SANS Internet Storm Center, InfoCON: green

Hunting phishing websites with favicon hashes, (Mon, Apr 19th)

HTTP favicons are often used by bug bounty hunters and red teamers to discover vulnerable services in a target AS or IP range. It makes sense – since different tools (and sometimes even different versions of the same tool) use different favicons[1] and services such as Shodan calculate MurmurHash values[2] for all favicons they discover and let us search through them, it can be quite easy to find specific services and devices this way.
  • April 19th 2021 at 09:05

Decoding Cobalt Strike Traffic, (Sun, Apr 18th)

In diary entry "Example of Cleartext Cobalt Strike Traffic (Thanks Brad)" I share a capture file I found with unencrypted Cobalt Strike traffic. The traffic is unencrypted since the malicious actors used a trial version of Cobalt Strike.
  • April 18th 2021 at 11:42

Querying Spamhaus for IP reputation, (Fri, Apr 16th)

Way back in 2018 I posted a diary describing how I have been using the Neutrino API to do IP reputation checks. In the subsequent 2+ years that Python script has evolved somewhat, which hopefully I can go over at some point in the future, but for now I would like to show you the most recent capability I added to that script.
  • April 17th 2021 at 03:07
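A Spamhaus reputation check is a DNS lookup: reverse the octets of the IPv4 address, append the list zone, and interpret the A record that comes back (NXDOMAIN means "not listed"). The following is an added example and not the diary author's script; the zone name and the return-code table are the values Spamhaus documents for its public ZEN mirrors, and zen_lookup() is the only function that touches the network.

```python
"""Spamhaus ZEN (DNSBL) lookup helpers. Added example, not the diary's code."""
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"

# Documented ZEN return codes (the A record in the answer) and their meaning.
ZEN_CODES = {
    "127.0.0.2": "SBL (Spamhaus Block List)",
    "127.0.0.3": "SBL CSS (snowshoe / compromised hosts)",
    "127.0.0.4": "XBL (exploited or infected host)",
    "127.0.0.5": "XBL (exploited or infected host)",
    "127.0.0.6": "XBL (exploited or infected host)",
    "127.0.0.7": "XBL (exploited or infected host)",
    "127.0.0.9": "SBL DROP/EDROP",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}
# These answers are not listings: they report a problem with the query itself.
ZEN_ERRORS = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query sent via a public/open resolver (not allowed)",
    "127.255.255.255": "excessive query volume",
}


def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """DNSBL convention: octets reversed, then the zone.
    192.0.2.1 -> 1.2.0.192.zen.spamhaus.org"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def decode_answer(answers) -> dict:
    """Translate the A records of a DNSBL answer into listings and errors."""
    listings, errors = [], []
    for a in answers:
        if a in ZEN_ERRORS:
            errors.append(f"{a}: {ZEN_ERRORS[a]}")
        elif a in ZEN_CODES:
            listings.append(f"{a}: {ZEN_CODES[a]}")
        else:
            listings.append(f"{a}: undocumented return code")
    return {"listed": bool(listings), "listings": listings, "errors": errors}


def zen_lookup(ip: str) -> dict:
    """Live query (needs DNS). Private/loopback addresses are never listed,
    so they are skipped before any lookup; NXDOMAIN means 'not listed'."""
    addr = ipaddress.ip_address(ip)
    if addr.is_private or addr.is_loopback:
        return {"listed": False, "listings": [], "errors": ["not a public IP, skipped"]}
    try:
        _, _, addrs = socket.gethostbyname_ex(dnsbl_query_name(ip))
    except socket.gaierror:                 # NXDOMAIN: not on any ZEN list
        return {"listed": False, "listings": [], "errors": []}
    return decode_answer(addrs)


if __name__ == "__main__":
    # Spamhaus documents 127.0.0.2 as the test address that is always listed.
    print(zen_lookup("127.0.0.2"))
    print(zen_lookup("192.0.2.1"))
```

Two caveats worth building in: Spamhaus refuses queries that arrive through large public resolvers (the 127.255.255.254 answer), so the script must use the organisation's own resolver or a Data Query Service key; and a PBL hit only says the address is in a dynamic/end-user range, which is a policy signal, not evidence of malicious activity.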

HTTPS Support for All Internal Services, (Fri, Apr 16th)

SSL/TLS has been in the spotlight for a while, with deprecated protocols[1] and free certificates for everybody[2]. The landscape is changing to push more and more people to switch to encrypted communications, and this is good! As Johannes explained yesterday[3], Chrome 90 will now prepend "https://" by default in the address bar. Yesterday's diary covered deploying your own internal CA to generate certificates and switch everything to secure communications. This is a good point. By deploying your own root CA, you also add an extra string to your security bow: SSL/TLS interception and inspection.
  • April 16th 2021 at 05:42

Why and How You Should be Using an Internal Certificate Authority, (Thu, Apr 15th)

Yesterday, Google released Chrome 90, and with that "HTTPS" is becoming the default protocol if you enter just a hostname into the URL bar without specifying the protocol [1]. This is the latest indication that the EFF's "HTTPS Everywhere" initiative is succeeding [2][3]. Browsers are more and more likely to push users to encrypted content. While I applaud this trend, it does have a downside for small internal sites that often make it difficult to configure proper certificates. In addition, browsers are becoming pickier as to what certificates they accept. For example, in the "good old days", I could set up internal certificates that were valid for 10 years, not having to worry about them expiring. Currently, browsers will reject certificates valid for more than 13 months (398 days) [4].
  • April 15th 2021 at 12:56

Microsoft April 2021 Patch Tuesday, (Tue, Apr 13th)

This month's release covers 114 vulnerabilities, 19 of them rated Critical; 4 were previously disclosed and 1 is being exploited.
  • April 13th 2021 at 18:56

No Python Interpreter? This Simple RAT Installs Its Own Copy, (Fri, Apr 9th)

For a while now, I have been keeping an eye on malicious Python code targeting Windows environments[1][2]. While Python is becoming more and more popular, attackers face a major issue: Python is not installed by default on most Windows operating systems. It is often available on the systems of developers, system/network administrators, or security teams. As the proverb says, "You are never better served than by yourself": I found a simple Python backdoor that installs its own copy of the Python interpreter!
  • April 9th 2021 at 06:26

Simple Powershell Ransomware Creating a 7Z Archive of your Files, (Thu, Apr 8th)

While some ransomware families are based on PE files with complex features, it is easy to write quick-and-dirty ransomware in other languages like PowerShell. I found this sample while hunting. I'm pretty confident that this script is a proof-of-concept or still under development because it does not contain all the required components and includes some debugging information.
  • April 8th 2021 at 07:35

WiFi IDS and Private MAC Addresses, (Wed, Apr 7th)

I recently came across "nzyme" [1], a WiFi Intrusion Detection System (IDS). Nzyme does focus on WiFi-specific attacks, so it does not care about payload but inspects the 802.11 headers that escape traditional, wired IDSs. It was not terribly hard to get it running on a Raspberry Pi using a Panda USB WiFi adapter.
  • April 7th 2021 at 12:09

Malspam with Lokibot vs. Outlook and RFCs, (Tue, Apr 6th)

A couple of weeks ago, my phishing/spam trap caught an interesting e-mail carrying what turned out to be a sample of the Lokibot infostealer.
  • April 6th 2021 at 16:31

YARA and CyberChef: ZIP, (Sun, Apr 4th)

When processing the result of "unzip" in CyberChef, for example with YARA rules, all files contained inside the ZIP file are concatenated together.
  • April 4th 2021 at 20:01

Video: YARA and CyberChef, (Sat, Apr 3rd)

In diary entry "YARA and CyberChef", I explain how to use YARA rules together with CyberChef.
  • April 4th 2021 at 14:48

C2 Activity: Sandboxes or Real Victims?, (Fri, Apr 2nd)

In my last diary[1], I mentioned that I was able to access screenshots exfiltrated by the malware sample. During the first analysis, there were approximately 460 JPEG files available. I continued to keep an eye on the host and the number slightly increased, but not by much. My diary's conclusion was that the malware looks popular given the number of screenshots, but wait… Are we sure that all those screenshots are real victims? I executed the malware in my sandbox, and probably other automated analysis tools were used to detonate the malware in a sandbox. This question popped up in my mind: how can we get an idea of the ratio of automated tools vs. real victims?
  • April 2nd 2021 at 05:13

April 2021 Forensic Quiz, (Thu, Apr 1st)

2021-04-01 21:41 UTC - UPDATE: The domain for the AD environment used in this quiz has been changed to clockwater.net. We will still accept the original domain listed in the answers from any of the submissions. We already have 10 submissions as I write this. Thanks to everyone who has participated or will still take part in this quiz!
  • April 1st 2021 at 21:43

Quick Analysis of a Modular InfoStealer, (Wed, Mar 31st)

This morning, an interesting phishing email landed in my spam trap. The mail was written in Spanish and, as usual, asked the recipient to urgently process the attached document. The filename was "AVISO.001" (this extension is used by multi-volume archives). The archive contained a PE file with a very long name: AVISO11504122921827776385010767000154304736120425314155656824545860211706529881523930427.exe (SHA256:ff834f404b977a475ef56f1fa81cf91f0ac7e07b8d44e0c224861a3287f47c8c). The file is unknown on VT at this time, so I did a quick analysis.
  • March 31st 2021 at 08:34

Old TLS versions - gone, but not forgotten... well, not really "gone" either, (Tue, Mar 30th)

With the recent official deprecation of TLS 1.0 and TLS 1.1 by RFC 8996[1], a step, which has long been in preparation and which was preceded by many recommendations to discontinue the use of both protocols (as well as by the removal of support for them from all mainstream web browsers[2]), one might assume that the use of old TLS versions on the internet would have significantly decreased over the last few months. This has however not been the case.
  • March 30th 2021 at 08:06

Jumping into Shellcode, (Mon, Mar 29th)

Malware analysis is exciting because you never know what you will find. In previous diaries[1], I already explained why it is important to look at groups of interesting Windows API calls to detect certain behaviors. The classic example is code injection. Usually, it is based on something like this:
  • March 29th 2021 at 06:14

TCPView v4.0 Released, (Sun, Mar 28th)

TCPView is a Sysinternals tool that displays information about the TCP and UDP endpoints on a system. It's like netstat, but with a GUI.
  • March 28th 2021 at 19:24

Malware Analysis with elastic-agent and Microsoft Sandbox, (Fri, Mar 26th)

Microsoft describes the format as follows: "Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. [...] Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the .wsb file extension."[6]
  • March 27th 2021 at 17:41

Office macro execution evidence, (Fri, Mar 26th)

Microsoft Office Macros continue to be the security nightmare that they have been for the past 3 decades. System and security admins everywhere continue to try to protect their users from prevalent macro malware, but they find Microsoft's tooling often less than helpful.
  • March 26th 2021 at 00:02

Submitting pfSense Firewall Logs to DShield, (Thu, Mar 25th)

In my previous diaries, I wrote about pfSense firewalls [1], [2]. I hope the diaries have given some insight to current pfSense users, and also inspire individuals who have yet to deploy any form of information security mechanism in their home/personal networks to do so. At the SANS Internet Storm Center, we welcome interested participants to submit firewall logs to DShield [3]. In this diary entry, I would like to share how to do so if you are using a pfSense firewall. I also highlight some minor issues I discovered when I was trying to set up the DShield pfSense client, and how to resolve them so you can send your logs to DShield successfully. Please remember to do a config backup on your pfSense firewall before changing anything, and test the changes in a test network before deploying them into the production environment. At the time of writing, all configuration and testing were done on pfSense 2.5.0-RELEASE Community Edition.
  • March 25th 2021 at 00:52

Nim Strings, (Mon, Mar 22nd)

On Tuesday's Stormcast, Johannes talked about malware written in the Nim Programming language.
  • March 22nd 2021 at 22:55


Video: Finding Metasploit & Cobalt Strike URLs, (Sun, Mar 21st)

I received a couple of questions about my diary entry "Finding Metasploit & Cobalt Strike URLs", so I made a video that shows the method and explains the checksum calculation in detail.
  • March 21st 2021 at 00:03
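The checksum the video walks through is "checksum8": the sum of the byte values of the request path modulo 256. Metasploit's reverse_http(s) stagers only serve a stage when that sum equals one of a few fixed values (92 for the Windows stager, 88 Java, 80 Python, 98 for an existing session, 95 for init-and-connect), and Cobalt Strike's HTTP stager uses 92 for the x86 stage request and 93 for x64. The following is an added example, not Didier's code or the video's: it implements the check, classifies URLs from a log, and shows how a stager URI is brute-forced the way Metasploit generates them. The sample URLs are constructed.

```python
"""checksum8 of a URI path, as used by Metasploit reverse_http(s) stagers and
Cobalt Strike HTTP stagers. Added example, not code from the diary or video."""
import random
import re
import string
from urllib.parse import urlsplit

# Values from Metasploit's rex/payloads/meterpreter/uri_checksum module.
METASPLOIT_CHECKSUMS = {
    80: "URI_CHECKSUM_INITP (Python meterpreter)",
    88: "URI_CHECKSUM_INITJ (Java meterpreter)",
    92: "URI_CHECKSUM_INITW (Windows meterpreter)",
    95: "URI_CHECKSUM_INIT_CONN",
    98: "URI_CHECKSUM_CONN (existing session)",
}
# Cobalt Strike HTTP stager: 92 = x86 stage request, 93 = x64 stage request.
COBALT_STRIKE_CHECKSUMS = {92: "Cobalt Strike x86 stager", 93: "Cobalt Strike x64 stager"}
_BASE64URL = string.ascii_letters + string.digits + "-_"


def checksum8(uri: str) -> int:
    """Sum of the byte values of the path, mod 256. Metasploit first drops
    every character outside the base64url alphabet, which removes the leading
    '/' (and anything else that is not part of the random stager name)."""
    bare = re.sub(r"[^A-Za-z0-9_\-]", "", uri)
    return sum(bare.encode("ascii")) % 256


def classify_url(url: str) -> list:
    """Names of the stager families whose checksum matches this URL's path."""
    c = checksum8(urlsplit(url).path)
    hits = []
    if c in METASPLOIT_CHECKSUMS:
        hits.append(f"checksum8={c}: {METASPLOIT_CHECKSUMS[c]}")
    if c in COBALT_STRIKE_CHECKSUMS:
        hits.append(f"checksum8={c}: {COBALT_STRIKE_CHECKSUMS[c]}")
    return hits


def generate_stager_uri(target: int, length: int = 4, rng=random) -> str:
    """Brute-force a random base64url string whose checksum8 equals `target`,
    the same search Metasploit's generate_uri_checksum performs. Returned
    with a leading '/' so it can be fed straight back into checksum8()."""
    while True:
        candidate = "".join(rng.choice(_BASE64URL) for _ in range(length))
        if checksum8(candidate) == target:
            return "/" + candidate


if __name__ == "__main__":
    # Constructed sample requests, e.g. pulled from a proxy log.
    for url in ("http://203.0.113.5/zzh", "http://203.0.113.5/zzi",
                "http://203.0.113.5/index.html"):
        print(url, classify_url(url) or "no stager checksum match")
    print("example x64 stager URI:", generate_stager_uri(93))
```

Because the test is a single byte, about 1 in 256 arbitrary paths will match by chance, so a hit is a triage lead to confirm with the response body (a stage is a large binary blob), not a detection on its own. Cobalt Strike 4.x profiles can also add a query string or fixed prefix to the stager URI; the classifier above only looks at the path.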

YARA Pre-release v4.1.0, (Sat, Mar 20th)

There's a new version of YARA on GitHub, a pre-release for version 4.1.0.
  • March 20th 2021 at 22:09

Pastebin.com Used As a Simple C2 Channel, (Fri, Mar 19th)

With the growing threat of ransomware attacks, there are other malicious activities that get less attention today but remain active. Think about crypto-miners. Yes, attackers continue to mine Monero on compromised systems. I spotted an interesting shell script that installs and runs a crypto-miner (SHA256:00e2ddca696426d9cad992662284d1f28b9ecd44ed7c1be39789417c1ea9a5f2[1]).
  • March 19th 2021 at 07:50

Simple Python Keylogger , (Thu, Mar 18th)

A keylogger is one of the core features implemented by many malware families to exfiltrate interesting data and learn about the victim. Besides the fact that captured keystrokes can reveal sensitive information (usernames, passwords, IP addresses, hostnames, ...), just by looking at the text typed on the keyboard, the attacker can profile his target and estimate whether it is a juicy one or not.
  • March 18th 2021 at 09:46

Defenders, Know Your Operating System Like Attackers Do!, (Wed, Mar 17th)

Not a technical diary today but more a reflection… When I'm teaching FOR610[1], I always remind students to "RTFM" or "Read the F… Manual". I mean: do not hesitate to have a look at the Microsoft documentation when you meet an API call for the first time or if you are not sure about the expected parameters.
  • March 17th 2021 at 07:17