SANS Internet Storm Center, InfoCON: green

ProxyShell - how many Exchange servers are affected and where are they?, (Mon, Aug 9th)

Since the bad guys have started to actively look[1] for machines affected by vulnerabilities that enable one to perform the ProxyShell attack (unauthenticated RCE on an on-premise Exchange server) and since Shodan now detects machines affected by these vulnerabilities as well, I thought it might be interesting to take a look at some of the current Shodan data.
  • August 9th 2021 at 10:25

MALWARE Bazaar "Download daily malware batches", (Sat, Aug 7th)

We have written about MALWARE Bazaar before: a place where you can download malware samples without an account or subscription.
  • August 7th 2021 at 21:19

Malicious Microsoft Word Remains A Key Infection Vector, (Fri, Aug 6th)

Despite Microsoft's attempts to make its Office suite more secure and disable many automatic features, and despite the fact that users are warned that suspicious documents should not be opened, malicious Word documents remain a key infection vector today. One of our readers (thanks Joel!) shared a sample that he received and, unfortunately, opened on his computer. The document was delivered to him via a spoofed email (sent by a known contact). The document ("legal paper.08.04.2021.doc") was delivered in a protected ZIP archive and has a VT score of 11/58[1]. This remains a very low score for a simple Word document. It deserved a look at the content.
  • August 6th 2021 at 08:03

Pivoting and Hunting for Shenanigans from a Reported Phishing Domain, (Wed, Aug 4th)

I was alerted to a web page masquerading as a local financial institution earlier in the day. The phishing web page was constructed well, looked extremely similar to the financial institution’s actual page and had input fields for victims to input their credentials. Fortunately, it was taken down quickly. However, I was unable to do further analysis on the perpetrator or access the site to obtain data (for example, the phishing site allegedly restricted access only to mobile device browsers). Albeit a little disappointed, I analyzed the information that was sent to me and decided to pivot and hunt for a potential website that was involved in shenanigans.
  • August 4th 2021 at 00:32

Changing BAT Files On The Fly, (Mon, Aug 2nd)

I often use Windows BAT files, simple ones, to execute a series of commands. And over the years, I learned not to change these BAT files while they were executing, because cmd.exe would "notice" those changes when it has to execute the next command in the BAT file, and read the changed file, leading to undesired results.
  • August 2nd 2021 at 19:51

procdump Version 10.1, (Sun, Aug 1st)

A new version of procdump, the Sysinternals tool to create process dumps, was released.
  • August 1st 2021 at 09:22

Unsolicited DNS Queries, (Sat, Jul 31st)

This week I started seeing more DNS related activity being identified by Threatintel and that got me curious. While reviewing my logs, I noticed that Wednesday and Thursday had an unusual spike for many inbound unsolicited DNS queries for the domain census.gov.
  • July 31st 2021 at 12:38

Infected With a .reg File, (Fri, Jul 30th)

Yesterday, I reported a piece of malware that uses archive.org to fetch its next stage[1]. Today, I spotted another file that is also interesting: A Windows Registry file (with a ".reg" extension). Such files are text files created by exporting values from the Registry (export) but they can also be used to add or change values in the Registry (import). Being text files, they don't look suspicious.
  • July 30th 2021 at 12:32

Malicious Content Delivered Through archive.org, (Thu, Jul 29th)

archive.org[1], also known as the "way back machine" is a very popular Internet site that allows you to travel back in time and browse old versions of a website (like the ISC website[2]). It works like regular search engines and continuously crawls the internet via bots. But there is another way to store content on archive.org: You may create an account and upload some content by yourself.
  • July 29th 2021 at 07:18

A sextortion e-mail from...IT support?!, (Wed, Jul 28th)

E-mails claiming that their author has recorded the recipient through a webcam while they were "in flagrante delicto" enjoying a visit to some pornographic site, and will publish the recording unless the recipient pays them, have been with us for quite a while now. Over time, these messages haven’t changed much. It is no wonder – since the “hook” they use is fairly timeless and nearly universal in nature, the same messages can be effective for a long time without any substantial modifications.
  • July 28th 2021 at 06:34

Apple Patches for CVE-2021-30807, (Tue, Jul 27th)

Apple has released another update (previous update was only about 5 days ago) to address CVE-2021-30807 that was discovered by an anonymous researcher. This update resolves an issue with IOMobileFrameBuffer which could allow an application to execute arbitrary code with kernel privileges [1], [2]. This issue may have been actively exploited.
  • July 27th 2021 at 03:35

Failed Malspam: Recovering The Password, (Mon, Jul 26th)

Jan's diary entry "One way to fail at malspam - give recipients the wrong password for an encrypted attachment" got my attention: it's an opportunity for me to do some password cracking :-) I asked Jan for the sample.
  • July 26th 2021 at 17:07

Wireshark 3.4.7 Released, (Sun, Jul 25th)

Wireshark version 3.4.7 was released.
  • July 25th 2021 at 10:55

Active Directory Certificate Services (ADCS - PKI) domain admin vulnerability, (Sat, Jul 24th)

Phew, this was a really bad week for Microsoft (and a lot of reading for all of us). And just when we thought that the fiasco with the SAM hive was over, a new vulnerability popped up, which is much, much more dangerous unfortunately – it allows a user to completely take over a Windows domain that has the ADCS service running. And those are probably running in the majority of enterprises.
  • July 24th 2021 at 21:42

Agent.Tesla Dropped via a .daa Image and Talking to Telegram, (Sat, Jul 24th)

A few days ago, I found an interesting file delivered by email (why change a winning combination?). The file has a nice extension: “.daa” (Direct Access Archive). We already reported such files in 2019 and Didier wrote a diary[1] about them. A default Windows installation can’t process “.daa” files; you need a specific tool to open them (like PowerISO). I converted the archive into an ISO file and extracted the PE file inside it.
  • July 24th 2021 at 06:47

Uncovering Shenanigans in an IP Address Block via Hurricane Electric's BGP Toolkit (II), (Fri, Jul 23rd)

Today’s diary revisits hunting for dodgy domains via Hurricane Electric's BGP Toolkit [1]. This was previously done in an earlier diary [2], and I plan to do this occasionally to share potential or identified threats so that readers can be aware of them.
  • July 23rd 2021 at 12:52

Lost in the Cloud: Akamai DNS Outage, (Thu, Jul 22nd)

As we already got a number of notes from readers: Currently, Akamai's DNS service appears to experience an outage that affects numerous other large websites. 
  • July 22nd 2021 at 16:52

"Summer of SAM": Microsoft Releases Guidance for CVE-2021-36934, (Wed, Jul 21st)

[UPDATE] Microsoft updated its article late yesterday (Wed July 21st). It now includes a list of vulnerable systems. Most notably, Windows Server, version 20H2 (Server Core Installation), Windows Server, version 2004 (Server Core installation), and Windows Server 2019 (Server Core Installation and "not Core") are affected. Earlier notes did not include any server operating systems.
  • July 22nd 2021 at 13:01

Summer of SAM - incorrect permissions on Windows 10/11 hives, (Tue, Jul 20th)

If you opened Twitter today you were probably flooded with news about the latest security issue with Windows. For those that have ISC as their home page (yay!) the issue is the following: apparently starting with Windows 10 1809 (hey, that’s a version from 2018) Microsoft messed up permissions on the SAM and SYSTEM hives which became readable for any user on the system.
  • July 20th 2021 at 11:35

New Windows Print Spooler Vulnerability - CVE-2021-34481, (Mon, Jul 19th)

A new, unpatched vulnerability has been discovered in the Windows Print Spooler and is being tracked under CVE-2021-34481. Discovered by Jacob Baines at Dragos, this one requires local access, so it is less of a nightmare than PrintNightmare, but unfortunately the result of exploitation is SYSTEM level privileges.
  • July 19th 2021 at 14:26

Video: CyberChef BASE85 Decoding, (Sun, Jul 18th)

In this video, I show how to decode the sample of Xavier's diary entry "Multiple BaseXX Obfuscations" with CyberChef.
  • July 18th 2021 at 09:49

BASE85 Decoding With base64dump.py, (Sat, Jul 17th)

Xavier's diary entry "Multiple BaseXX Obfuscations" covers a malicious script that is encoded with different "base" encodings. Xavier starts with my tool base64dump.py, but he can not do the full decoding with base64dump, as it does not support BASE85.
  • July 17th 2021 at 07:17

Multiple BaseXX Obfuscations, (Fri, Jul 16th)

I found an interesting malicious Python script during my daily hunting routine. The script has a VT score of 2/58[1] (SHA256: 6990298edd0d66850578bfd1e1b9d42abfe7a8d1deb828ef0c7017281ee7c5b7). Its purpose is to perform the first stage of the infection. It downloads a shellcode, injects it into memory, and executes it. What’s interesting is the way obfuscation is implemented.
  • July 16th 2021 at 07:14

USPS Phishing Using Telegram to Collect Data, (Tue, Jul 13th)

Phishing... at least they don't understand security any better than most kids. The latest example is a simple USPS phish. The lure is an email claiming that a package can not be delivered until I care to update my address. Urgency... and obvious action. They learned something in their phishing 101 class.
  • July 15th 2021 at 01:29

One way to fail at malspam - give recipients the wrong password for an encrypted attachment , (Wed, Jul 14th)

It is not unusual for malspam authors to encrypt the malicious files that they attach to messages they send out. Whether they encrypt the malicious file itself (as in the case of a password-protected Office document) or embed it in an encrypted archive, encryption can sometimes help attackers to get their creations past e-mail security scans.
  • July 14th 2021 at 11:06

Microsoft July 2021 Patch Tuesday, (Tue, Jul 13th)

This month we got patches for 117 vulnerabilities. Of these, 13 are critical, 6 were previously disclosed and 4 are being exploited according to Microsoft.
  • July 13th 2021 at 19:03

Scanning for Microsoft Secure Socket Tunneling Protocol, (Sat, Jul 10th)

Over the past month I noticed a resurgence of probes from DigitalOcean looking for the Microsoft (MS) Secure Socket Tunneling Protocol (SSTP). This MS proprietary VPN protocol is used to establish a secure connection via Transport Layer Security (TLS) between a client and a VPN gateway. Additional information on this protocol is available here.
  • July 10th 2021 at 21:56

Using Sudo with Python For More Security Controls, (Thu, Jul 8th)

I'm a big fan of the Sudo[1] command. This tool, available on every UNIX flavor, allows system administrators to provide access to certain users/groups to certain commands as root or another user. This is performed with a lot of granularity in the access rights and logging/reporting features. I've been using it for many years and I'm still learning great stuff about it. Yesterday, at the Pass-The-Salt[2] conference, Peter Czanik presented a great feature of Sudo (available since version 1.9): the ability to extend features using Python modules! There are several scenarios where Python can be used:
  • July 8th 2021 at 11:09

Microsoft Releases Patches for CVE-2021-34527, (Wed, Jul 7th)

Microsoft today released patches for CVE-2021-34527, the vulnerability also known as "printnightmare." Patches are now available for all affected versions of Windows (as long as they are still supported). Applying the update will also patch the older CVE-2021-1675 vulnerability.
  • July 7th 2021 at 11:15

Python DLL Injection Check, (Tue, Jul 6th)

There are many security tools that inject DLLs into processes running on a Windows system. The classic examples are anti-virus products. They like to inject plenty of code that, combined with API hooking, implements security checks. If DLLs are injected into processes, they can be detected, and this is a common anti-debugging or evasion technique implemented by many malware samples. If you're interested in such techniques, they are covered in the FOR610[1] training. The detection relies on a specific API call, GetModuleFileName()[2]. The function expects the following parameters: a handle (pointer) to a process and the name of the DLL to check. Malware samples list all running processes, get a handle on them, and search for interesting DLL names. To get the handle, the OpenProcess()[3] API call must use the following access flag (0x0410 - PROCESS_VM_READ|PROCESS_QUERY_INFORMATION).
  • July 6th 2021 at 11:19

DIY CD/DVD Destruction - Follow Up, (Sun, Jul 4th)

Thanks a lot to all of you who posted a comment on my diary entry "DIY CD/DVD Destruction". They inspired me to try out some other methods.
  • July 4th 2021 at 18:22