FreshRSS

πŸ”’
❌ About FreshRSS
☷
β–½ πŸ”ƒ
There are new available articles, click to refresh the page.
Before yesterdaySANS Internet Storm Center, InfoCON: green

Agent Tesla Trojan Abusing Corporate Email Accounts, (Thu, Sep 19th)

The trojan 'Agent Tesla'Β is not brand new, discovered in 2018, it is written in VisualBasic and has plenty of interesting features. Just have a look at the MITRE ATT&CK overview of its TTP[1].
  • September 19th 2019 at 06:47
  • β†—

Blacklisting or Whitelisting in the Right Way, (Thu, Sep 19th)

It's Friday today, I'd like to talk about something else. Black (or white) lists are everywhere today. Many security tools implement a way to allow/deny accesses or actions on resources based on "lists" bsides the automated processing of data. The approach to implement them is quite different:
  • September 20th 2019 at 07:41
  • β†—

Video: Encrypted Sextortion PDFs, (Sun, Sep 22nd)

In this video, I show how to use my PDF tools together with QPDF and Poppler to deal with encrypted PDFs, like the sextortion PDFs that were submitted recently.
  • September 22nd 2019 at 18:14
  • β†—

YARA XOR Strings: an Update, (Sun, Sep 22nd)

Almost a year ago, I reported on a new feature in YARA version 3.8.0: YARA XOR Strings. The new YARA xor keyword allows for the search of strings that are XOR-encoded with a one-byte key.
  • September 23rd 2019 at 06:31
  • β†—

Huge Amount of remotewebaccess.com Sites Found in Certificate Transparency Logs, (Tue, Sep 24th)

I'm keeping an eye on the certificate transparency logs[1] using automated scripts. The goal is to track domain names (and their variations) of my customers,Β sensitive services in Belgium, key Internet players and some interesting keywords. Yesterday I detected a peak of events related to the domain 'remotewebaccess.com'. This domain, owned by Microsoft, is used to provide temporary remote access to Windows computers[2]. Microsoft allows you to use your own domain but provides also (for more convenience?) a list of available domains. Once configured, you are able to access the computer from a browser:
  • September 24th 2019 at 07:45
  • β†—

Mining MAC Address and OUI Information, (Thu, Sep 26th)

So often when we're working an incident on the network side, we quickly end up at Layer 2, working with MAC Addresses.
  • September 26th 2019 at 16:29
  • β†—

Vulnerability on specific Cisco Industrial / Grid router models, (Thu, Sep 26th)

Our reader Marc reports a vulnerability posted by Cisco yesterday: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-ios-gos-auth
  • September 26th 2019 at 17:07
  • β†—

New Scans for Polycom Autoconfiguration Files, (Fri, Sep 27th)

One of my honeypots detected aΒ nice scanΒ yesterday. A bot was looking for Polycom master provisioning files. SuchΒ files areΒ called by default '000000000000.cfg’ and containΒ interesting information to perform provisioning ofΒ VoIP phones. Normally, this file is renamed with the MAC address of the phone (ex: a1b2c3d4e5f6.cfg) but the name can be left intact and, if the phone can’t find his own MAC address-basedΒ configuration, it will pull the default file.
  • September 27th 2019 at 07:13
  • β†—

Encrypted Maldoc, Wrong Password, (Sun, Sep 29th)

Reader Chad submitted a malicious Office document, delivered as an email attachment. The maldoc was encrypted, and the password was mentioned in the email: PETROFAC.
  • September 29th 2019 at 21:52
  • β†—


Maldoc, PowerShell & BITS, (Mon, Sep 30th)

The sample we analyze today is a malicious Office document, using PowerShell to download its payload via BITS.
  • September 30th 2019 at 18:36
  • β†—

A Quick Look at Some Current Comment Spam, (Tue, Oct 1st)

As pretty much everybody else allowing comments, our site is getting its fair share of spam. Over the years, we implemented a number of countermeasures, so it is always interesting to see what makes it past these countermeasures. There are a number of recurring themes when it comes to spam:
  • October 1st 2019 at 17:25
  • β†—

A recent example of Emotet malspam, (Wed, Oct 2nd)

Shown below is an example of malicious spam (malspam) pushing Emotet malware.Β  It has an attached Word document with macros designed to install Emotet on a vulnerable Windows host.
  • October 2nd 2019 at 02:37
  • β†—

"Lost_Files" Ransomware, (Thu, Oct 3rd)

Are good old malware still used by attackers today? Probably not running the original code but malware developers are… developers!Β They don’t reinvent the wheel and re-use code published here and there. I spotted aΒ ransomware which looked like an old one.
  • October 3rd 2019 at 06:06
  • β†—

Buffer overflows found in libpcap and tcpdump, (Thu, Oct 3rd)

It is always a bit worrisome when vulnerabilities are found in our favorite tools, but our tools are software like any other software and can have bugs, too. One of the feeds I have in my RSS reader is NIST National Vulnerability Database (NVD) feed. Earlier today, I noticed a bunch of CVEs show up there for libpcap and tcpdump. I hadn't noticed any major announcements of new versions or any automatic updates of those tools on any of my linux boxes, so I decided to head straight to the source, www.tcpdump.org. It turns out, there were new versions of both libpcap (new version is 1.9.1) and tcpdump (version 4.9.3) released on Monday. And, there under latest releases, it notes that this release "addresses a large number of vulnerabilities." It should also be noted, this is the first release in over 2 years. Quite of few of the vulnerabilities have CVEs dating from 2018. In all, this update addresses 33 CVEs. Hopefully, the major linux distros will roll out updates over the next few days or weeks. I haven't seen any indication that folks have tried to craft traffic to exploit any of these vulnerabilities, but that is always a concern when a tool like tcpdump or wireshark or the like has buffer overflows in their protocol parsers/decoders/dissectors. So, if you use tcpdump and/or any libpcap-based tools in your toolbox for network monitoring or network forensics, be on the lookout for updates from your linux distro or tool vendor or just go ahead and build your own copy from source.
  • October 4th 2019 at 05:27
  • β†—

visNetwork for Network Data, (Sun, Oct 6th)

DFIR Redefined Part 3 - Deeper Functionality for Investigators with R series continued
  • October 6th 2019 at 00:55
  • β†—

Microsoft October 2019 Patch Tuesday, (Tue, Oct 8th)

This month we got patches for 59 vulnerabilities total.Β None of them have been previously disclosed nor are being exploited according to Microsoft.Β 
  • October 8th 2019 at 17:58
  • β†—

Mining Live Networks for OUI Data Oddness, (Thu, Oct 10th)

My last story was a short script that takes MAC addresses in, and returns the OUI portion of that, along with the vendor who corresponds to that OUI.Β  (https://isc.sans.edu/diary/Mining+MAC+Address+and+OUI+Information/25360) Today we'll port that to PowerShell as a function and use that on a live network for some "hunting" to look for odd things.
  • October 10th 2019 at 12:40
  • β†—

YARA v3.11.0 released, (Sat, Oct 12th)

A new version of YARA was released: v3.11.0.
  • October 12th 2019 at 21:16
  • β†—

YARA's XOR Modifier, (Mon, Oct 14th)

YARA searches for strings inside files. Strings to search for are defined with YARA rules.
  • October 14th 2019 at 18:21
  • β†—

Security Monitoring: At Network or Host Level?, (Wed, Oct 16th)

Today, to reach a decent security maturity, the keyword remains "visibility". There is nothing more frustrating than being blind about what's happening on a network or starting an investigation without any data (logs, events) to process. The question is: how to efficiently keep an eye on what's happening on your network? There are three key locations to collect data:
  • October 16th 2019 at 09:39
  • β†—

When MacOS Catalina Comes to Life: The First Few Minutes of Network Traffic From MacOS 10.15., (Mon, Oct 14th)

This post is continuing a series I started in April about network traffic from Windows 10. When dealing with network traffic, it is always good to know what is normal. As part of this series, I will investigate the first few minutes of network traffic from current operating systems. With macOS 10.15 Catalina just being released, I figured this might be an excellent next operating system to investigate.
  • October 16th 2019 at 22:43
  • β†—

Phishing e-mail spoofing SPF-enabled domain, (Thu, Oct 17th)

On Monday, I found what looked like a run-of-the-mill phishing e-mail in my malware quarantine. The "hook" it used was quite a common one – it was a fake DHL delivery notification inserted as an image into the body of the e-mail in an attempt to make user open its attachments.
  • October 17th 2019 at 09:54
  • β†—

Quick Malicious VBS Analysis, (Fri, Oct 18th)

Let’s have a look at a VBS sample found yesterday. It started as usual with a phishing email that contained a link to a malicious ZIP archive. This techniqueΒ is more and more common to deliver the first stage via a URL because it reduces the risk to have the first file blocked by classic security controls. The link was:
  • October 18th 2019 at 06:25
  • β†—

What Assumptions Are You Making?, (Sat, Oct 19th)

If my security agents were not working correctly, then I would get an alert. Since no one said there is a problem with my security agents, then everything must be ok with them. These are just a couple of the assumptions that we make as cybersecurity practitioners each day about the security agents that serve to protect our respective organizations. While it is preferable to think that everything is ok, it is much better to validate that assumption regularly.Β 
  • October 19th 2019 at 13:10
  • β†—

Scanning Activity for NVMS-9000 Digital Video Recorder, (Sun, Oct 20th)

Since the beginning of October, my honeypot has been capturing numerous scans for DVR model NVMS-9000 which a PoC was released last year describing a "Stack Overflow in Base64 Authorization"[1].
  • October 20th 2019 at 23:35
  • β†—

What's up with TCP 853 (DNS over TLS)?, (Mon, Oct 21st)

I was looking at some of our data lat last week and noticed an increase probes on tcp %%port:853%%. For those of you who aren't aware, tcp port 853 is assigned to DNS over TLS as defined in RFC 7858. DNS over TLS (or DoT) was defined in 2016 as a way of hiding the contents of DNS requests from prying eyes on the network since DNS normally occurs in the clear over %%port:53%%. Of course, over the last few months all of the discussion has actually been about an alternative to DoT, DNS over HTTPS (or DoH) defined in RFC 8484, since the major web browser vendors (Google and Mozilla) have announced that they are or will be supporting DoH within the browser in the near future. For the moment, I'll stay out of the debate about the merits of DoT vs. DoH. But, back to this story, since I noticed the increase onΒ port 853, let's discuss DoT.Β Because DoT requires setting up a TLS connection, it was defined as a TCP protocol (where DNS was primarily UDP).Β There was a subsequent RFC 8094 which defined DNS over DTLS which moved this back to UDP, but obviously required more traffic to set up the initual TLS encryption, though once established could then potentially be pretty efficient. I had actually setup DoT on my home (bind9) DNS server just a few weeks ago using stunnel as described in the docs from isc.org, to do some testing, so seeing this increase got my attention (though I hadn't actually opened 853 to the internet, just to my internal network). I haven't setup a netcat listener or honeypot to capture the traffic, but you can see that while there were a couple of brief spikes in the number of targets late last year and then a ramping up starting around the beginning of September, the big jump including new scanners has just ramped up since the beginning of Oct. This first graph is 365 days.
  • October 21st 2019 at 18:20
  • β†—

Testing TLSv1.3 and supported ciphers, (Tue, Oct 22nd)

Few months ago I posted a series (well, actually 2) diaries about testing SSL/TLS configuration – if you missed them, the diaries are available here and here.
  • October 22nd 2019 at 19:36
  • β†—

Your Supply Chain Doesn't End At Receiving: How Do You Decommission Network Equipment?, (Thu, Oct 24th)

Trying to experiment with cutting edge security tools, without breaking the bank, often leads me to used equipment on eBay. High-end enterprise equipment is usually available at a bargain-basement price. For experiments or use in a home/lab network, I am willing to take the risk to receive the occasional "dud," and I usually can do without the support and other perks that come with equipment purchased full price.
  • October 24th 2019 at 05:53
  • β†—

More on DNS Archeology (with PowerShell), (Fri, Oct 25th)

I while back I posted a "part 1" story on DNS and DHCP recon ( https://isc.sans.edu/diary/DNS+and+DHCP+Recon+using+Powershell/20995 ) and recent events have given me some more to share on the topic.
  • October 25th 2019 at 15:13
  • β†—
❌