FreshRSS

SANS Internet Storm Center, InfoCON: green

Auth-mageddon deferred (but not averted), Microsoft LDAP Changes now slated for Q3Q4 2020, (Thu, Feb 13th)

Good news, sort of: Microsoft has deferred their March changes to LDAP, citing the Christmas change freeze that most sensible organizations implement as their reason:
  • February 13th 2020 at 13:47

March Patch Tuesday is Coming - the LDAP Changes will Change Your Life!, (Wed, Feb 12th)

Next month Microsoft will be changing the default behaviour for LDAP: cleartext, unsigned LDAP queries against AD (over port 389) will be disabled by default - https://support.microsoft.com/en-gb/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows . You'll still be able to override that using registry keys or group policy, but the best advice is to configure all LDAP clients to use encrypted, signed LDAPS queries (over port 636).
  • February 13th 2020 at 01:21

Current PayPal phishing campaign or "give me all your personal information", (Mon, Feb 10th)

One of my colleagues sent me a new PayPal phishing e-mail today. Although it was fairly usual, as phishing e-mails go, since the campaign is still active and since it shows the current "let’s take all that we can get" mentality of the attackers quite well, I thought it was worth a short diary.
  • February 10th 2020 at 08:27


Sandbox Detection Tricks & Nice Obfuscation in a Single VBScript, (Fri, Feb 7th)

I found an interesting VBScript sample that is a perfect textbook case for training or learning purposes. It implements a nice obfuscation technique as well as many classic sandbox detection mechanisms. The script is a dropper: it extracts from its code a DLL that will be loaded if the script is running outside of a sandbox. Its current VT score is 25/57 (SHA256: 29d3955048f21411a869d87fb8dc2b22ff6b6609dd2d95b7ae8d269da7c8cc3d)[1].
  • February 7th 2020 at 07:40

Analysis of a triple-encrypted AZORult downloader, (Mon, Feb 3rd)

I recently came across an interesting malicious document. Distributed as an attachment of a run-of-the-mill malspam message, the file with a DOC extension didn’t look like anything special at first glance. However, although it does use macros as one might expect, in the end, it turned out not to be the usual simple maldoc as the following chart indicates.
  • February 3rd 2020 at 07:07


Video: Stego & Cryptominers, (Sun, Feb 2nd)

A couple of months ago, I read a blog post about malware, cryptominers and WAV file steganography: malware authors are concealing cryptominers in sound files (WAV) using steganography. Each bit of the cryptominer executable is stored as the least-significant bit of each Pulse Code Modulation value (16-bit values in this example).
  • February 2nd 2020 at 13:27

Wireshark 3.2.1 Released, (Sat, Feb 1st)

Wireshark version 3.2.1 was released.
  • February 1st 2020 at 11:31

Network Security Perspective on Coronavirus Preparedness, (Mon, Jan 27th)

With the new Coronavirus outbreak starting to dominate the news, I want to go over some cybersecurity effects of a disease like this that you should prepare for.
  • January 27th 2020 at 17:31

Is Threat Hunting the new Fad?, (Sat, Jan 25th)

Over the past two years a lot of articles, processes, techniques and tools have been published on how to do Threat Hunting. I have been following the trend with great interest whether it be which process works best, methods and procedures to follow and adapt to your environment, and finally logs or tools that can help the hunt.
  • January 26th 2020 at 12:08

Complex Obfuscation VS Simple Trick, (Thu, Jan 23rd)

Today, I would like to make a comparison between two techniques applied to malicious code to try to bypass AV detection.
  • January 23rd 2020 at 07:25

DeepBlueCLI: Powershell Threat Hunting, (Tue, Jan 21st)

Happy New Year! Those among you who participated in the SANS Holiday Hack Challenge, also known as Kringlecon 2, this holiday season may have found themselves exposed to new tools or the opportunity to utilize one or two that had not hit your radar prior. Such was the case for me with DeepBlueCLI, a PowerShell module for threat hunting via Windows Event Logs.
  • January 21st 2020 at 06:13

Citrix ADC Exploits Update, (Mon, Jan 20th)

In today's diary, I am summarizing the current state of attacks exploiting the Citrix ADC vulnerability (CVE-2019-19781), using data from our SANS ISC honeypots. Our first two posts about this topic are here: [1] [2].
  • January 20th 2020 at 04:21

Summing up CVE-2020-0601, or the Let's Decrypt vulnerability, (Thu, Jan 16th)

The last 24 hours have been extremely interesting – this month’s patch Tuesday by Microsoft brought to us 2 very interesting (and critical) vulnerabilities. The first one, the “BlueKeep”-like remote code execution vulnerability in Remote Desktop Gateway (CVE-2020-0609, CVE-2020-0610) has been kind of ignored, although it’s really critical … so I guess I’ll continue doing that in this diary (but rest assured that we are keeping an eye on the RDG vulnerability as well).
  • January 16th 2020 at 21:55

Picks of 2019 malware - the large, the small and the one full of null bytes, (Thu, Jan 16th)

Although less than two days have gone by since the latest release of MSFT patches, I find that it would actually be hard to add anything interesting to them that hasn’t been discussed before, as the most important vulnerabilities (couple of RCEs and an interesting vulnerability in CryptoAPI) seemed to be all anyone talked about for the last 24 hours. If you didn’t hear anything about it, I suggest you take a look at the ISC coverage of the CryptoAPI vulnerability[1] as well as the Patch Tuesday overview[2]. But for the rest of us, I thought today might be a good day to take a short break from this topic and take a look at what the last year brought us instead.
  • January 16th 2020 at 06:57

CVE-2020-0601 Followup, (Wed, Jan 15th)

Among the patches Microsoft released yesterday, the vulnerability in the CryptoAPI got by far the most attention. Here are some answers to questions we have received about this vulnerability. Many of these questions also came from our webcast audience (for a recording, see https://sans.org/cryptoapi-isc ). Thanks to Jake Williams for helping us with the webcast!
  • January 16th 2020 at 02:52

Microsoft Patch Tuesday for January 2020, (Tue, Jan 14th)

[Special Note: we will have a special webcast on this topic at noon ET tomorrow (Wednesday, January 15th). See https://sans.org/cryptoapi-isc ]
  • January 14th 2020 at 21:22

Citrix ADC Exploits: Overview of Observed Payloads, (Mon, Jan 13th)

If you missed Johannes' diary entry "Citrix ADC Exploits are Public and Heavily Used. Attempts to Install Backdoor" this Saturday, make sure to read it first.
  • January 13th 2020 at 10:34

ELK Dashboard and Logstash parser for tcp-honeypot Logs, (Sun, Jan 12th)

In my last two diaries, I shared a Pihole parser and dashboard to collect and view its logs in Elastic. In this diary, I'm sharing another parser and dashboard to visualize the data collected by Didier's tcp-honeypot. This is a work in progress.
  • January 12th 2020 at 23:51

Citrix ADC Exploits are Public and Heavily Used. Attempts to Install Backdoor, (Sat, Jan 11th)

IMPORTANT UPDATE: CITRIX announced that a patch will be released on January 20th for Citrix ADC 11/12 and 13. Version 10 will have to wait until January 31st. (https://support.citrix.com/article/CTX267027)
  • January 11th 2020 at 20:52

More Data Exfiltration, (Fri, Jan 10th)

Yesterday, I posted a quick analysis of a malicious document that exfiltrates data from the compromised computer[1]. Here is another one that also exfiltrates data. The malware is delivered in an ACE archive. This file format remains common in phishing campaigns because the detection rate is lower at email gateways (many of them can’t handle the file format). The archive contains a PE file called ‘Payment Copy.exe’ (SHA256: 88a6e2fd417d145b55125338b9f53ed3e16a6b27fae9a3042e187b5aa15d27aa). The payload is unknown on VT at this time.
  • January 10th 2020 at 06:38

Quick Analysis of a(nother) Maldoc, (Thu, Jan 9th)

Yesterday, one of our readers (thanks David!) submitted to us a malicious document disguised as a UPS invoice. Like David, do not hesitate to share samples with us, we like malware samples! I briefly checked the document. Nothing new, based on a classic macro, it was easy to analyze and I can give you an overview of the infection process and what kind of data can be exfiltrated.
  • January 9th 2020 at 12:15

Windows 7 - End of Life, (Thu, Jan 9th)

A quick reminder note today for everyone. Microsoft Windows 7 operating system is at End of Life on January 14, 2020. [1]
  • January 9th 2020 at 02:41

A Quick Update on Scanning for CVE-2019-19781 (Citrix ADC / Gateway Vulnerability), (Tue, Jan 7th)

For the last week, I have been monitoring our honeypot logs for evidence of exploits taking advantage of CVE-2019-19781. Currently, I have not seen an actual "exploit" being used. But there is some evidence that people are scanning for vulnerable systems. Based on some of the errors made with these scans, I would not consider them "sophisticated." There is luckily still no public exploit I am aware of. But other sources I consider credible have indicated that they were able to create a code execution exploit.
  • January 7th 2020 at 13:16

SNMP service: still opened to the public and still queried by attackers, (Mon, Jan 6th)

Simple Network Management Protocol (SNMP) is a UDP service that runs on port 161/UDP. It is used for network management purposes and should be reachable only from known locations using secure channels.
  • January 6th 2020 at 21:05