SANS Internet Storm Center, InfoCON: green

Obfuscation and Repetition, (Mon, Oct 5th)

The obfuscated payload of a maldoc submitted by a reader can be quickly extracted with the "strings method" I explained in diary entry "Quickie: String Analysis is Still Useful".
  • October 5th 2020 at 20:35

Nmap 7.90 Released, (Sun, Oct 4th)

Nmap 7.90 is released, right after the release of Npcap 1.00.
  • October 4th 2020 at 09:45

Scanning for SOHO Routers, (Sat, Oct 3rd)

In the past 30 days there has been lots of scanning activity looking for small office and home office (SOHO) routers, targeting Netgear.
  • October 3rd 2020 at 20:19

Analysis of a Phishing Kit, (Fri, Oct 2nd)

Sometimes, attackers make mistakes and allow security researchers to access interesting resources. This time, it's another phishing kit that was left in the wild on the compromised server.
  • October 2nd 2020 at 07:43

IOC's turning into IOOI's, (Thu, Oct 1st)

Remember, back in the days, when the anti-virus vendors looked with derision at some of their competition, exclaiming "But they are using just SIGNATURES. Our tool detects BEHAVIOURS". That was like 15 years ago. Fast forward to today, with many of the same vendors now selling "threat intelligence feeds" for good money, and the most frequent attributes pushed over these feeds are MD5/SHA1 hashes and IP addresses. The main thing that changed is that we now call these items "IOCs" (Indicators of Compromise) instead of "signatures", but they still mostly are what they always were: binary fingerprints that are very easy for an attacker to change.
  • October 1st 2020 at 10:40

Making sense of Azure AD (AAD) activity logs, (Thu, Oct 1st)

Chances are, you are quite familiar with the logs of your on-premises Active Directory (AD) domain controller. The corresponding Event IDs have been well documented over the years (though not thanks to Microsoft), and many blog posts have been written about how to use AD logs to detect Pass-the-Hash, brute force attempts, Kerberoasting, and more.
  • October 1st 2020 at 00:02

Scans for FPURL.xml: Reconnaissance or Not?, (Wed, Sep 30th)

A reader has been reporting an increase in scans for "FPURL.xml" against their IIS server. The file did not exist in this case, and the server returned a 404 error. Checking our honeypots, we found little to no requests for this URL. But our honeypots are currently not emulating IIS servers. These scans have been hitting IIS servers for a while, according to some other reports I found.
  • September 30th 2020 at 19:12


Managing Remote Access for Partners & Contractors, (Tue, Sep 29th)

Yesterday, I wrote a quick diary about a potential security issue that some Tyler customers faced[1]. Some people reacted to my diary with interesting comments in our forums. Two of them were interesting and deserve some review.
  • September 29th 2020 at 11:00

PowerShell Backdoor Launched from a ShellCode, (Mon, Sep 28th)

When you need to perform malicious actions on a victim's computer, the Internet is full of resources that can be reused, forked, or slightly changed to meet your requirements. After all, why reinvent the wheel if some pieces of code are available on GitHub for free? If you developed some offensive tools for good reasons (because you're a pentester, a red teamer or just doing some research), chances are high that your code will be reused.
  • September 28th 2020 at 11:51

Some Tyler Technologies Customers Targeted with The Installation of a Bomgar Client, (Mon, Sep 28th)

One of our readers, a Tyler Technologies customer, reported to us that he found this morning the Bomgar client[1] (BeyondTrust) installed on one of his servers. There is an ongoing discussion on Reddit with the same kind of reports[2].
  • September 28th 2020 at 10:10

Decoding Corrupt BASE64 Strings, (Sun, Sep 27th)

I was asked to help with the decoding of a BASE64 string that my base64dump.py tool could not handle.
  • September 27th 2020 at 18:27

Wireshark 3.2.7 Released, (Sun, Sep 27th)

Wireshark version 3.2.7 was released.
  • September 27th 2020 at 17:36

Securing Exchange Online [Guest Diary], (Fri, Sep 25th)

[This is a guest diary by Jason Dance]
  • September 25th 2020 at 13:26

Party in Ibiza with PowerShell, (Thu, Sep 24th)

Today, I would like to talk about PowerShell ISE or "Integrated Scripting Environment"[1]. This tool is installed by default on all Windows computers (besides the classic PowerShell interpreter). From a malware analysis point of view, ISE offers a key feature: an interactive debugger! It provides all the classic features that you can expect from a debugger: breakpoints, step in, step over, step out, ... all of these features are available while you keep control of the environment to interact with the script through the help of other PowerShell commands. When you're facing a strongly obfuscated script, you could speed up the analysis with the help of carefully placed breakpoints. Let's have a look at a practical example.
  • September 24th 2020 at 06:55

Malicious Word Document with Dynamic Content, (Wed, Sep 23rd)

Here is another malicious Word document that I spotted while hunting. "Another one?" some of our readers may ask. Indeed, but malicious documents remain a very common infection vector and you learn a lot when you analyze them. I was recently asked to talk about PowerShell (de)obfuscation techniques. When you're dealing with an incident in a corporate environment, you don't have time to investigate in depth. The incident must be resolved as soon as possible because the business must go on, and a classic sandbox analysis is performed to get the verdict: malicious or not.
  • September 23rd 2020 at 07:27

Slightly broken overlay phishing, (Mon, Sep 21st)

At the Internet Storm Center, we often receive examples of interesting phishing e-mails from our readers. Of course, this is not the only source of interesting malicious messages in our inboxes – sometimes the phishing authors "cut out the middleman" and send their creations directly to us. Last week, this was the case with a slightly unusual (and slightly broken) phishing, which tries to use legitimate pages overlaid with a fake login prompt.
  • September 21st 2020 at 10:51

Analysis of a Salesforce Phishing Emails, (Sun, Sep 20th)

Over the past week, I have noticed several phishing emails linked to Salesforce asking to confirm the recipient’s email address.
  • September 20th 2020 at 19:30


A Mix of Python & VBA in a Malicious Word Document, (Fri, Sep 18th)

A few days ago, Didier wrote an interesting diary about embedded objects in an Office document[1]. I had a discussion about an interesting OLE file that I found. Because it used the same technique, I let Didier publish his diary first. Now, let's have a look at the document.
  • September 18th 2020 at 05:43

Suspicious Endpoint Containment with OSSEC, (Thu, Sep 17th)

When a host is compromised/infected on your network, an important step in the Incident Handling process is "containment" to prevent further infections. Placing the device into a restricted environment is definitely better than powering off the system and, probably, losing some pieces of evidence.
  • September 17th 2020 at 05:36

Do Vulnerabilities Ever Get Old? Recent "Mirai" Variant Scanning for 20 Year Old Amanda Version?, (Wed, Sep 16th)

We always say how network security is changing every day. Take a long lunch, and you may miss a critical exploit. But sometimes, time appears to stand still. We just passed 1.6 Billion seconds in the Unix Epoch. Back when the Unix timestamp still had 9 digits, in the late 90s also known as "pre Y2K", one of the servers you may have used for backups was Amanda (Advanced Maryland Automatic Network Disk Archiver). Still active and alive today, back then Amanda V 2.3 was current.
  • September 16th 2020 at 14:53

Not Everything About ".well-known" is Well Known, (Mon, Sep 14th)

More than 10 years ago, a first RFC was published describing the ".well-known" directory for web servers. The idea is pretty simple: provide a standard location for files that are mostly intended for signaling and automatic retrieval. Before the introduction of .well-known, these files often ended up littering the document root, robots.txt probably being the most popular example. Currently, .well-known is defined by RFC8615 [https://tools.ietf.org/html/rfc8615].
  • September 14th 2020 at 15:49

Creating patched binaries for pentesting purposes, (Sun, Sep 13th)

When doing pentests, the establishment of backdoors is vital to be able to carry out lateral movements in the network or to reach the stage of action on objectives. This is usually accomplished by inviting someone to click on a commonly used executable on the computer using social engineering techniques.
  • September 14th 2020 at 03:38

Office Documents with Embedded Objects, (Sat, Sep 12th)

A reader asked about another malicious file, thinking it is an intentionally corrupt ZIP file.
  • September 12th 2020 at 13:35

What's in Your Clipboard? Pillaging and Protecting the Clipboard, (Fri, Sep 11th)

Recently I happened to notice that the Cisco AnyConnect VPN client clears the clipboard if you paste a password into it. (Note - if you know and can type any of your passwords in 2020, you should at least partially examine your life choices). Several password managers also do this "right thing" - retaining passwords in the clipboard is a great way for folks to accidentally paste that information into the worst possible place after login (like say into something that'll post that info into clear text log files), or in the worst case allows it to get stolen post-login.
  • September 11th 2020 at 12:39

A First Look at macOS 11 Big Sur Network Traffic (New! Now with more GREASE!), (Wed, Sep 9th)

In the next couple of months, Apple will likely release its next major update to macOS, "Big Sur", also called macOS 11. I was able to install the most recent beta version of the operating system in a virtual machine to look at some of the network traffic. This should help you get ready for any oddities you may be seeing as users upgrade.
  • September 9th 2020 at 13:45

Microsoft September 2020 Patch Tuesday, (Tue, Sep 8th)

This month we got patches for 129 vulnerabilities. Of these, 23 are critical, and none of them were previously disclosed or are being exploited according to Microsoft.
  • September 8th 2020 at 17:54

Office: About OLE and ZIP Files, (Mon, Sep 7th)

A reader asked if a particular Emotet sample was a malformed ZIP file. It is not, and I will explain why you might think it is in this diary entry.
  • September 7th 2020 at 16:41

A blast from the past - XXEncoded VB6.0 Trojan, (Fri, Sep 4th)

While going over what my e-mail malware quarantine caught during this week, I found a message which made me feel rather nostalgic. Among the usual maldocs, ZIPs and ACEs, there was also an e-mail carrying an XXE file in its attachment.
  • September 4th 2020 at 07:38

Sandbox Evasion Using NTP, (Thu, Sep 3rd)

I'm still hunting for interesting (read: "malicious") Python samples. By reading my previous diaries, you know that I like to find how attackers implement obfuscation and evasion techniques. Like yesterday, I found a Python sample that creates a thread to run a malicious shellcode[1]. But before processing the shellcode, it performs suspicious network traffic:
  • September 3rd 2020 at 08:54

Python and Risky Windows API Calls, (Wed, Sep 2nd)

The Windows API is full of calls that are usually good indicators to guess the behavior of a script. In a previous diary, I wrote about some examples of "API call groups" that are clearly used together to achieve malicious activities[1]. While this technique is often seen in PowerShell scripts, here is an interesting sample in Python that uses it too. It calls the Windows API directly through 'ctypes'.
  • September 2nd 2020 at 09:14

Exposed Windows Domain Controllers Used in CLDAP DDoS Attacks, (Tue, Sep 1st)

LDAP, like many UDP-based protocols, has the ability to send responses that are larger than the request. With UDP not requiring any handshake before data is sent, these protocols make ideal amplifiers for reflective distributed denial of service attacks. Most commonly, these attacks abuse DNS, and we have talked about this in the past. But LDAP is another protocol that is often abused.
  • September 1st 2020 at 18:04