FreshRSS

πŸ”’
β–³ πŸ”ƒ
☐ β˜† βœ‡ SANS Internet Storm Center, InfoCON: green

Scanning Activity for NVMS-9000 Digital Video Recorder, (Sun, Oct 20th)

October 20th 2019 at 23:35
Since the beginning of October, my honeypot has been capturing numerous scans for DVR model NVMS-9000 which a PoC was released last year describing a "Stack Overflow in Base64 Authorization"[1].
☐ β˜† βœ‡ SANS Internet Storm Center, InfoCON: green

What Assumptions Are You Making?, (Sat, Oct 19th)

October 19th 2019 at 13:10
If my security agents were not working correctly, then I would get an alert. Since no one said there is a problem with my security agents, then everything must be ok with them. These are just a couple of the assumptions that we make as cybersecurity practitioners each day about the security agents that serve to protect our respective organizations. While it is preferable to think that everything is ok, it is much better to validate that assumption regularly.Β 
☐ β˜† βœ‡ SANS Internet Storm Center, InfoCON: green

Quick Malicious VBS Analysis, (Fri, Oct 18th)

October 18th 2019 at 06:25
Let’s have a look at a VBS sample found yesterday. It started as usual with a phishing email that contained a link to a malicious ZIP archive. This techniqueΒ is more and more common to deliver the first stage via a URL because it reduces the risk to have the first file blocked by classic security controls. The link was:
☐ β˜† βœ‡ SANS Internet Storm Center, InfoCON: green

Phishing e-mail spoofing SPF-enabled domain, (Thu, Oct 17th)

October 17th 2019 at 09:54
On Monday, I found what looked like a run-of-the-mill phishing e-mail in my malware quarantine. The "hook" it used was quite a common one – it was a fake DHL delivery notification inserted as an image into the body of the e-mail in an attempt to make user open its attachments.
☐ β˜† βœ‡ SANS Internet Storm Center, InfoCON: green

When MacOS Catalina Comes to Life: The First Few Minutes of Network Traffic From MacOS 10.15., (Mon, Oct 14th)

October 16th 2019 at 22:43
This post is continuing a series I started in April about network traffic from Windows 10. When dealing with network traffic, it is always good to know what is normal. As part of this series, I will investigate the first few minutes of network traffic from current operating systems. With macOS 10.15 Catalina just being released, I figured this might be an excellent next operating system to investigate.
☐ β˜† βœ‡ SANS Internet Storm Center, InfoCON: green

Security Monitoring: At Network or Host Level?, (Wed, Oct 16th)

October 16th 2019 at 09:39
Today, to reach a decent security maturity, the keyword remains "visibility". There is nothing more frustrating than being blind about what's happening on a network or starting an investigation without any data (logs, events) to process. The question is: how to efficiently keep an eye on what's happening on your network? There are three key locations to collect data:
☐ β˜† βœ‡ SANS Internet Storm Center, InfoCON: green

YARA's XOR Modifier, (Mon, Oct 14th)

October 14th 2019 at 18:21
YARA searches for strings inside files. Strings to search for are defined with YARA rules.
☐ β˜† βœ‡ SANS Internet Storm Center, InfoCON: green

YARA v3.11.0 released, (Sat, Oct 12th)

October 12th 2019 at 21:16
A new version of YARA was released: v3.11.0.
☐ β˜† βœ‡ SANS Internet Storm Center, InfoCON: green

Mining Live Networks for OUI Data Oddness, (Thu, Oct 10th)

October 10th 2019 at 12:40
My last story was a short script that takes MAC addresses in, and returns the OUI portion of that, along with the vendor who corresponds to that OUI.Β  (https://isc.sans.edu/diary/Mining+MAC+Address+and+OUI+Information/25360) Today we'll port that to PowerShell as a function and use that on a live network for some "hunting" to look for odd things.
☐ β˜† βœ‡ SANS Internet Storm Center, InfoCON: green

Microsoft October 2019 Patch Tuesday, (Tue, Oct 8th)

October 8th 2019 at 17:58
This month we got patches for 59 vulnerabilities total.Β None of them have been previously disclosed nor are being exploited according to Microsoft.Β 
☐ β˜† βœ‡ SANS Internet Storm Center, InfoCON: green

visNetwork for Network Data, (Sun, Oct 6th)

October 6th 2019 at 00:55
DFIR Redefined Part 3 - Deeper Functionality for Investigators with R series continued
☐ β˜† βœ‡ SANS Internet Storm Center, InfoCON: green

Buffer overflows found in libpcap and tcpdump, (Thu, Oct 3rd)

October 4th 2019 at 05:27
It is always a bit worrisome when vulnerabilities are found in our favorite tools, but our tools are software like any other software and can have bugs, too. One of the feeds I have in my RSS reader is NIST National Vulnerability Database (NVD) feed. Earlier today, I noticed a bunch of CVEs show up there for libpcap and tcpdump. I hadn't noticed any major announcements of new versions or any automatic updates of those tools on any of my linux boxes, so I decided to head straight to the source, www.tcpdump.org. It turns out, there were new versions of both libpcap (new version is 1.9.1) and tcpdump (version 4.9.3) released on Monday. And, there under latest releases, it notes that this release "addresses a large number of vulnerabilities." It should also be noted, this is the first release in over 2 years. Quite of few of the vulnerabilities have CVEs dating from 2018. In all, this update addresses 33 CVEs. Hopefully, the major linux distros will roll out updates over the next few days or weeks. I haven't seen any indication that folks have tried to craft traffic to exploit any of these vulnerabilities, but that is always a concern when a tool like tcpdump or wireshark or the like has buffer overflows in their protocol parsers/decoders/dissectors. So, if you use tcpdump and/or any libpcap-based tools in your toolbox for network monitoring or network forensics, be on the lookout for updates from your linux distro or tool vendor or just go ahead and build your own copy from source.
☐ β˜† βœ‡ SANS Internet Storm Center, InfoCON: green

"Lost_Files" Ransomware, (Thu, Oct 3rd)

October 3rd 2019 at 06:06
Are good old malware still used by attackers today? Probably not running the original code but malware developers are… developers!Β They don’t reinvent the wheel and re-use code published here and there. I spotted aΒ ransomware which looked like an old one.
☐ β˜† βœ‡ SANS Internet Storm Center, InfoCON: green

A recent example of Emotet malspam, (Wed, Oct 2nd)

October 2nd 2019 at 02:37
Shown below is an example of malicious spam (malspam) pushing Emotet malware.Β  It has an attached Word document with macros designed to install Emotet on a vulnerable Windows host.
☐ β˜† βœ‡ SANS Internet Storm Center, InfoCON: green

A Quick Look at Some Current Comment Spam, (Tue, Oct 1st)

October 1st 2019 at 17:25
As pretty much everybody else allowing comments, our site is getting its fair share of spam. Over the years, we implemented a number of countermeasures, so it is always interesting to see what makes it past these countermeasures. There are a number of recurring themes when it comes to spam:
☐ β˜† βœ‡ SANS Internet Storm Center, InfoCON: green


Maldoc, PowerShell & BITS, (Mon, Sep 30th)

September 30th 2019 at 18:36
The sample we analyze today is a malicious Office document, using PowerShell to download its payload via BITS.
☐ β˜† βœ‡ SANS Internet Storm Center, InfoCON: green

Encrypted Maldoc, Wrong Password, (Sun, Sep 29th)

September 29th 2019 at 21:52
Reader Chad submitted a malicious Office document, delivered as an email attachment. The maldoc was encrypted, and the password was mentioned in the email: PETROFAC.
☐ β˜† βœ‡ SANS Internet Storm Center, InfoCON: green

New Scans for Polycom Autoconfiguration Files, (Fri, Sep 27th)

September 27th 2019 at 07:13
One of my honeypots detected aΒ nice scanΒ yesterday. A bot was looking for Polycom master provisioning files. SuchΒ files areΒ called by default '000000000000.cfg’ and containΒ interesting information to perform provisioning ofΒ VoIP phones. Normally, this file is renamed with the MAC address of the phone (ex: a1b2c3d4e5f6.cfg) but the name can be left intact and, if the phone can’t find his own MAC address-basedΒ configuration, it will pull the default file.
☐ β˜† βœ‡ SANS Internet Storm Center, InfoCON: green

Vulnerability on specific Cisco Industrial / Grid router models, (Thu, Sep 26th)

September 26th 2019 at 17:07
Our reader Marc reports a vulnerability posted by Cisco yesterday: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-ios-gos-auth
☐ β˜† βœ‡ SANS Internet Storm Center, InfoCON: green

Mining MAC Address and OUI Information, (Thu, Sep 26th)

September 26th 2019 at 16:29
So often when we're working an incident on the network side, we quickly end up at Layer 2, working with MAC Addresses.
☐ β˜† βœ‡ SANS Internet Storm Center, InfoCON: green

Huge Amount of remotewebaccess.com Sites Found in Certificate Transparency Logs, (Tue, Sep 24th)

September 24th 2019 at 07:45
I'm keeping an eye on the certificate transparency logs[1] using automated scripts. The goal is to track domain names (and their variations) of my customers,Β sensitive services in Belgium, key Internet players and some interesting keywords. Yesterday I detected a peak of events related to the domain 'remotewebaccess.com'. This domain, owned by Microsoft, is used to provide temporary remote access to Windows computers[2]. Microsoft allows you to use your own domain but provides also (for more convenience?) a list of available domains. Once configured, you are able to access the computer from a browser:
☐ β˜† βœ‡ SANS Internet Storm Center, InfoCON: green

YARA XOR Strings: an Update, (Sun, Sep 22nd)

September 23rd 2019 at 06:31
Almost a year ago, I reported on a new feature in YARA version 3.8.0: YARA XOR Strings. The new YARA xor keyword allows for the search of strings that are XOR-encoded with a one-byte key.
☐ β˜† βœ‡ SANS Internet Storm Center, InfoCON: green

Video: Encrypted Sextortion PDFs, (Sun, Sep 22nd)

September 22nd 2019 at 18:14
In this video, I show how to use my PDF tools together with QPDF and Poppler to deal with encrypted PDFs, like the sextortion PDFs that were submitted recently.
☐ β˜† βœ‡ SANS Internet Storm Center, InfoCON: green

Blacklisting or Whitelisting in the Right Way, (Thu, Sep 19th)

September 20th 2019 at 07:41
It's Friday today, I'd like to talk about something else. Black (or white) lists are everywhere today. Many security tools implement a way to allow/deny accesses or actions on resources based on "lists" bsides the automated processing of data. The approach to implement them is quite different:
☐ β˜† βœ‡ SANS Internet Storm Center, InfoCON: green

Agent Tesla Trojan Abusing Corporate Email Accounts, (Thu, Sep 19th)

September 19th 2019 at 06:47
The trojan 'Agent Tesla'Β is not brand new, discovered in 2018, it is written in VisualBasic and has plenty of interesting features. Just have a look at the MITRE ATT&CK overview of its TTP[1].
❌