SANS Internet Storm Center, InfoCON: green

Nested .MSGs: Turtles All The Way Down, (Mon, Oct 12th)

A reader had problems extracting the attachment inside an .MSG file, and asked me for help.
  • October 12th 2020 at 17:38

Analyzing MSG Files With plugin_msg_summary, (Sun, Oct 11th)

I've written a couple of diary entries about analyzing .MSG files (Outlook messages) with my tool oledump.py, that resulted in a dedicated plugin: plugin_msg.
  • October 11th 2020 at 21:01

Open Packaging Conventions, (Sat, Oct 10th)

Office files like .docx, .xlsm, ... are Office Open XML (OOXML) files: a ZIP container containing XML files and possibly other file types.
  • October 10th 2020 at 19:17

Phishing kits as far as the eye can see, (Fri, Oct 9th)

If you’ve never delved too deep into the topic of phishing kits, you might – quite reasonably – expect that they would be the sort of tools, which are traded almost exclusively on dark web marketplaces. This is however not the case – many phishing kits (or “scam pages” or “scamas” as they are called by their creators) are quite often offered fairly openly on the indexed part of the web as well, as are the corresponding “letters” (i.e. the e-mail templates), e-mail validity checkers and other related tools. You may take a look at what is out there yourself – simply search for “scam page” along with the name of your favorite large bank or major online service on Google…
  • October 9th 2020 at 05:41

Obfuscation and Repetition, (Mon, Oct 5th)

The obfuscated payload of a maldoc submitted by a reader can be quickly extracted with the "strings method" I explained in diary entry "Quickie: String Analysis is Still Useful".
  • October 5th 2020 at 20:35

Nmap 7.90 Released, (Sun, Oct 4th)

Nmap 7.90 has been released, right after the release of Npcap 1.00.
  • October 4th 2020 at 09:45

Scanning for SOHO Routers, (Sat, Oct 3rd)

In the past 30 days we have seen lots of scanning activity looking for small office and home office (SOHO) routers, targeting Netgear devices in particular.
  • October 3rd 2020 at 20:19

Analysis of a Phishing Kit, (Fri, Oct 2nd)

Sometimes, attackers make mistakes and allow security researchers to access interesting resources. This time, it's another phishing kit that was left in the wild on the compromised server.
  • October 2nd 2020 at 07:43

IOC's turning into IOOI's, (Thu, Oct 1st)

Remember, back in the day, when the anti-virus vendors looked with derision at some of their competition, exclaiming "But they are using just SIGNATURES. Our tool detects BEHAVIOURS"? That was about 15 years ago. Fast forward to today, with many of the same vendors now selling "threat intelligence feeds" for good money, and the most frequent attributes pushed over these feeds are MD5/SHA1 hashes and IP addresses. The main thing that changed is that we now call these items "IOCs" (Indicators of Compromise) instead of "signatures", but they still mostly are what they always were: binary fingerprints that are very easy for an attacker to change.
  • October 1st 2020 at 10:40

Making sense of Azure AD (AAD) activity logs, (Thu, Oct 1st)

Chances are, you are quite familiar with the logs of your on-premises Active Directory (AD) domain controller. The corresponding Event IDs have been well documented over the years (though not thanks to Microsoft), and many blog posts have been written about how to use AD logs to detect Pass-the-Hash, brute force attempts, Kerberoasting, and more.
  • October 1st 2020 at 00:02

Scans for FPURL.xml: Reconnaissance or Not?, (Wed, Sep 30th)

A reader has been reporting an increase in scans for "FPURL.xml" against their IIS server. The file did not exist in this case, and the server returned a 404 error. Checking our honeypots, we found little to no requests for this URL. But our honeypots are currently not emulating IIS servers. These scans have been hitting IIS servers for a while, according to some other reports I found.
  • September 30th 2020 at 19:12


Managing Remote Access for Partners & Contractors, (Tue, Sep 29th)

Yesterday, I wrote a quick diary about a potential security issue that some Tyler customers faced[1]. Some people reacted to my diary with interesting comments in our forums. Two of them were interesting and deserve some review.
  • September 29th 2020 at 11:00

PowerShell Backdoor Launched from a ShellCode, (Mon, Sep 28th)

When you need to perform malicious actions on a victim's computer, the Internet is full of resources that can be reused, forked, or slightly changed to meet your requirements. After all, why reinvent the wheel if some pieces of code are available on GitHub for free? If you developed some offensive tools for good reasons (because you're a pentester, a red teamer or just doing some research), chances are high that your code will be reused.
  • September 28th 2020 at 11:51

Some Tyler Technologies Customers Targeted with The Installation of a Bomgar Client, (Mon, Sep 28th)

One of our readers, a Tyler Technologies customer, reported to us that he found this morning the Bomgar client[1] (BeyondTrust) installed on one of his servers. There is an ongoing discussion on Reddit with the same kind of reports[2].
  • September 28th 2020 at 10:10

Decoding Corrupt BASE64 Strings, (Sun, Sep 27th)

I was asked to help with the decoding of a BASE64 string that my base64dump.py tool could not handle.
  • September 27th 2020 at 18:27

Wireshark 3.2.7 Released, (Sun, Sep 27th)

Wireshark version 3.2.7 was released.
  • September 27th 2020 at 17:36

Securing Exchange Online [Guest Diary], (Fri, Sep 25th)

[This is a guest diary by Jason Dance]
  • September 25th 2020 at 13:26

Party in Ibiza with PowerShell, (Thu, Sep 24th)

Today, I would like to talk about PowerShell ISE or "Integrated Scripting Environment"[1]. This tool is installed by default on all Windows computers (besides the classic PowerShell interpreter). From a malware analysis point of view, ISE offers a key feature: an interactive debugger! It provides all the classic features that you can expect from a debugger: breakpoints, step in, step over, step out, ... and all of these features are available while you keep control of the environment to interact with the script through other PowerShell commands. When you're facing a strongly obfuscated script, you can speed up the analysis with the help of carefully placed breakpoints. Let's have a look at a practical example.
  • September 24th 2020 at 06:55

Malicious Word Document with Dynamic Content, (Wed, Sep 23rd)

Here is another malicious Word document that I spotted while hunting. "Another one?" some of our readers may ask. Indeed, but malicious documents remain a very common infection vector and you learn a lot when you analyze them. I was recently asked to talk about PowerShell (de)obfuscation techniques. When you're dealing with an incident in a corporate environment, you don't have time to investigate in depth. The incident must be resolved as soon as possible because the business must go on, and a classic sandbox analysis is performed to get the verdict: malicious or not.
  • September 23rd 2020 at 07:27

Slightly broken overlay phishing, (Mon, Sep 21st)

At the Internet Storm Center, we often receive examples of interesting phishing e-mails from our readers. Of course, this is not the only source of interesting malicious messages in our inboxes – sometimes the phishing authors “cut out the middleman” and send their creations directly to us. Last week, this was the case with a slightly unusual (and slightly broken) phishing, which tries to use legitimate pages overlaid with a fake login prompt.
  • September 21st 2020 at 10:51

Analysis of Salesforce Phishing Emails, (Sun, Sep 20th)

Over the past week, I have noticed several phishing emails linked to Salesforce asking to confirm the recipient’s email address.
  • September 20th 2020 at 19:30


A Mix of Python & VBA in a Malicious Word Document, (Fri, Sep 18th)

A few days ago, Didier wrote an interesting diary about objects embedded in an Office document[1]. I had a discussion with him about an interesting OLE file that I found. Because it used the same technique, I let Didier publish his diary first. Now, let's have a look at the document.
  • September 18th 2020 at 05:43

Suspicious Endpoint Containment with OSSEC, (Thu, Sep 17th)

When a host is compromised/infected on your network, an important step in the Incident Handling process is "containment" to prevent further infections. Placing the device into a restricted environment is definitely better than powering off the system and, probably, losing some pieces of evidence.
  • September 17th 2020 at 05:36

Do Vulnerabilities Ever Get Old? Recent "Mirai" Variant Scanning for 20 Year Old Amanda Version?, (Wed, Sep 16th)

We always say that network security is changing every day. Take a long lunch, and you may miss a critical exploit. But sometimes, time appears to stand still. We just passed 1.6 billion seconds in the Unix Epoch. Back when the Unix timestamp still had 9 digits, in the late 90s, also known as "pre Y2K", one of the servers you may have used for backups was Amanda (Advanced Maryland Automatic Network Disk Archiver). Amanda is still active and alive today; back then, Amanda 2.3 was the current version.
  • September 16th 2020 at 14:53

Not Everything About ".well-known" is Well Known, (Mon, Sep 14th)

More than 10 years ago, a first RFC was published describing the ".well-known" directory for web servers. The idea is pretty simple: provide a standard location for files that are mostly intended for signaling and automatic retrieval. Before the introduction of .well-known, these files often ended up littering the document root, robots.txt being probably the most popular example. Currently, .well-known is defined by RFC 8615 [https://tools.ietf.org/html/rfc8615].
  • September 14th 2020 at 15:49

Creating patched binaries for pentesting purposes, (Sun, Sep 13th)

When doing pentests, establishing backdoors is vital to be able to carry out lateral movement in the network or to reach the stage of action on objectives. This is usually accomplished by inviting someone to click on a commonly used executable on the computer using social engineering techniques.
  • September 14th 2020 at 03:38

Office Documents with Embedded Objects, (Sat, Sep 12th)

A reader asked about another malicious file, thinking it is an intentionally corrupt ZIP file.
  • September 12th 2020 at 13:35

What's in Your Clipboard? Pillaging and Protecting the Clipboard, (Fri, Sep 11th)

Recently I happened to notice that the Cisco AnyConnect VPN client clears the clipboard if you paste a password into it. (Note - if you know and can type any of your passwords in 2020, you should at least partially examine your life choices.) Several password managers also do this "right thing": retaining passwords in the clipboard is a great way for folks to accidentally paste that information into the worst possible place after login (say, into something that'll post that info into clear-text log files), or in the worst case allows it to get stolen post-login.
  • September 11th 2020 at 12:39

A First Look at macOS 11 Big Sur Network Traffic (New! Now with more GREASE!), (Wed, Sep 9th)

In the next couple of months, Apple will likely release its next major update to macOS, "Big Sur" or also called macOS 11. I was able to install the most recent beta version of the operating system in a virtual machine to look at some of the network traffic. This should help you get ready for any oddities you may be seeing as users upgrade.
  • September 9th 2020 at 13:45

Microsoft September 2020 Patch Tuesday, (Tue, Sep 8th)

This month we got patches for 129 vulnerabilities. Of these, 23 are critical, and according to Microsoft none of them was previously disclosed or is being exploited.
  • September 8th 2020 at 17:54

Office: About OLE and ZIP Files, (Mon, Sep 7th)

A reader asked if a particular Emotet sample was a malformed ZIP file. It is not, and I will explain why you might think it is in this diary entry.
  • September 7th 2020 at 16:41