SANS Internet Storm Center, InfoCON: green

Agent Tesla hidden in a historical anti-malware tool, (Thu, Feb 11th)

While going through attachments of e-mails, which were caught in my e-mail quarantine since the beginning of February, I found an ISO file with what turned out to be a sample of the Agent Tesla infostealer. That, by itself, would not be that unusual, but the Agent Tesla sample turned out to be unconventional in more ways than one...
  • February 11th 2021 at 07:17

Microsoft February 2021 Patch Tuesday, (Tue, Feb 9th)

This month we got patches for 56 vulnerabilities. Of these, 11 are critical, 1 is being exploited and 6 were previously disclosed.
  • February 9th 2021 at 20:20


Quickie: tshark & Malware Analysis, (Mon, Feb 8th)

The following screenshot drew my attention when I read Brad's diary entry "Excel spreadsheets push SystemBC malware":
  • February 8th 2021 at 19:08

YARA v4.0.5, (Sat, Feb 6th)

YARA version 4.0.5 was released.
  • February 6th 2021 at 22:50

VBA Macro Trying to Alter the Application Menus, (Fri, Feb 5th)

Who remembers the worm Melissa[1]? It started to spread in March 1999! In information security, it looks like speaking about prehistory but I spotted a VBA macro that tried to use the same defensive technique as Melissa. Yes, back in 1999, attackers already tried to use techniques to defeat users' protections. The sample macro has a low VT score (7/44) (SHA256:386e1a60011ff0a818adff8c638005ec5015930c1b35d06cacc11f3ab53725d0)[2].
  • February 5th 2021 at 06:40


Abusing Google Chrome extension syncing for data exfiltration and C&C, (Thu, Feb 4th)

I had a pleasure (or not) of working on another incident where, among other things, attackers were using a pretty novel way of exfiltrating data and using that channel for C&C communication. Some of the methods observed in analyzed code were pretty scary – from a defender’s point of view, as you will see further below in this diary.
  • February 4th 2021 at 10:04

New Example of XSL Script Processing aka "Mitre T1220", (Tue, Feb 2nd)

Last week, Brad posted a diary about TA551[1]. A few days later, one of our readers submitted another sample belonging to the same campaign. Brad had a look at the traffic so I decided to have a look at the macro, not because the code is heavily obfuscated but because the data are spread across different locations in the Word document.
  • February 2nd 2021 at 08:06

Taking a Shot at Reverse Shell Attacks, CNC Phone Home and Data Exfil from Servers, (Mon, Feb 1st)

Over the last number of weeks (after the SolarWinds Orion news) there's been a lot of discussion on how to detect if a server-based application is compromised. The discussions have ranged from buying new sophisticated tools, auditing the development pipeline, to diffing patches. But really, for me it's as simple as saying "should my application server really be able to connect to any internet host on any protocol". Let's take it one step further and say "should my application server really be able to connect to arbitrary hosts on tcp/443 or udp/53 (or any other protocol)". And when you phrase it that way, the answer really should be a simple "no".
  • February 1st 2021 at 14:17
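The "should my application server be able to reach arbitrary hosts on tcp/443 or udp/53" question turns into a mechanical check once the answer is written down as an allowlist. The script below is an added example, not code from the diary above: it encodes an assumed egress policy for an application-server subnet (internal resolver only on udp/53, outbound proxy only on tcp/443) and runs it over constructed flow records to flag anything else, including tcp/443 and udp/53 to hosts outside the allowlist. The subnets, hosts and the "ts src dst proto dport" record format are all assumptions.

```python
"""Flag outbound connections from application servers that fall outside an
explicit egress allowlist. Added example; the subnets, hosts and the log
format are assumptions, not taken from the diary above."""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "proto dport dst")

# Assumed egress policy: the app-server subnet may only reach the internal
# resolver on udp/53 and the outbound web proxy on tcp/443; everything else
# it tries to reach is a finding, including tcp/443 to arbitrary hosts.
POLICY = {
    ipaddress.ip_network("10.0.1.0/24"): [
        Rule("udp", 53, ipaddress.ip_network("10.0.0.53/32")),
        Rule("tcp", 443, ipaddress.ip_network("10.0.0.10/32")),
    ],
}


def parse_line(line):
    """Parse one constructed flow record: '<ts> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return (ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
            proto.lower(), int(dport))


def classify(src, dst, proto, dport, policy=POLICY):
    """Return None if the flow is allowed, else a short reason string."""
    rules = next((r for net, r in policy.items() if src in net), None)
    if rules is None:
        return "no egress policy for source"
    for rule in rules:
        if rule.proto == proto and rule.dport == dport and dst in rule.dst:
            return None
    return f"{proto}/{dport} to {dst} not in allowlist"


def find_violations(lines, policy=POLICY):
    """Run the policy over flow records; return (ts, src, dst, proto, dport, reason)."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = parse_line(line)
        reason = classify(src, dst, proto, dport, policy)
        if reason:
            findings.append((ts, str(src), str(dst), proto, dport, reason))
    return findings


# Constructed sample flows (not real traffic). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for "the internet".
SAMPLE_FLOWS = """\
# ts src dst proto dport
1612180000 10.0.1.15 10.0.0.53 udp 53
1612180001 10.0.1.15 10.0.0.10 tcp 443
1612180002 10.0.1.15 8.8.8.8 udp 53
1612180003 10.0.1.15 203.0.113.7 tcp 443
1612180004 10.0.1.22 198.51.100.9 tcp 4444
""".splitlines()

if __name__ == "__main__":
    for finding in find_violations(SAMPLE_FLOWS):
        print(*finding)
```

The same allowlist is what you would push into the host firewall or the segment ACL; running it over flow logs first tells you what would break (and what is already phoning home) before you enforce it.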

Wireshark 3.4.3 Released, (Sun, Jan 31st)

Wireshark version 3.4.3 was released.
  • January 31st 2021 at 10:11

YARA v4.0.4, (Sun, Jan 31st)

YARA version 4.0.4 was released (right after version 4.0.3).
  • January 31st 2021 at 10:06

PacketSifter as Network Parsing and Telemetry Tool, (Sat, Jan 30th)

I saw PacketSifter[1], a new package on Github, and figured I would give it a try to test its functionality. It is described as "PacketSifter is a tool/script that is designed to aid analysts in sifting through a packet capture (pcap) to find noteworthy traffic. Packetsifter accepts a pcap as an argument and outputs several files." It is less than a month old, initial release 31 Dec 2020 and last update 22 days ago.
  • January 30th 2021 at 14:13

Sensitive Data Shared with Cloud Services, (Fri, Jan 29th)

Yesterday was the data protection day in Europe[1]. I was not on duty so I’m writing this quick diary a bit late. Back in 2020, the Nitro PDF service suffered from a data breach that impacted many companies around the world. This popular service allows you to create, edit and sign PDF documents. A few days ago, the database leak was released in the wild[2]: 14GB compressed, 77M credentials.
  • January 29th 2021 at 06:56

Emotet vs. Windows Attack Surface Reduction, (Thu, Jan 28th)

Emotet malware in the form of malicious Word documents continued to make the rounds over the past weeks, and the samples initially often had pretty poor anti-virus coverage (VirusTotal). The encoding used by the maldoc is very similar to what Didier Stevens analyzed in his recent diary, and the same method can be used to extract the mal-code from the current Emotet docs.
  • January 28th 2021 at 00:02

TriOp - tool for gathering (not just) security-related data from Shodan.io (tool drop), (Wed, Jan 27th)

If you’re a regular reader of our Diaries, you may remember that over the last year and a half, a not insignificant portion of my posts has been devoted to discussing some of the trends in internet-connected systems. We looked at changes in the number of internet-facing machines affected by BlueKeep[1], SMBGhost[2], Shitrix[3] and several other vulnerabilities [4] as well as at the changes in TLS 1.3 support over time[5] and several other areas [6,7]. Today, we’re going to take a look at the tool that I’ve used to gather the data on which the Diaries were based from Shodan.io.
  • January 27th 2021 at 09:51

Fun with NMAP NSE Scripts and DOH (DNS over HTTPS), (Mon, Jan 25th)

DOH (DNS over HTTPS) has been implemented into the various browsers over the last year or so, and there's a fair amount of support for it on public DNS services. Because it's encrypted and over TCP, the mantra of "because privacy" has carried the day it looks like. But why do network and system admins hate it so?
  • January 25th 2021 at 17:49


Video: Doc & RTF Malicious Document, (Sun, Jan 24th)

I made a video for my diary entry "Doc & RTF Malicious Document". And I show a new feature of my tool re-search.py, that helps with filtering URLs found in OOXML files.
  • January 24th 2021 at 15:05

CyberChef: Analyzing OOXML Files for URLs, (Sat, Jan 23rd)

In diary entry "Doc & RTF Malicious Document" I start analyzing a malicious Word document with my tools.
  • January 23rd 2021 at 09:39

Another File Extension to Block in your MTA: .jnlp, (Fri, Jan 22nd)

When hunting, one thing that I like to learn is how attackers can be imaginative at deploying new techniques. I spotted some emails that had suspicious attachments based on the ‘.jnlp’ extension. I’m pretty sure that many people don’t know what their purpose is and, if you don’t know them, you don’t have a look at them in your logs, SIEM, ... That makes them a good candidate to deliver malicious code!
  • January 22nd 2021 at 08:59

Powershell Dropping a REvil Ransomware, (Thu, Jan 21st)

I spotted a piece of Powershell code that deserved some investigations because it makes use of RunSpaces[1]. The file (SHA256:e1e19d637e6744fedb76a9008952e01ee6dabaecbc6ad2701dfac6aab149cecf) has a very low VT score: only 1/59![2].
  • January 21st 2021 at 10:13

Gordon for fast cyber reputation checks, (Tue, Jan 19th)

Gordon quickly provides threat & risk information about observables
  • January 19th 2021 at 03:15


Doc & RTF Malicious Document, (Mon, Jan 18th)

A reader pointed us to a malicious Word document.
  • January 18th 2021 at 06:48

New Release of Sysmon Adding Detection for Process Tampering, (Sun, Jan 17th)

Version 13.01 of Sysmon was released, a Windows Sysinternals tool to monitor and log system activity.
  • January 17th 2021 at 11:53

Obfuscated DNS Queries, (Fri, Jan 15th)

This week I started seeing some URLs with /dns-query?dns in my honeypot[1][2]. The queries obviously did not look like standard DNS queries; this got me curious and I then proceeded to investigate to determine what these DNS queries were trying to resolve.
  • January 16th 2021 at 17:35
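A `GET /dns-query?dns=...` request is the DoH GET form from RFC 8484: the `dns` parameter is an ordinary wire-format DNS message, base64url-encoded with the `=` padding removed, which is why it does not look like a DNS query at first glance. The script below is an added example, not code from the diary above, showing how to pull the parameter out of such a request line and decode the question it carries (transaction ID, flags, QNAME, QTYPE). The request lines it processes are constructed here from `build_query`; they are not the honeypot's own data, and the QTYPE name table is only a convenience subset.

```python
"""Decode the base64url-encoded DNS message carried in a DoH GET request
(/dns-query?dns=..., RFC 8484) back into the question it asks. Added
example; the request lines below are constructed, not the honeypot's."""
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# Convenience subset of QTYPE values; anything else is reported numerically.
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
               16: "TXT", 28: "AAAA", 33: "SRV", 65: "HTTPS", 255: "ANY"}


def b64url_decode(s):
    """RFC 8484 omits '=' padding in the dns= value; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_query(qname, qtype=1, txid=0):
    """Wire-format DNS query (header + one question), used here to construct samples.
    RFC 8484 section 4.1 says DoH clients SHOULD use ID 0, which is itself a tell."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack(">HH", qtype, 1)  # IN class


def read_name(msg, off):
    """Read a length-prefixed label sequence starting at offset `off`."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:  # compression pointer: not valid in a bare question name
            raise ValueError("unexpected compression pointer in question name")
        labels.append(msg[off:off + n].decode("ascii", "replace"))
        off += n


def decode_dns_message(msg):
    """Parse the 12-byte header and the single question section."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    if qd != 1:
        raise ValueError(f"expected one question, got {qd}")
    qname, off = read_name(msg, 12)
    qtype, qclass = struct.unpack(">HH", msg[off:off + 4])
    return {"id": txid, "flags": flags, "qname": qname, "qtype": qtype,
            "qtype_name": QTYPE_NAMES.get(qtype, str(qtype)), "qclass": qclass}


def decode_doh_request(url):
    """Pull the 'dns' parameter out of a DoH GET path/URL and decode it."""
    params = parse_qs(urlsplit(url).query)
    if "dns" not in params:
        raise ValueError("no dns= parameter")
    return decode_dns_message(b64url_decode(params["dns"][0]))


# Constructed honeypot-style request lines (not the original diary's data).
SAMPLE_REQUESTS = [
    "GET /dns-query?dns=" + b64url_encode(build_query("example.com", 1)) + " HTTP/1.1",
    "GET /dns-query?dns=" + b64url_encode(build_query("example.net", 16)) + " HTTP/1.1",
]


def triage(request_lines):
    """Decode the dns= payload of each 'METHOD PATH VERSION' request line."""
    return [decode_doh_request(line.split()[1]) for line in request_lines]


if __name__ == "__main__":
    for q in triage(SAMPLE_REQUESTS):
        print(q["qname"], q["qtype_name"], "id=%d" % q["id"])
```

The same decoder works on the POST form of DoH (body is the raw wire-format message, no base64) by calling `decode_dns_message` on the body directly; a question name that is not a hostname at all (long random labels, high-entropy TXT lookups) is the usual sign the "DNS" is really a tunnel.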

Dynamically analyzing a heavily obfuscated Excel 4 macro malicious file, (Thu, Jan 14th)

Recently I had to analyze an Excel malicious file that was caught in the wild, in a real attack. The file was used in a spear phishing attack where a victim was enticed into opening the file with Excel and, of course, enabling macros.
  • January 14th 2021 at 10:16

Microsoft January 2021 Patch Tuesday, (Tue, Jan 12th)

This month we got patches for 83 vulnerabilities. Of these, 10 are critical, one was previously disclosed, and one is already being exploited according to Microsoft.
  • January 12th 2021 at 18:45

Using the NVD Database and API to Keep Up with Vulnerabilities and Patches - Tool Drop: CVEScan (Part 3 of 3), (Mon, Jan 11th)

Now, with a firm approach to building an inventory and using the NVD API (https://isc.sans.edu/forums/diary/Using+the+NIST+Database+and+API+to+Keep+Up+with+Vulnerabilities+and+Patches+Part+1+of+3/26958/ and https://isc.sans.edu/forums/diary/Using+the+NIST+Database+and+API+to+Keep+Up+with+Vulnerabilities+and+Patches+Playing+with+Code+Part+2+of+3/26964/), for any client I typically create 4 inventories:
  • January 11th 2021 at 16:27