SANS Internet Storm Center, InfoCON: green

Are Cookie Banners a Waste of Time or a Complete Waste of Time?, (Thu, May 20th)

Legislation, in particular in the European Union, has led to a proliferation of "cookie banners": warning banners that either ask you for blanket permission to set cookies or, in some cases, give you some control over which cookies you allow. These regulations emerged after advertisers made excessive use of HTTP cookies to track users across different sites. But in my opinion, these measures are often implemented poorly. Changes in browsers have made cookies far less menacing than they were in the past, and other tracking technologies are bound to replace cookies and, in some cases, already have.
  • June 10th 2021 at 12:08

Architecture, compilers and black magic, or "what else affects the ability of AVs to detect malicious files", (Wed, Jun 9th)

In my last diary, we went over the impact of different Base encodings on the ability of anti-malware tools to detect malicious code[1]. Since the results of our tests showed (among other things) that AV tools in general still struggle significantly more with detecting 64-bit malicious code than 32-bit malicious code, I thought it might be interesting to discuss another factor that might impact the ability of AVs to detect malware: specifically, the choice of compiler.
  • June 9th 2021 at 11:23

Microsoft June 2021 Patch Tuesday, (Tue, Jun 8th)

This month we got patches for 50 vulnerabilities. Of these, 5 are critical, 2 were previously disclosed and 6 are already being exploited according to Microsoft.
  • June 8th 2021 at 17:57

Amazon Sidewalk: Cutting Through the Hype, (Mon, Jun 7th)

Later this week (tomorrow?), Amazon will enable its new Sidewalk feature. The feature has already gotten a lot of bad press. Much of this comes from the fact that existing devices are automatically used as Sidewalk Gateways, and users will have to opt out. New devices may require a specific opt-in during setup.
  • June 7th 2021 at 19:22

Strange goings on with port 37, (Thu, Jun 3rd)

Similar to Yee Ching's diary on Thursday, I noticed an oddity in the DShield data last weekend (which I had hoped to discuss in a diary on Wednesday, but life got in the way) and thought it was worth asking around to see if anyone knows what is going on. As soon as I saw it, I reconfigured my honeypots to try to capture the traffic, but wasn't able to. I'm always very interested when I see some of the legacy ports and protocols pop up. In this case, port 37 is the time protocol, which operates on both TCP and UDP and is one of the many services that frequently ran on the low ports of the Unix machines I administered back in the 1980s and 1990s. In recent years, most operating systems have disabled these services since they only seemed to be used for DDoS purposes. On Thursday, I took another look at the graph.
  • June 5th 2021 at 02:45

Russian Dolls VBS Obfuscation, (Fri, Jun 4th)

We received an interesting sample from one of our readers (thanks Henry!) and we liked it. If you find something interesting, we are always looking for fresh meat! Henry's sample was delivered in a password-protected ZIP archive and the file was a VBS script called "presentation_37142.vbs" (SHA256: 2def8f350b1e7fc9a45669bc5f2c6e0679e901aac233eac63550268034942d9f). I uploaded a copy of the file to MalwareBazaar[1].
  • June 4th 2021 at 05:01

DShield Data Analysis: Taking a Look at Port 45740 Activity, (Thu, Jun 3rd)

At the SANS Internet Storm Center (ISC), handlers frequently analyze data submitted by DShield participants to determine activity trends and potential attacks. A few days ago, on May 31st, I observed a small anomaly for port 45740 and decided to monitor it for the next 3 days or so. There was a huge spike in the number of sources/day and reports/day recorded on May 31st, as shown in Figure 1.
  • June 3rd 2021 at 07:00

Wireshark 3.4.6 (and 3.2.14) released, (Wed, Jun 2nd)

A new version of Wireshark is out, with a couple of bug fixes including a QUIC TLS decryption issue. Also, the Windows version now comes with npcap 1.31 (updated from 1.10).
  • June 2nd 2021 at 20:15

Quick and dirty Python: nmap, (Mon, May 31st)

This continues on from the "Quick and dirty Python: masscan" diary, which implemented a simple port scanner in Python using masscan to detect web instances on TCP ports 80 or 443. Masscan is perfectly good as a blunt instrument to quickly find open TCP ports across large address spaces, but for fine details it is better to use a scanner like nmap that, while much slower, is able to probe the port to get a better idea of what is running.
  • May 31st 2021 at 19:20
Video: Cobalt Strike & DNS - Part 1, (Sun, May 30th)

One of the Cobalt Strike servers reported by Brad Duncan also communicates over DNS.
  • May 30th 2021 at 16:48

Sysinternals: Procmon, Sysmon, TcpView and Process Explorer update, (Sun, May 30th)

New versions of Sysinternals' tools Procmon, Sysmon, TcpView and Process Explorer were released.
  • May 30th 2021 at 10:55

YARA Release v4.1.1, (Sun, May 30th)

YARA version 4.1.1 was released.
  • May 30th 2021 at 10:44

Spear-phishing Email Targeting Outlook Mail Clients, (Sat, May 29th)

In February I posted about spam pretending to be an Outlook version update [1], and for the past several weeks I have been receiving spear-phishing emails that pretend to come from Microsoft Outlook, asking me to "Sign in to verify" my account, accept new terms of service, install a new version, etc. There have also been some reports this week about a large ongoing spear-phishing campaign [2][3] that are worth reading. Here are some samples, which always include a sense of urgency to log in as soon as possible:
  • May 29th 2021 at 17:18

Malicious PowerShell Hosted on script.google.com, (Fri, May 28th)

Google has an incredible portfolio of services. Besides the classic ones, there are less known services and... they could be very useful for attackers too. One of them is Google Apps Script[1]. Google describes it like this:
  • May 28th 2021 at 05:37

All your Base are...nearly equal when it comes to AV evasion, but 64-bit executables are not, (Thu, May 27th)

Malware authors like to use a variety of techniques to avoid detection of their creations by anti-malware tools. As the old saying goes, necessity is the mother of invention, and in the case of malware it has led its authors to devise some very interesting ways to hide from detection over the years, from encoding executable files into valid bitmap images[1] to multi-stage encryption of malicious payloads[2] and much further. Many of these techniques continue to be used effectively in the wild by malicious actors as well as by red teams that emulate them. Probably none of these techniques (perhaps with the exception of simple XOR encryption) has been used as widely as Base64 encoding of malicious payloads.
  • May 27th 2021 at 09:28

A Survey of Bluetooth Vulnerabilities Trends, (Wed, May 26th)

As the use of fitness trackers, wireless headsets and smart home devices becomes increasingly popular in our daily lives, a growing reliance on the Bluetooth protocol is expected, as it serves as the main medium of communication between devices. Amidst the COVID-19 pandemic, Bluetooth-enabled devices such as phones and hardware tokens were also used for contact-tracing purposes in countries such as Singapore [1]. Currently, the core specification of Bluetooth is 5.2 [2], and Bluetooth is generally divided into 2 categories: Bluetooth Low Energy (BLE) and Bluetooth Classic [3]. Given the increasing popularity and usage of Bluetooth, I started to wonder about the trend of Bluetooth-related vulnerabilities.
  • May 26th 2021 at 00:51

VMware Security Advisory VMSA-2021-0010, (Tue, May 25th)

VMware has issued a critical security advisory, VMSA-2021-0010 (CVSSv3 scores ranging from 6.5 to 9.8). The products affected are VMware vCenter Server and VMware Cloud Foundation, and the advisory addresses CVE-2021-21985 and CVE-2021-21986 [1].
  • May 25th 2021 at 18:05

Uncovering Shenanigans in an IP Address Block via Hurricane Electric's BGP Toolkit, (Tue, May 25th)

Today's diary features a tip-off by one of our ISC diary readers, Earl. Earl discovered some dodgy domains within the IP address block 95.181.152.0/24 via Hurricane Electric's BGP Toolkit [1]. A look at the output for the IP address block 95.181.152.0/24 showed a variety of domains that were related to popular sites such as Steam, Epic Games and Instagram, albeit with an assortment of misspelled URLs.
  • May 25th 2021 at 08:12

Apple May 2021 Security Updates, (Mon, May 24th)

Apple has released several updates for iPhones, iPads, Apple Watches, and Macs earlier today (May 24). More details are available on the Apple Security Updates website.
  • May 24th 2021 at 20:20

Video: Making Sense Of Encrypted Cobalt Strike Traffic, (Sun, May 23rd)

Brad posted another malware analysis with capture file of Cobalt Strike traffic.
  • May 23rd 2021 at 00:01

"Serverless" Phishing Campaign, (Sat, May 22nd)

The Internet is full of code snippets and free resources that you can embed in your projects. SmtpJS is one of those small projects that are very interesting for developers, but also for bad guys. It's the first time that I have spotted a phishing campaign that uses this piece of JavaScript code.
  • May 22nd 2021 at 07:54

Locking Kernel32.dll As Anti-Debugging Technique, (Fri, May 21st)

[Edited: The technique discussed in this diary is not mine and has been used without proper citation of the original author]
  • May 22nd 2021 at 15:52

New YouTube Video Series: Everything you ever wanted to know about DNS and more!, (Thu, May 20th)

You may have heard sayings like "If it is broken, it is probably a DNS problem. And if it isn't DNS, it is still a DNS problem", or "Everything that happens on your network is reflected in DNS". DNS is a great protocol, sometimes shamed for things it can't help, and sometimes forgotten (if it works well). One of the amazing things I find about DNS is all its little nuances and how it all "fits together". I planned this video series a couple of months ago and figured that it would be easy. I know DNS... but each time I look at DNS, I learn something new, so it has taken a while to get the first episodes together, and today I am releasing the first one. There is no fixed schedule for when they will be released (weekly?... if DNS doesn't prevent me from posting them). No fixed end either... I am still considering topics and ideas.
  • May 20th 2021 at 23:16

And Ransomware Just Got a Bit Meaner (yes... it is possible), (Thu, May 20th)

Ransomware has been evolving, and each evolution appears to be a bit "meaner" than the one before. Early ransomware targeted consumers. Encrypting baby pictures or tax records motivated users to pay, in some cases, a few hundred dollars to get their data back. The attackers went for easy targets and, with that, for easy money. But as most people dealing with consumers can attest: customer support is hard! Many consumers do not know how to use cryptocurrencies. Even the relatively straightforward Bitcoin payment can be too difficult. And forget about currencies like Monero that are often not traded on mainstream exchanges.
  • May 20th 2021 at 19:18

From RunDLL32 to JavaScript then PowerShell, (Tue, May 18th)

I spotted an interesting script on VT a few days ago and it deserves a quick diary because it uses a nice way to execute JavaScript on the targeted system. The technique used in this case is based on a very common LOLbin: RunDLL32.exe. The goal of the tool is, as the name says, to load a DLL and execute one of its exported functions:
  • May 18th 2021 at 07:28

Ransomware Defenses, (Mon, May 17th)

Ransomware attacks continue to be in the headlines everywhere, and are also an almost weekly recurring subject in the SANS NewsBites. As useful as many of the reports that security firms and researchers publish on the subject are, they often focus heavily on one particular incident or type of ransomware, and the associated "indicators of compromise" (IOCs). We have already covered before how IOCs can turn into IOOIs (Indicators of Outdated Intelligence), and how to try to elevate the defense work from detecting IOCs to detecting TTPs (Tactics, Techniques and Procedures).
  • May 17th 2021 at 00:20

"Open" Access to Industrial Systems Interface is Also Far From Zero, (Fri, May 14th)

Jan's last diary about the recent attack against the US pipeline[1] was perfectly timed with the quick research I had been preparing for a few weeks. Even if, as Jan said, core components of industrial systems are less exposed in the wild, there is another issue with such infrastructures: remote access tools. Today, buildings, factories and farms must be controlled remotely, or are sometimes managed by third parties. While Microsoft RDP is common on many networks (and is often the weakest link in a classic attack like ransomware), there is another protocol that is heavily used to remotely control industrial systems: VNC ("Virtual Network Computing")[2]. This protocol works with many different operating systems (clients and servers), and is simple and efficient. For many companies developing industrial systems, it is a good candidate for offering remote access.
  • May 14th 2021 at 05:35

Number of industrial control systems on the internet is lower than in 2020...but still far from zero, (Wed, May 12th)

With the recent ransomware attack that impacted operation of one of the major US pipelines[1], I thought it might be a good time to revisit the old topic of internet-connected industrial systems. Since operational technologies are generally used to support/control processes that directly impact the physical world, the danger of successful attacks on them should be self-evident, as should the need to protect them.
  • May 12th 2021 at 11:13

Microsoft May 2021 Patch Tuesday, (Tue, May 11th)

This month we got patches for 55 vulnerabilities. Of these, 4 are critical, 3 were previously disclosed and none is being exploited according to Microsoft.
  • May 11th 2021 at 23:25

Correctly Validating IP Addresses: Why encoding matters for input validation., (Mon, May 10th)

Recently, a number of libraries suffered from a very similar security flaw: IP addresses expressed in octal were not correctly interpreted. The result was that an attacker was able to bypass input validation rules that restricted IP addresses to specific subnets.
  • May 10th 2021 at 12:30

Who is Probing the Internet for Research Purposes?, (Sat, May 8th)

Shodan[1] is one of the most familiar sites for researching what is on the internet. In Oct 2020 I did a diary on Censys [2][3], another site collecting information similar to Shodan's. The next two sites are regularly scanning the internet for data which isn't shared with the security community at large.
  • May 9th 2021 at 15:32

Exposed Azure Storage Containers, (Fri, May 7th)

A couple months ago, we already covered the topic of exposed Azure Blob Storage in two separate ISC diaries, "Exposed Blob Storage in Azure" and "Preventing Exposed Blob Storage in Azure". The information therein is still relevant and valid, so if you are using Azure Storage, and haven't read these two diaries yet, please do.
  • May 7th 2021 at 00:02