SANS Internet Storm Center, InfoCON: green
A Quick Summary of Current Reflective DNS DDoS Attacks, (Tue, Mar 17th)

DNS is still a popular protocol to amplify denial of service attacks. A rather small DNS query, sent to an open recursive resolver, can be used to trigger a large response. Over the last few years, DNS servers implemented many countermeasures to make it more difficult to launch these attacks and easier to mitigate them. It also has become easier (but not trivial) to defend against these attacks. But in the end, you still have to "buy your way out" of a denial of service attack. For smaller organizations, even an average attack can be devastating.
  • March 17th 2020 at 15:25
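The reflection pattern the diary describes (tiny query out, large answer back, to a source that never asked) is easy to spot in flow data. The following is an added example, not code from the ISC diary: it scores UDP flow summaries of the kind a NetFlow/IPFIX exporter produces, comparing DNS response bytes a host receives against the query bytes it sent. The flow records and the thresholds are constructed for illustration.

```python
"""Spot DNS reflection/amplification victims in UDP flow records.

Added example (not from the ISC diary). Each record is
(src_ip, src_port, dst_ip, dst_port, bytes, packets), the fields a
NetFlow/IPFIX summary carries. The records below are constructed.
"""
from collections import defaultdict

# Constructed UDP flow summaries. 198.51.100.7 is the spoofed "victim":
# it never sends a query but receives large answers from several resolvers.
FLOWS = [
    # (src_ip, sport, dst_ip, dport, bytes, packets)
    ("203.0.113.10", 53, "198.51.100.7", 33123, 3200, 2),
    ("203.0.113.11", 53, "198.51.100.7", 33123, 3100, 2),
    ("203.0.113.12", 53, "198.51.100.7", 33123, 3300, 2),
    ("203.0.113.13", 53, "198.51.100.7", 33123, 3000, 2),
    # Ordinary client: small queries, modest answers.
    ("192.0.2.5", 51000, "203.0.113.10", 53, 60, 1),
    ("203.0.113.10", 53, "192.0.2.5", 51000, 180, 1),
    ("192.0.2.5", 51001, "203.0.113.11", 53, 62, 1),
    ("203.0.113.11", 53, "192.0.2.5", 51001, 200, 1),
]


def dns_amplification_report(flows, min_ratio=10.0, min_resolvers=3):
    """Return {victim_ip: details} for hosts whose inbound DNS response bytes
    exceed their outbound DNS query bytes by at least min_ratio, coming from
    at least min_resolvers distinct resolvers. A host that sent no queries at
    all gets an infinite ratio, the classic spoofed-victim signature."""
    sent_query_bytes = defaultdict(int)
    recv_resp_bytes = defaultdict(int)
    resolvers = defaultdict(set)
    for src, sport, dst, dport, nbytes, _pkts in flows:
        if dport == 53:                 # query towards a resolver
            sent_query_bytes[src] += nbytes
        if sport == 53:                 # answer from a resolver
            recv_resp_bytes[dst] += nbytes
            resolvers[dst].add(src)
    report = {}
    for host, resp in recv_resp_bytes.items():
        q = sent_query_bytes.get(host, 0)
        ratio = float("inf") if q == 0 else resp / q
        if ratio >= min_ratio and len(resolvers[host]) >= min_resolvers:
            report[host] = {
                "response_bytes": resp,
                "query_bytes": q,
                "ratio": ratio,
                "resolvers": sorted(resolvers[host]),
            }
    return report


if __name__ == "__main__":
    for victim, info in dns_amplification_report(FLOWS).items():
        print(victim, info)
```

The ratio threshold is deliberately generous: a legitimate resolver answering a client's own queries rarely returns more than a few times the query size, while a reflection victim receives kilobytes for bytes it never sent.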

Desktop.ini as a post-exploitation tool, (Mon, Mar 16th)

Desktop.ini files have been part of Windows operating systems for a long time. They provide users with the option to customize the appearance of specific folders in File Explorer, such as changing their icons[1]. That is not all they are good for, however.
  • March 16th 2020 at 07:15

VPN Access and Activity Monitoring, (Sun, Mar 15th)

Because most individuals are going to have to work remotely from home, the activity that should be scrutinized over the coming weeks would be ports associated with VPN like OpenVPN (1194) or SSL VPN (TCP/UDP 443, IPsec/IKEv2 UDP 500/4500) with their associated logs, to ensure these services are accessed by the right individuals and are not abused, exploited or compromised. It will be very important that the VPN service is patched and up-to-date because there will be way more scrutiny (scanning) against these services. Capturing metrics about performance and availability will be very important to ensure mission critical systems and applications can be accessed to avoid downtime.
  • March 15th 2020 at 22:39

Phishing PDF With Incremental Updates., (Sat, Mar 14th)

Someone asked me for help with this phishing PDF.
  • March 14th 2020 at 21:54

VMware Patches for Bugs in DHCP Service (Workstation, Fusion, Horizon, VMRC), (Fri, Mar 13th)

VMware Security Advisory VMSA-2020-0004 ( https://www.vmware.com/security/advisories/VMSA-2020-0004.html ) outlines a fix for a use-after-free bug in vmnetdhcp that allows guests to execute code on the host. Affected platforms are: VMware Workstation Pro / Player, VMware Fusion Pro / Fusion, VMware Horizon Client for Windows, VMware Remote Console for Windows (VMRC for Windows)
  • March 13th 2020 at 11:39

Not all Ethernet NICs are Created Equal - Trying to Capture Invalid Ethernet Frames, (Fri, Mar 13th)

This all started with a simple request. A client had purchased some new, shiny networking gear, and in each failover pair the active unit was sending 1 "Runt" per second.
  • March 13th 2020 at 01:08

Agent Tesla Delivered via Fake Canon EOS Notification on Free OwnCloud Account, (Wed, Mar 11th)

For a few days, there have been new waves of Agent Tesla[1] landing in our mailboxes. I found one that uses two new "channels" to deliver the trojan. Today, we can potentially receive notifications and files from many types of systems or devices. I found a phishing sample that tries to hide behind a Canon EOS camera notification. Not very well designed but it’s uncommon to see this. It started with a simple email:
  • March 11th 2020 at 09:06

Microsoft Patch Tuesday March 2020, (Tue, Mar 10th)

Microsoft today released patches for a total of 117 vulnerabilities. 25 of these vulnerabilities are rated critical. None of the vulnerabilities had been disclosed before today. Microsoft also has not seen any of them exploited in the wild.
  • March 11th 2020 at 00:04

Malicious Spreadsheet With Data Connection and Excel 4 Macros, (Mon, Mar 9th)

Reader Carsten submitted an interesting malicious spreadsheet: c2af8b309a9ce65e9ac67c6d3c3acbe7.
  • March 9th 2020 at 18:19

Excel Maldocs: Hidden Sheets, (Sun, Mar 8th)

Sheets in Excel workbooks can be hidden. To unhide them, right-click a sheet tab and select "Unhide":
  • March 8th 2020 at 23:01

Chain Reactor: Simulate Adversary Behaviors on Linux, (Sat, Mar 7th)

I am an advocate for the practice of adversary emulation to ensure detection efficacy. Candidly, I don’t consider a detection production-ready until it has been validated with appropriate adversary emulation to ensure the required triggers, alerts, and escalations are met. In many cases, basic human interaction can simulate the adversary per specific scenarios, but this doesn’t scale well. Applications and services to aid in this cause are essential. A couple of years ago I discussed APTSimulator as a means by which to test and simulate the HELK, but I haven’t given proper attention to adversary emulation on Linux. To that end, Chain Reactor “is an open source framework for composing executables that can simulate adversary behaviors and techniques on Linux endpoints. Executables can perform sequences of actions like process creation, network connections and more, through the simple configuration of a JSON file.”
  • March 7th 2020 at 04:25

A Safe Excel Sheet Not So Safe, (Fri, Mar 6th)

I discovered a nice sample yesterday. This excel sheet was found in a mail flagged as “suspicious” by a security appliance. The recipient asked to release the mail from the quarantine because “it was sent from a known contact”. Before releasing such a mail from the quarantine, the process in place is to have a quick look at the file to ensure that it is safe to be released.
  • March 6th 2020 at 06:49

Will You Put Your Password in a Survey?, (Thu, Mar 5th)

Thanks to one of our readers who submitted this interesting piece of phishing. Personally, I was not aware of this technique which is interesting to bypass common anti-spam filter and reputation systems. The idea is to create a fake survey on a well-known online service.
  • March 5th 2020 at 06:40

Let's Encrypt Revoking 3 Million Certificates, (Wed, Mar 4th)

Let's Encrypt announced that they will be revoking a large number of certificates today. The revocation is due to an error in how "CAA" records were validated for these certificates.
  • March 4th 2020 at 15:31
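Because the revocation hinges on how CAA records are evaluated, it helps to see what a CA is supposed to do before issuing. The following is an added example, not Let's Encrypt's code: it implements the relevant-record lookup from RFC 8659 (check the FQDN, then climb to each parent until a non-empty CAA set is found) and the issue/issuewild decision, over a constructed in-memory zone instead of live DNS. The CA identifiers and the zone contents are illustrative.

```python
"""CAA policy evaluation as a CA must apply it before issuing.

Added example (not Let's Encrypt's or any CA's code). Implements the
RFC 8659 relevant-record lookup and issue/issuewild decision against a
constructed in-memory zone so it runs offline.
"""

# Constructed CAA data: name -> list of (flags, tag, value).
# flags bit 7 (value 128) is the "issuer critical" flag.
ZONE = {
    "example.com.": [(0, "issue", "letsencrypt.org")],
    "shop.example.com.": [(0, "issue", "digicert.com"),
                          (0, "issuewild", ";")],      # no wildcard certs at all
    "example.org.": [(128, "futuretag", "x")],          # unknown critical tag
    "example.net.": [],                                 # no CAA records
}


def parent(name):
    """Parent of an absolute name ('example.com.' -> 'com.'), None for a TLD."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else None


def relevant_caa(name, zone=ZONE):
    """Climb from `name` towards the TLD until a non-empty CAA set is found
    (RFC 8659 section 3). Returns [] if no ancestor publishes CAA."""
    n = name if name.endswith(".") else name + "."
    while n is not None:
        rrs = zone.get(n, [])
        if rrs:
            return rrs
        if len(n.rstrip(".").split(".")) <= 1:   # reached the TLD, stop
            break
        n = parent(n)
    return []


def _value_ca(value):
    """An issue value is '<ca-domain>[; parameters]'; ';' alone forbids all."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca_id, fqdn, wildcard=False, zone=ZONE):
    """True if CA `ca_id` may issue for `fqdn` (or '*.'+fqdn when wildcard)."""
    rrs = relevant_caa(fqdn, zone)
    if not rrs:
        return True                          # no policy: issuance unrestricted
    for flags, tag, _ in rrs:
        if flags & 128 and tag not in ("issue", "issuewild", "iodef"):
            return False                     # critical unknown tag: must not issue
    tags = {tag for _, tag, _ in rrs}
    # issuewild governs wildcard requests when present; otherwise issue does.
    check_tag = "issuewild" if (wildcard and "issuewild" in tags) else "issue"
    allowed = {_value_ca(v) for _, tag, v in rrs if tag == check_tag}
    if not allowed:
        return True                          # no record with the governing tag
    return ca_id.lower() in allowed


if __name__ == "__main__":
    for ca, host, wild in [("letsencrypt.org", "www.example.com", False),
                           ("digicert.com", "shop.example.com", True)]:
        print(ca, host, "wildcard" if wild else "", may_issue(ca, host, wild))
```

The climb is where validation bugs tend to hide: a CA that stops at the FQDN, or that consults a cached answer for the wrong name, can reach the opposite conclusion from the policy the domain owner actually published.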

Secure vs. cleartext protocols - couple of interesting stats, (Mon, Mar 2nd)

For a very long time, there has been a strong effort aimed toward moving all potentially sensitive network-based communications from unencrypted protocols to the secure and encrypted ones. And with the recently released APWG report noting that 74% of phishing sites used HTTPS in the last quarter of 2019[1] and Apple’s supposed plan to start supporting only TLS certificates with no more than one year period of validity[2], I thought that this might be a good time to take a look the current protocol landscape on the internet. Specifically at how the support for protocols, which offer cryptographic protection to data in transit, has changed in relation to support of cleartext protocols in the last months.
  • March 2nd 2020 at 06:08

Hazelcast IMDG Discover Scan, (Sat, Feb 29th)

Today my honeypot has been capturing scans for the Hazelcast REST API. I checked my logs for the past 2 years and these only started today. The last vulnerability published for Hazelcast was CVE-2018-10654 and related to "There is a Hazelcast Library Java Deserialization Vulnerability in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3."[3]
  • February 29th 2020 at 18:04

Show me Your Clipboard Data!, (Fri, Feb 28th)

Yesterday I've read an article[1] about the clipboard on iPhones and how it can disclose sensitive information about the device owner. At the end of the article, the author gave a reference to an iPhone app[2] that discloses the metadata of pictures copied to the clipboard (like the GPS coordinates).
  • February 28th 2020 at 06:11

Offensive Tools Are For Blue Teams Too, (Thu, Feb 27th)

Many offensive tools can be very useful for defenders too. Indeed, if they can help to gather more visibility about the environment that must be protected, why not use them? The more information you get, the more proactive you can be, and visibility is key. A good example is the combination of a certificate transparency list[1] with a domain monitoring tool like Dnstwist[2]: you could spot domains that have been registered and associated with an SSL certificate. It's a good indicator that an attack is being prepared (like a phishing campaign).
  • February 27th 2020 at 06:46
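The combination the diary suggests, look-alike generation plus a certificate transparency feed, fits in a few dozen lines. The following is an added example and not dnstwist's own code: a small permutation engine covering some of the classes dnstwist uses (omission, transposition, homoglyph, hyphenation, addition) and a matcher that runs the candidates over a list of hostnames of the kind you would pull from a CT log. The CT hostnames below are constructed, and registrable-domain extraction is simplified to the last two labels.

```python
"""Generate look-alike domains and match them against CT-observed hostnames.

Added example (not dnstwist's code). The homoglyph table is a tiny subset
of what dnstwist ships, and the CT feed excerpt is constructed.
"""

# Single-character look-alikes; dnstwist's table is far larger.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}


def permutations(domain):
    """Return the set of typosquat candidates (registrable names) for 'name.tld'."""
    name, tld = domain.lower().rsplit(".", 1)
    cands = set()
    for i in range(len(name)):                       # omission: exmple
        cands.add(name[:i] + name[i + 1:])
    for i in range(len(name) - 1):                   # transposition: exmaple
        cands.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for i, ch in enumerate(name):                    # homoglyph: examp1e
        if ch in HOMOGLYPHS:
            cands.add(name[:i] + HOMOGLYPHS[ch] + name[i + 1:])
    for i in range(1, len(name)):                    # hyphenation: exam-ple
        cands.add(name[:i] + "-" + name[i:])
    for ch in "abcdefghijklmnopqrstuvwxyz":          # addition: examplea
        cands.add(name + ch)
    cands.discard(name)
    return {c + "." + tld for c in cands if c}


def registrable(hostname):
    """Crude registrable-domain extraction (last two labels); a public suffix
    list would be needed to handle names like example.co.uk correctly."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def match_ct(domain, ct_hostnames):
    """Return {ct_hostname: reason} for CT entries that look like `domain`."""
    domain = domain.lower()
    brand = domain.rsplit(".", 1)[0]
    cands = permutations(domain)
    hits = {}
    for host in ct_hostnames:
        reg = registrable(host)
        if reg == domain:
            continue                                 # our own certificates
        if reg in cands:
            hits[host] = "permutation:" + reg
        elif brand in reg.split(".")[0]:
            hits[host] = "brand-in-name:" + reg
    return hits


# Constructed CT feed excerpt (not real log data).
CT_HOSTNAMES = [
    "www.example.com",           # legitimate
    "login.examp1e.com",         # homoglyph l -> 1
    "exmaple.com",               # transposition
    "example-login.net",         # brand embedded in a new registration
    "unrelated.org",
]

if __name__ == "__main__":
    for host, why in sorted(match_ct("example.com", CT_HOSTNAMES).items()):
        print(f"{host:24} {why}")
```

Run against a real CT stream the interesting signal is the first match for a registrable domain, because a certificate typically precedes the phishing page by hours or days.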

Quick look at a couple of current online scam campaigns, (Tue, Feb 25th)

Since I was exposed to three different online scam campaigns in the last three weeks, without having to go out and search for them, I thought that today might be a good time to take a look at how some of the current online scams work.
  • February 25th 2020 at 06:16

Maldoc: Excel 4 Macros and VBA, Devil and Angel?, (Mon, Feb 24th)

Philippe Lagadec, the developer of oletools, pointed out something interesting about the following maldoc sample (MD5 a0457c2728923cb46e6d9797fe7d81dd): it contains both Excel 4 macros and VBA code.
  • February 24th 2020 at 18:44

Maldoc: Excel 4 Macros in OOXML Format, (Sun, Feb 23rd)

I've mentioned Excel 4 macros before, a scripting technology that predates VBA.
  • February 23rd 2020 at 21:54
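Both the hidden-sheet trick from the March 8th diary and the Excel 4 macros in OOXML discussed here leave traces in the workbook's XML parts, and the following added example (not code from the diaries or from oletools) shows how to read them without opening Excel. It builds a small OOXML archive in memory so it runs offline, then reports each sheet's `state` attribute from `xl/workbook.xml` and whether its relationship target lives under `xl/macrosheets/`, where Excel stores Excel 4.0 macro sheets in the OOXML format. The sheet names and the macrosheet relationship type in the constructed sample are this example's own.

```python
"""Inspect an OOXML workbook for hidden sheets and Excel 4 macro sheets.

Added example (not from the ISC diaries or oletools). The workbook is
constructed in memory: one visible worksheet plus a veryHidden XLM sheet.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_RELS = "http://schemas.openxmlformats.org/package/2006/relationships"
NS_XLM = "http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet"


def build_sample_workbook():
    """Constructed sample archive; only the parts the inspector reads are included."""
    workbook = f"""<?xml version="1.0" encoding="UTF-8"?>
<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_R}">
  <sheets>
    <sheet name="Invoice" sheetId="1" r:id="rId1"/>
    <sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>
  </sheets>
</workbook>"""
    rels = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{NS_RELS}">
  <Relationship Id="rId1" Type="{NS_R}/worksheet" Target="worksheets/sheet1.xml"/>
  <Relationship Id="rId2" Type="{NS_XLM}" Target="macrosheets/sheet1.xml"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/_rels/workbook.xml.rels", rels)
        z.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{NS_MAIN}"/>')
        z.writestr("xl/macrosheets/sheet1.xml", f'<macrosheet xmlns="{NS_MAIN}"/>')
    return buf.getvalue()


def inspect_sheets(xlsx_bytes):
    """Return one dict per <sheet> with its visibility state and part target."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
    # r:id on each <sheet> points into workbook.xml.rels; resolve to the part path.
    targets = {r.get("Id"): r.get("Target")
               for r in rels.iter(f"{{{NS_RELS}}}Relationship")}
    results = []
    for sheet in wb.iter(f"{{{NS_MAIN}}}sheet"):
        target = targets.get(sheet.get(f"{{{NS_R}}}id"), "")
        results.append({
            "name": sheet.get("name"),
            "state": sheet.get("state", "visible"),   # visible | hidden | veryHidden
            "target": target,
            "xlm_macro": "macrosheets/" in target,
        })
    return results


def suspicious(results):
    """Sheets worth a closer look: any XLM macro sheet, or any non-visible sheet."""
    return [r for r in results
            if r["xlm_macro"] or r["state"] in ("hidden", "veryHidden")]


if __name__ == "__main__":
    for r in inspect_sheets(build_sample_workbook()):
        print(r)
```

A `veryHidden` sheet cannot be unhidden from the Excel UI at all (only through VBA or by editing the XML), which is why it pairs so well with a macro sheet in malicious documents.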

Simple but Efficient VBScript Obfuscation, (Sat, Feb 22nd)

Today, it’s easy to guess if a piece of code is malicious or not. Many security solutions automatically detonate it in a sandbox. This remains quick and (most of the time still) efficient to have a first idea about the code behaviour. In parallel, many obfuscation techniques exist to avoid detection by AV products and/or make the life of malware analysts more difficult. Personally, I like to find new techniques and discover how imaginative malware developers can be to implement new obfuscation techniques.
  • February 22nd 2020 at 12:28

Quick Analysis of an Encrypted Compound Document Format, (Fri, Feb 21st)

We like when our readers share interesting samples! Even if we have our own sources to hunt for malicious content, it’s always interesting to get fresh meat from third parties. Robert shared an interesting Microsoft Word document that I quickly analysed. Thanks to him!
  • February 21st 2020 at 07:11

Whodat? Enumerating Who "owns" a Workstation for IR, (Thu, Feb 20th)

Eventually in almost every incident response situation, you have to start contacting the actual people who sit at the keyboard of affected stations. Often you'll want them to step back from the keyboard or logout, for either remote forensics data collection or for remediation. Or in the worst case, if you don't have remote re-imaging working in your shop, to either ship their station back to home base for re-imaging or to arrange a local resource to re-image the machine the hard way.
  • February 20th 2020 at 16:24

Discovering contents of folders in Windows without permissions, (Tue, Feb 18th)

I recently noticed an interesting side effect of the way in which Windows handles local file permissions, which makes it possible for a non-privileged user to brute-force contents of a folder for which they don’t have read access (e.g. Read or List folder contents) permissions. It is possible that it is a known technique, however as I didn’t find any write-ups on it anywhere, I thought I’d share it here.
  • February 18th 2020 at 06:17

curl and SSPI, (Mon, Feb 17th)

There's an interesting comment on Xavier's diary entry "Keep an Eye on Command-Line Browsers" (paraphrasing): a proxy with authentication will prevent wget and curl from accessing the Internet because they don't do integrated authentication.
  • February 17th 2020 at 18:09

SOAR or not to SOAR?, (Sun, Feb 16th)

Security Orchestration, Automation and Response (SOAR) allows organizations to collect data about security threats from multiple sources to automate an appropriate response on repetitive tasks. As an analyst you need to juggle and pivot several times a day between multiple tools and devices to evaluate a huge amount of information and deal with a flood of repetitive tasks such as alerts, tickets, email, threat intelligence data, etc. The end goal is to centralize everything in one location to improve analysis using captured institutionalized knowledge.
  • February 16th 2020 at 17:22

bsdtar on Windows 10, (Sat, Feb 15th)

Reading Xavier's diary entry "Keep an Eye on Command-Line Browsers", I wondered when exactly curl was introduced in Windows 10?
  • February 15th 2020 at 19:23

Keep an Eye on Command-Line Browsers, (Fri, Feb 14th)

For a few weeks, I have been searching for suspicious files that make use of a command line browser like curl.exe or wget.exe in a Windows environment. Wait, you were not aware of this? Just open a cmd.exe and type ‘curl.exe’ on your Windows 10 host:
  • February 14th 2020 at 06:26