stops trying to abuse our resources even during the holiday season. Here is a sample that I spotted two days ago. It’s an interesting one because it’s a malware that implements ransomware features developed in Node.js[1]! The stage one is not obfuscated and I suspect the script to be a prototype or a test… It has been submitted to VT from Bahrein (SHA256:90acae3f682f01864e49c756bc9d46f153fcc4a7e703fd1723a8aa7ec01b378c) and has currently a score of 12/58[2].
  • January 2nd 2020 at 08:09
  • ↗

"Nim httpclient/1.0.4", (Wed, Jan 1st)

"Nim httpclient/1.0.4" is the default User Agent string of the httpClient module of the Nim programming language (stable release).
  • January 1st 2020 at 18:12
  • ↗

Miscellaneous Updates to our "Threatfeed" API, (Mon, Dec 30th)

Much of the data offered by us is available via our API [1]. A popular feature of our API is our "threat feeds." We use them to distribute lists of IP addresses and hostnames that you may want to block. In particular, our feeds of mining pool IPs and hosts used by Shodan are popular. This weekend, I added a feed for Onyphe [2]. Onyphe is comparable to Shodan, and I do see a lot of scans from them lately, which is why I added the feed. While I was messing with the API, I also added the ability to retrieve hostnames in addition to IP addresses.
  • December 30th 2019 at 01:22
  • ↗

ELK Dashboard for Pihole Logs, (Sun, Dec 29th)

In my last Pihole Diary, I shared a Pihole parser to collect its logs and stored them into Elastic. In this diary, I'm sharing a dashboard to visualize the Pihole DNS data. Here are some of the output from the dashboard.
  • December 29th 2019 at 19:48
  • ↗

Corrupt Office Documents, (Sat, Dec 28th)

My tool to analyze CFBF files, oledump.py, is not only used to analyze malicious Office documents.
  • December 28th 2019 at 17:38
  • ↗

Enumerating office365 users, (Fri, Dec 27th)

I found a pretty strange request in a University Firewall being sent over and over:
  • December 27th 2019 at 19:19
  • ↗

Bypassing UAC to Install a Cryptominer, (Thu, Dec 26th)

First of all, Merry Christmas to all our readers! I hope you're enjoying the break with your family and friends! Even if everything slows down in this period, there is always malicious activity ongoing. I found a small PowerShell script that looked interesting for a quick diary. First of all, it has a VT score of 2/60[1]. It installs a cryptominer and its most interesting feature is the use of a classic technique to bypass UAC[2].
  • December 26th 2019 at 07:53
  • ↗
❌