FreshRSS

🔒
❌ About FreshRSS
☷
△ 🔃
There are new available articles, click to refresh the page.
Before yesterdaySANS Internet Storm Center, InfoCON: green

Multiple BaseXX Obfuscations, (Fri, Jul 16th)

I found an interesting malicious Python script during my daily hunting routine. The script has a VT score of 2/58[1] (SHA256: 6990298edd0d66850578bfd1e1b9d42abfe7a8d1deb828ef0c7017281ee7c5b7). Its purpose is to perform the first stage of the infection. It downloads a shellcode, injects it into memory, and executes it. What’s interesting is the way obfuscation is implemented.
  • July 16th 2021 at 07:14
  • ↗

USPS Phishing Using Telegram to Collect Data, (Tue, Jul 13th)

Phishing... at least they don't understand security any better than most kids. The latest example is a simple USPS phish. The lure is an email claiming that a package can not be delivered until I care to update my address. Urgency... and obvious action. They learned something in their phishing 101 class.
  • July 15th 2021 at 01:29
  • ↗

One way to fail at malspam - give recipients the wrong password for an encrypted attachment , (Wed, Jul 14th)

It is not unusual for malspam authors to encrypt the malicious files that they attach to messages they send out. Whether they encrypt the malicious file itself (as in the case of a password-protected Office document) or embed it in an encrypted archive, encryption can sometimes help attackers to get their creations past e-mail security scans.
  • July 14th 2021 at 11:06
  • ↗

Microsoft July 2021 Patch Tuesday, (Tue, Jul 13th)

This month we got patches for 117 vulnerabilities. Of these, 13 are critical, 6 were previously disclosed and 4 are being exploited according to Microsoft.
  • July 13th 2021 at 19:03
  • ↗

Scanning for Microsoft Secure Socket Tunneling Protocol, (Sat, Jul 10th)

Over the past month I noticed a resurgence of probe by Digitalocean looking for the Microsoft (MS) Secure Socket Tunneling Protocol (SSTP). This MS proprietary VPN protocol is used to establish a secure connection via the Transport Layer Security (TLS) between a client and a VPN gateway. Additional information on this protocol available here.
  • July 10th 2021 at 21:56
  • ↗

Using Sudo with Python For More Security Controls, (Thu, Jul 8th)

I'm a big fan of the Sudo[1] command. This tool, available on every UNIX flavor, allows system administrators to provide access to certain users/groups to certain commands as root or another user. This is performed with a lot of granularity in the access rights and logging/reporting features. I'm using it for many years and I'm still learning great stuff about it. Yesterday, at the Pass-The-Salt[2] conference, Peter Czanik presented a great feature of Sudo (available since version 1.9): the ability to extend features using Python modules! There are several scenarios where Python can be used: 
  • July 8th 2021 at 11:09
  • ↗

Microsoft Releases Patches for CVE-2021-34527, (Wed, Jul 7th)

Microsoft today released patches for CVE-2021-34527, the vulnerability also known as "printnightmare." Patches are now available for all affected versions of Windows (as long as they are still supported). Applying the update will also patch the older CVE-2021-1675 vulnerability.
  • July 7th 2021 at 11:15
  • ↗

Python DLL Injection Check, (Tue, Jul 6th)

They are many security tools that inject DLL into processes running on a Windows system. The classic examples are anti-virus products. They like to inject plenty of code that, combined with API hooking, implements security checks. If DLLs are injected into processes, they can be detected and it's a common anti-debugging or evasion technique implemented by many malware samples. If you're interested in such techniques, they are covered in the FOR610[1] training. The detection relies on a specific API call GetModuleFileName()[2]. The function expects the following parameters: A handle (pointer) to a process and the name of the DLL to check. Malware samples list all running processes, get a handle on them, and search for interesting DLL names. To get the handle, the OpenProcess()[3] API call must use the following access flag (0x0410 - PROCESS_VM_READ|PROCESS_QUERY_INFORMATION).
  • July 6th 2021 at 11:19
  • ↗

DIY CD/DVD Destruction - Follow Up, (Sun, Jul 4th)

Thanks a lot to all of you who posted a comment on my diary entry "DIY CD/DVD Destruction". They inspired me to try out some other methods.
  • July 4th 2021 at 18:22
  • ↗

Finding Strings With oledump.py, (Sat, Jul 3rd)

In diary entry "CFBF Files Strings Analysis" I show how to extract strings from CFBF/ole files with my tool oledump.py.
  • July 3rd 2021 at 19:33
  • ↗

Kaseya VSA Users Hit by Ransomware, (Fri, Jul 2nd)

We are aware that some MSSP's customers (Managed Security Services Providers) have been hit by a ransomware. It seems that four(4) MSSP's have been affected until now. The ransomware was spread through the remote management solution "VSA"  provided by Kaseya[1]. This looks to be a brand new type of supply chain attack.
  • July 2nd 2021 at 20:18
  • ↗

"inception.py"... Multiple Base64 Encodings, (Fri, Jul 2nd)

"Inception" is a very nice SF movie in which, if you did not watch it, dreams are implemented in people's minds to help to get access to sensitive information from their memory. Then, a dream is implemented into another dream, etc... up to five levels[1]! If you are not paying attention to the movie, you can be quickly lost. 
  • July 2nd 2021 at 05:33
  • ↗

Diving into a Google Sweepstakes Phishing E-mail, (Tue, Jun 29th)

I was recently forwarded another phishing e-mail to examine. This time, it was an e-mail that claimed to be from Google. The e-mail included a pdf file, and instructed the recipient download the file for further information. Figure 1 below shows the headers, while Figure 2 shows the content of the e-mail message.
  • June 30th 2021 at 02:06
  • ↗

CFBF Files Strings Analysis, (Mon, Jun 28th)

The Office file format that predates the OOXML format, is a binary format based on the CFBF format. I informally call this the ole file format.
  • June 28th 2021 at 17:10
  • ↗

DIY CD/DVD Destruction, (Sun, Jun 27th)

I have some personal CDs & DVDs to dispose of. And I don't want them to reamain (easily) readable.
  • June 27th 2021 at 19:14
  • ↗

CVE-2019-9670: Zimbra Collaboration Suite XXE vulnerability, (Sat, Jun 26th)

This XML External Entity injection (XXE) vulnerability disclosed in March 2019 is still actively scanned for a vulnerable mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10. This exploit attempts to read the Zimbra configuration file that contains an LDAP password for the zimbra account.
  • June 26th 2021 at 10:13
  • ↗

Is this traffic bAD?, (Fri, Jun 25th)

It seems like every time I take a handler shift lately, I'm talking about an uptick of traffic on another port and I'm not breaking that trend today. This really takes me back to the early days of the Internet Storm Center when that seemed to be the main thing we talked about. This time, the port that gotmy attention is UDP port 389. This is the normal port for the Lightweight Directory Access Protocol (LDAP) which is used a great deal by Microsoft Active Directory (AD). 
  • June 25th 2021 at 00:45
  • ↗

Do you Like Cookies? Some are for sale!, (Thu, Jun 24th)

Cookies… These small pieces of information are always with us. Since the GDPR was kicked off in Europe, we are flooded by pop-ups asking if we accept “cookies”. Honestly, most people don’t take time to read the warning and just accept the default settings.
  • June 24th 2021 at 05:33
  • ↗

Standing With Security Researchers Against Misuse of the DMCA, (Wed, Jun 23rd)

As Dean of Research for our graduate school (sans.edu), I often assist students in developing their research ideas. The research conducted by our students is valuable and important to defend our networks against highly organized and well-funded threat actors. Any restriction on our student's ability to conduct their research, and sharing their results freely, only adds additional unnecessary burdens on us as network defenders. With that, I am happy that I was able to co-sign the attached statement by the Electronic Frontier Foundation (EFF) on behalf of the SANS Technology Institute. Legal threats against good faith security researchers only discourage the open exchange of ideas. If we hope to have a chance to defend, we will have to keep exchanging these ideas, learn and we need to continue to be curious hackers exploring the technologies that are the foundation of our everyday living.
  • June 23rd 2021 at 15:56
  • ↗

Phishing asking recipients not to report abuse, (Tue, Jun 22nd)

It can be a little disheartening to deal with well-prepared phishing attacks every day, since one can easily see how even users who are fully “security-aware” could fall for some them. The messages don’t even have to be too complex to be believable. For example, a message containing seemingly innocuous text and a link that points to legitimate, well-known domain hosting an application that is affected by open redirect vulnerability (I’m looking at you, Google[1], though – to be fair – you’re hardly alone[2]) can look quite trustworthy, if no obvious red flags are present.
  • June 22nd 2021 at 13:15
  • ↗

Mitre CWE - Common Weakness Enumeration, (Mon, Jun 21st)

If you are involved in the security industry  you are at least somewhat familiar with the Mitre ATT&CK framework, the very useful, community driven, knowledgebase of attack threat models and methodologies which can be used to emulate adversary behavior to test security controls. However fewer are aware of a lesser known Mitre project, Common Weakness Enumeration (CWE).
  • June 21st 2021 at 19:10
  • ↗

Video: oledump Cheat Sheet, (Sun, Jun 20th)

I did create a SANS cheat sheet for oledump.py.
  • June 20th 2021 at 14:59
  • ↗

Easy Access to the NIST RDS Database, (Sat, Jun 19th)

When you're facing some suspicious files while performing forensic investigations or analyzing malware components, it's always interesting to know these files are legit or malicious/modified. One of the key sources to verify hashes is provided by NIST and is called the NSLR project ("National Software Reference Library")[1]. They build "Reference Data Set" (RDS) of information that can be queried to verify a file hash. These RDS are available to download[2] but, as you may expect, there are huge (they are provided as ISO files between 500MB to 4GB!)
  • June 19th 2021 at 10:27
  • ↗

Open redirects ... and why Phishers love them, (Fri, Jun 18th)

Working from home, did you get a meeting invite recently that pointed to https://meet.google.com ?  Well, that's indeed where Google's online meeting tool is located. But potentially the URL you got is not "only" leading you there.
  • June 18th 2021 at 13:03
  • ↗


Network Forensics on Azure VMs (Part #2), (Fri, Jun 18th)

In yesterday's diary, we took a look at two methods that allow to capture network connection information off a potentially compromised virtual machine in Azure. Today, we'll investigate the most recent addition to the VM monitoring arsenal, namely "Azure Monitor Insights".
  • June 18th 2021 at 00:28
  • ↗


 Network Forensics on Azure VMs (Part #1), (Thu, Jun 17th)

The tooling to investigate a potentially malicious event on an Azure Cloud VM is still in its infancy. We have covered before (Forensicating Azure VMs) how we can create a snapshot of the OS disk of a running VM. Snapshotting and then killing off the infected VM is very straight forward, but it also tips off an intruder that he has been found out. Sometimes, it makes sense to first watch for a while, and learn more, for example about compromised accounts, lateral movement, or other involved hosts.
  • June 17th 2021 at 14:40
  • ↗

Multi Perimeter Device Exploit Mirai Version Hunting For Sonicwall, DLink, Cisco and more, (Tue, Jun 15th)

Vulnerable perimeter devices remain a popular target, and we do see consistent exploit attempts against them. This weekend, Guy wrote about some scans for Fortinet vulnerabilities [1], and Xavier notes that Crowdstrike observed attacks against EoL Sonicwalls [2]. Starting earlier this month, we did also observe a consistent trickle of requests looking for a relatively recent Sonicwall vulnerability:
  • June 15th 2021 at 10:16
  • ↗

Update: mac-robber.py, (Sun, Jun 13th)

Almost 4 years ago, I wrote a python version of mac-robber. I use it fairly regularly at $dayjob. This past week, one of my co-workers was using it, but realized that it hashes large files a little too slowly. He decided to use mac-robber.py to collect the MAC times and do the hashing separately so he could limit the hashes to to files under a certain size. That sounded reasonable, so I've added a switch (-s or --size). If hashing is turned on the new switch will limit the hashing to files under the given size.
  • June 13th 2021 at 01:34
  • ↗

Fortinet Targeted for Unpatched SSL VPN Discovery Activity, (Sat, Jun 12th)

Over the past 60 days, I have observed scanning activity to discover FortiGate SSL VPN unpatched services. Fortinet has fixed several critical vulnerabilities in SSL VPN and web firewall this year from Remote Code Execution (RCE) to SQL Injection, Denial of Service (DoS) which impact the FortiProxy SSL VPN and FortiWeb Web Application Firewall (WAF) products [1][2]. Two weeks ago, US-CERT [4] released an alert re-iterating that APT actors are looking for Fortinet vulnerabilities to gain access to networks. Additional information to look for signs of this activity available here.
  • June 12th 2021 at 17:32
  • ↗

Sonicwall SRA 4600 Targeted By an Old Vulnerability, (Fri, Jun 11th)

Devices and applications used to provide remote access are juicy targets. I've already been involved in many ransomware cases and most of the time, the open door was an unpatched VPN device/remote access solution or weak credentials. A good example, the recent attack against the Colonial Pipeline that started with a legacy VPN profile[1].
  • June 11th 2021 at 13:55
  • ↗

Keeping an Eye on Dangerous Python Modules, (Fri, Jun 11th)

With Python getting more and more popular, especially on Microsoft Operating systems, it's common to find malicious Python scripts today. I already covered some of them in previous diaries[1][2]. I like this language because it is very powerful: You can automate boring tasks in a few lines. It can be used for offensive as well as defensive purposes, and... it has a lot of 3rd party "modules" or libraries that extend its capabilities. For example, if you would like to use Python for forensics purposes, you can easily access the registry and extract data:
  • June 11th 2021 at 05:31
  • ↗
❌