SANS Internet Storm Center, InfoCON: green

Secure vs. cleartext protocols - couple of interesting stats, (Mon, Mar 2nd)

For a very long time, there has been a strong effort aimed toward moving all potentially sensitive network-based communications from unencrypted protocols to secure and encrypted ones. And with the recently released APWG report noting that 74% of phishing sites used HTTPS in the last quarter of 2019[1] and Apple’s supposed plan to start supporting only TLS certificates with no more than a one-year period of validity[2], I thought that this might be a good time to take a look at the current protocol landscape on the internet. Specifically, at how the support for protocols which offer cryptographic protection to data in transit has changed in relation to support of cleartext protocols in the last months.
  • March 2nd 2020 at 06:08

Hazelcast IMDG Discover Scan, (Sat, Feb 29th)

Today my honeypot has been capturing scans for the Hazelcast REST API. I checked my logs for the past 2 years and these only started today. The last vulnerability published for Hazelcast was CVE-2018-10654 and related to "There is a Hazelcast Library Java Deserialization Vulnerability in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3."[3]
  • February 29th 2020 at 18:04

Show me Your Clipboard Data!, (Fri, Feb 28th)

Yesterday I've read an article[1] about the clipboard on iPhones and how it can disclose sensitive information about the device owner. At the end of the article, the author gave a reference to an iPhone app[2] that discloses the metadata of pictures copied to the clipboard (like the GPS coordinates).
  • February 28th 2020 at 06:11

Offensive Tools Are For Blue Teams Too, (Thu, Feb 27th)

Many offensive tools can be very useful for defenders too. Indeed, if they can help to gather more visibility about the environment that must be protected, why not use them? The more information you get, the more proactive you can be, and visibility is key. A good example is the combination of a certificate transparency list[1] with a domain monitoring tool like Dnstwist[2]: you could spot domains that have been registered and associated with an SSL certificate. It's a good indicator that an attack is being prepared (like a phishing campaign).
  • February 27th 2020 at 06:46

Quick look at a couple of current online scam campaigns, (Tue, Feb 25th)

Since I was exposed to three different online scam campaigns in the last three weeks, without having to go out and search for them, I thought that today might be a good time to take a look at how some of the current online scams work.
  • February 25th 2020 at 06:16

Maldoc: Excel 4 Macros and VBA, Devil and Angel?, (Mon, Feb 24th)

Philippe Lagadec, the developer of ole-tools, pointed out something interesting about the following maldoc sample (MD5 a0457c2728923cb46e6d9797fe7d81dd): it contains both Excel 4 macros and VBA code.
  • February 24th 2020 at 18:44

Maldoc: Excel 4 Macros in OOXML Format, (Sun, Feb 23rd)

I've mentioned Excel 4 macros before, a scripting technology that predates VBA.
  • February 23rd 2020 at 21:54

Simple but Efficient VBScript Obfuscation, (Sat, Feb 22nd)

Today, it’s easy to guess if a piece of code is malicious or not. Many security solutions automatically detonate it in a sandbox. This remains quick and (most of the time still) efficient to have a first idea about the code behaviour. In parallel, many obfuscation techniques exist to avoid detection by AV products and/or make the life of malware analysts more difficult. Personally, I like to find new techniques and discover how imaginative malware developers can be when implementing new obfuscation techniques.
  • February 22nd 2020 at 12:28

Quick Analysis of an Encrypted Compound Document Format, (Fri, Feb 21st)

We like when our readers share interesting samples! Even if we have our own sources to hunt for malicious content, it’s always interesting to get fresh meat from third parties. Robert shared an interesting Microsoft Word document that I quickly analysed. Thanks to him!
  • February 21st 2020 at 07:11

Whodat? Enumerating Who "owns" a Workstation for IR, (Thu, Feb 20th)

Eventually, in almost every incident response situation, you have to start contacting the actual people who sit at the keyboard of affected stations. Often you'll want them to step back from the keyboard or log out, for either remote forensics data collection or for remediation. Or in the worst case, if you don't have remote re-imaging working in your shop, to either ship their station back to home base for re-imaging or to arrange a local resource to re-image the machine the hard way.
  • February 20th 2020 at 16:24

Discovering contents of folders in Windows without permissions, (Tue, Feb 18th)

I recently noticed an interesting side effect of the way in which Windows handles local file permissions, which makes it possible for a non-privileged user to brute-force contents of a folder for which they don’t have read access (e.g. Read or List folder contents) permissions. It is possible that it is a known technique, however as I didn’t find any write-ups on it anywhere, I thought I’d share it here.
  • February 18th 2020 at 06:17

curl and SSPI, (Mon, Feb 17th)

There's an interesting comment on Xavier's diary entry "Keep an Eye on Command-Line Browsers" (paraphrasing): a proxy with authentication will prevent wget and curl from accessing the Internet because they don't do integrated authentication.
  • February 17th 2020 at 18:09

SOAR or not to SOAR?, (Sun, Feb 16th)

Security Orchestration, Automation and Response (SOAR) allows organizations to collect data about security threats from multiple sources to automate an appropriate response to repetitive tasks. As an analyst you need to juggle and pivot several times a day between multiple tools and devices to evaluate a huge amount of information and deal with a flood of repetitive tasks such as alerts, tickets, email, threat intelligence data, etc. The end goal is to centralize everything in one location to improve analysis using captured institutionalized knowledge.
  • February 16th 2020 at 17:22

bsdtar on Windows 10, (Sat, Feb 15th)

Reading Xavier's diary entry "Keep an Eye on Command-Line Browsers", I wondered when exactly curl was introduced in Windows 10.
  • February 15th 2020 at 19:23

Keep an Eye on Command-Line Browsers, (Fri, Feb 14th)

For a few weeks, I’ve been searching for suspicious files that make use of a command-line browser like curl.exe or wget.exe in a Windows environment. Wait, you were not aware of this? Just open a cmd.exe and type 'curl.exe' on your Windows 10 host:
  • February 14th 2020 at 06:26

Auth-mageddon deferred (but not averted), Microsoft LDAP Changes now slated for Q3Q4 2020, (Thu, Feb 13th)

Good news, sort of: Microsoft has deferred their March changes to LDAP, citing the Christmas change freeze that most sensible organizations implement as their reason:
  • February 13th 2020 at 13:47

March Patch Tuesday is Coming - the LDAP Changes will Change Your Life!, (Wed, Feb 12th)

Next month Microsoft will be changing the default behaviour for LDAP: cleartext, unsigned LDAP queries against AD (over port 389) will be disabled by default - https://support.microsoft.com/en-gb/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows . You'll still be able to override that using registry keys or group policy, but the best advice is to configure all LDAP clients to use encrypted, signed LDAPS queries (over port 636).
  • February 13th 2020 at 01:21

Current PayPal phishing campaign or "give me all your personal information", (Mon, Feb 10th)

One of my colleagues sent me a new PayPal phishing e-mail today. Although it was fairly usual, as phishing e-mails go, since the campaign is still active and since it shows the current "let’s take all that we can get" mentality of the attackers quite well, I thought it was worth a short diary.
  • February 10th 2020 at 08:27
Sandbox Detection Tricks & Nice Obfuscation in a Single VBScript , (Fri, Feb 7th)

I found an interesting VBScript sample that is a perfect textbook case for training or learning purposes. It implements a nice obfuscation technique as well as many classic sandbox detection mechanisms. The script is a dropper: it extracts from its code a DLL that will be loaded if the script is running outside of a sandbox. Its current VT score is 25/57 (SHA256: 29d3955048f21411a869d87fb8dc2b22ff6b6609dd2d95b7ae8d269da7c8cc3d)[1].
  • February 7th 2020 at 07:40

Analysis of a triple-encrypted AZORult downloader, (Mon, Feb 3rd)

I recently came across an interesting malicious document. Distributed as an attachment of a run-of-the-mill malspam message, the file with a DOC extension didn’t look like anything special at first glance. However, although it does use macros as one might expect, in the end, it turned out not to be the usual simple maldoc as the following chart indicates.
  • February 3rd 2020 at 07:07
Video: Stego & Cryptominers, (Sun, Feb 2nd)

A couple of months ago, I read a blog post about malware, cryptominers and WAV file steganography: malware authors are concealing cryptominers in sound files (WAV) using steganography. Each bit of the cryptominer executable is stored as the least-significant bit of each Pulse Code Modulation value (16-bit values in this example).
  • February 2nd 2020 at 13:27

Wireshark 3.2.1 Released, (Sat, Feb 1st)

Wireshark version 3.2.1 was released.
  • February 1st 2020 at 11:31

Network Security Perspective on Coronavirus Preparedness, (Mon, Jan 27th)

With the new Coronavirus outbreak starting to dominate the news, I want to go over some cybersecurity effects of a disease like this that you should prepare for.
  • January 27th 2020 at 17:31

Is Threat Hunting the new Fad?, (Sat, Jan 25th)

Over the past two years, a lot of articles, processes, techniques and tools have been published on how to do Threat Hunting. I have been following the trend with great interest, whether it be which process works best, methods and procedures to follow and adapt to your environment, and finally logs or tools that can help the hunt.
  • January 26th 2020 at 12:08