SANS Internet Storm Center, InfoCON: green


Sandbox Detection Tricks & Nice Obfuscation in a Single VBScript , (Fri, Feb 7th)

I found an interesting VBScript sample that is a perfect textbook case for training or learning purposes. It implements a nice obfuscation technique as well as many classic sandbox detection mechanisms. The script is a dropper: it extracts from its code a DLL that will be loaded if the script is running outside of a sandbox. Its current VT score is 25/57 (SHA256: 29d3955048f21411a869d87fb8dc2b22ff6b6609dd2d95b7ae8d269da7c8cc3d)[1].
  • February 7th 2020 at 07:40

Analysis of a triple-encrypted AZORult downloader, (Mon, Feb 3rd)

I recently came across an interesting malicious document. Distributed as an attachment of a run-of-the-mill malspam message, the file with a DOC extension didn’t look like anything special at first glance. However, although it does use macros as one might expect, in the end, it turned out not to be the usual simple maldoc as the following chart indicates.
  • February 3rd 2020 at 07:07


Video: Stego & Cryptominers, (Sun, Feb 2nd)

A couple of months ago, I read a blog post about malware, cryptominers and WAV file steganography: malware authors are concealing cryptominers in sound files (WAV) using steganography. Each bit of the cryptominer executable is stored as the least-significant bit of each Pulse Code Modulation value (16-bit values in this example).
  • February 2nd 2020 at 13:27

Wireshark 3.2.1 Released, (Sat, Feb 1st)

Wireshark version 3.2.1 was released.
  • February 1st 2020 at 11:31

Network Security Perspective on Coronavirus Preparedness, (Mon, Jan 27th)

With the new Coronavirus outbreak starting to dominate the news, I want to go over some cybersecurity effects of a disease like this that you should prepare for.
  • January 27th 2020 at 17:31

Is Threat Hunting the new Fad?, (Sat, Jan 25th)

Over the past two years a lot of articles, processes, techniques and tools have been published on how to do Threat Hunting. I have been following the trend with great interest whether it be which process works best, methods and procedures to follow and adapt to your environment, and finally logs or tools that can help the hunt.
  • January 26th 2020 at 12:08

Complex Obfuscation VS Simple Trick, (Thu, Jan 23rd)

Today, I would like to make a comparison between two techniques applied to malicious code to try to bypass AV detection.
  • January 23rd 2020 at 07:25

DeepBlueCLI: Powershell Threat Hunting, (Tue, Jan 21st)

Happy New Year! Those among you who participated in the SANS Holiday Hack Challenge, also known as Kringlecon 2, this holiday season may have found themselves exposed to new tools or the opportunity to utilize one or two that had not hit your radar prior. Such was the case for me with DeepBlueCLI, a PowerShell module for threat hunting via Windows Event Logs.
  • January 21st 2020 at 06:13

Citrix ADC Exploits Update, (Mon, Jan 20th)

In today's diary, I am summarizing the current state of attacks exploiting the Citrix ADC vulnerability (CVE-2019-19781), using data from our SANS ISC honeypots. Our first two posts about this topic are here: [1] [2].
  • January 20th 2020 at 04:21

Summing up CVE-2020-0601, or the Let's Decrypt vulnerability, (Thu, Jan 16th)

The last 24 hours have been extremely interesting – this month’s Patch Tuesday by Microsoft brought us 2 very interesting (and critical) vulnerabilities. The first one, the “BlueKeep”-like remote code execution vulnerability in Remote Desktop Gateway (CVE-2020-0609, CVE-2020-0610), has been kind of ignored, although it’s really critical … so I guess I’ll continue doing that in this diary (but rest assured that we are keeping an eye on the RDG vulnerability as well).
  • January 16th 2020 at 21:55

Picks of 2019 malware - the large, the small and the one full of null bytes, (Thu, Jan 16th)

Although less than two days have gone by since the latest release of MSFT patches, I find that it would actually be hard to add anything interesting to them that hasn’t been discussed before, as the most important vulnerabilities (a couple of RCEs and an interesting vulnerability in CryptoAPI) seemed to be all anyone talked about for the last 24 hours. If you didn’t hear anything about it, I suggest you take a look at the ISC coverage of the CryptoAPI vulnerability[1] as well as the Patch Tuesday overview[2]. But for the rest of us, I thought today might be a good day to take a short break from this topic and take a look at what the last year brought us instead.
  • January 16th 2020 at 06:57

CVE-2020-0601 Followup, (Wed, Jan 15th)

Among the patches Microsoft released yesterday, the vulnerability in the CryptoAPI got by far the most attention. Here are some answers to questions we have received about this vulnerability. Many of these questions also came from our webcast audience (for a recording, see https://sans.org/cryptoapi-isc ). Thanks to Jake Williams for helping us with the webcast!
  • January 16th 2020 at 02:52

Microsoft Patch Tuesday for January 2020, (Tue, Jan 14th)

[Special Note: we will have a special webcast on this topic at noon ET tomorrow (Wednesday, January 15th). See https://sans.org/cryptoapi-isc ]
  • January 14th 2020 at 21:22

Citrix ADC Exploits: Overview of Observed Payloads, (Mon, Jan 13th)

If you missed Johannes' diary entry "Citrix ADC Exploits are Public and Heavily Used. Attempts to Install Backdoor" this Saturday, make sure to read it first.
  • January 13th 2020 at 10:34

ELK Dashboard and Logstash parser for tcp-honeypot Logs, (Sun, Jan 12th)

In my last two diaries, I shared a Pihole parser and dashboard to collect and view its logs in Elastic. In this diary, I'm sharing another parser and dashboard to visualize the data collected by Didier's tcp-honeypot. This is a work in progress. 
  • January 12th 2020 at 23:51

Citrix ADC Exploits are Public and Heavily Used. Attempts to Install Backdoor, (Sat, Jan 11th)

IMPORTANT UPDATE: CITRIX announced that a patch will be released on January 20th for Citrix ADC 11/12 and 13. Version 10 will have to wait until January 31st. (https://support.citrix.com/article/CTX267027)
  • January 11th 2020 at 20:52

More Data Exfiltration, (Fri, Jan 10th)

Yesterday, I posted a quick analysis of a malicious document that exfiltrates data from the compromised computer[1]. Here is another one that also exfiltrates data. The malware is delivered in an ACE archive. This file format remains common in phishing campaigns because the detection rate is lower at email gateways (many of them can’t handle the file format). The archive contains a PE file called ‘Payment Copy.exe’ (SHA256:88a6e2fd417d145b55125338b9f53ed3e16a6b27fae9a3042e187b5aa15d27aa). The payload is unknown on VT at this time.
  • January 10th 2020 at 06:38

Quick Analysis of a(nother) Maldoc, (Thu, Jan 9th)

Yesterday, one of our readers (thanks David!) submitted to us a malicious document disguised as a UPS invoice. Like David, do not hesitate to share samples with us, we like malware samples! I briefly checked the document. Nothing new, based on a classic macro, it was easy to analyze and I can give you an overview of the infection process and what kind of data can be exfiltrated.
  • January 9th 2020 at 12:15

Windows 7 - End of Life, (Thu, Jan 9th)

A quick reminder note today for everyone. The Microsoft Windows 7 operating system reaches End of Life on January 14, 2020. [1]
  • January 9th 2020 at 02:41

A Quick Update on Scanning for CVE-2019-19781 (Citrix ADC / Gateway Vulnerability), (Tue, Jan 7th)

For the last week, I have been monitoring our honeypot logs for evidence of exploits taking advantage of CVE-2019-19781. Currently, I have not seen an actual "exploit" being used. But there is some evidence that people are scanning for vulnerable systems. Based on some of the errors made with these scans, I would not consider them "sophisticated." There is luckily still no public exploit I am aware of. But other sources I consider credible have indicated that they were able to create a code execution exploit.
  • January 7th 2020 at 13:16

SNMP service: still opened to the public and still queried by attackers, (Mon, Jan 6th)

Simple Network Management Protocol (SNMP) is a UDP service that runs on port 161/UDP. It is used for network management purposes and should be reachable only from known locations using secure channels.
  • January 6th 2020 at 21:05

Increase in Number of Sources January 3rd and 4th: spoofed, (Mon, Jan 6th)

Justin C alerted me in our Slack channel that GreyNoise, a commercial system similar to DShield, noted a large increase in the number of sources scanning. We do have these "Spikes" from time to time and had one for the last two days. Artifacts are usually not lasting that long, and we also did not have a notable change in the number of submitters. So I took a quick look at the data, and here is what I found:
  • January 6th 2020 at 05:05

etl2pcapng: Convert .etl Capture Files To .pcapng Format, (Sun, Jan 5th)

Over the holidays, I wanted to look into a packet capture file I created on Windows with a "netsh trace" command. Such an .etl file created with a "netsh trace" command cannot be opened with Wireshark; you have to use Microsoft Message Analyzer.
  • January 5th 2020 at 12:48

KringleCon 2019, (Sat, Jan 4th)

The SANS Holiday Hack Challenge is an annual, free CTF.
  • January 4th 2020 at 17:26

CCPA - Quick Overview, (Fri, Jan 3rd)

It's been quiet lately. Hopefully, it is not the calm before a storm, if you will. I crawled out from under my rock and found that the State of California law that offers new consumer protection went into effect Jan 1, 2020. So I poked around the Interwebs to learn about what to expect. For what it's worth, I am not a resident of California, so I am not particularly entitled to these new protections today. I do think it is a sign of what is coming. Europe implemented the General Data Protection Regulation a couple of years ago. There are more states adopting more consumer protections each year. Let's hope they have enough teeth to have an impact. I took some time to read through the law [1] to highlight it for you. Please note, I am not an attorney, nor do I have any interest in being one. Let's take a look.
  • January 3rd 2020 at 05:04

Ransomware in Node.js, (Thu, Jan 2nd)

Happy New Year to all! I hope that you enjoyed the switch to 2020! From a security point of view, nothing changed, and malicious code never stops trying to abuse our resources, even during the holiday season. Here is a sample that I spotted two days ago. It’s an interesting one because it’s a malware that implements ransomware features developed in Node.js[1]! Stage one is not obfuscated and I suspect the script to be a prototype or a test… It has been submitted to VT from Bahrain (SHA256:90acae3f682f01864e49c756bc9d46f153fcc4a7e703fd1723a8aa7ec01b378c) and currently has a score of 12/58[2].
  • January 2nd 2020 at 08:09

"Nim httpclient/1.0.4", (Wed, Jan 1st)

"Nim httpclient/1.0.4" is the default User Agent string of the httpClient module of the Nim programming language (stable release).
  • January 1st 2020 at 18:12