SANS Internet Storm Center, InfoCON: green

DeepBlueCLI: Powershell Threat Hunting, (Tue, Jan 21st)

January 21st 2020 at 06:13
Happy New Year! Those among you who participated in the SANS Holiday Hack Challenge, also known as Kringlecon 2, this holiday season may have found themselves exposed to new tools or the opportunity to utilize one or two that had not hit your radar prior. Such was the case for me with DeepBlueCLI, a PowerShell module for threat hunting via Windows Event Logs.

Citrix ADC Exploits Update, (Mon, Jan 20th)

January 20th 2020 at 04:21
In today's diary, I am summarizing the current state of attacks exploiting the Citrix ADC vulnerability (CVE-2019-19781), using data from our SANS ISC honeypots. Our first two posts about this topic are here: [1] [2].

Summing up CVE-2020-0601, or the Let's Decrypt vulnerability, (Thu, Jan 16th)

January 16th 2020 at 21:55
The last 24 hours have been extremely interesting – this month's Patch Tuesday by Microsoft brought us 2 very interesting (and critical) vulnerabilities. The first one, the "BlueKeep"-like remote code execution vulnerability in Remote Desktop Gateway (CVE-2020-0609, CVE-2020-0610), has been kind of ignored, although it's really critical … so I guess I'll continue doing that in this diary (but rest assured that we are keeping an eye on the RDG vulnerability as well).

Picks of 2019 malware - the large, the small and the one full of null bytes, (Thu, Jan 16th)

January 16th 2020 at 06:57
Although less than two days have gone by since the latest release of MSFT patches, I find that it would actually be hard to add anything interesting to them that hasn't been discussed before, as the most important vulnerabilities (a couple of RCEs and an interesting vulnerability in CryptoAPI) seemed to be all anyone talked about for the last 24 hours. If you didn't hear anything about it, I suggest you take a look at the ISC coverage of the CryptoAPI vulnerability[1] as well as the Patch Tuesday overview[2]. But for the rest of us, I thought today might be a good day to take a short break from this topic and take a look at what the last year brought us instead.

CVE-2020-0601 Followup, (Wed, Jan 15th)

January 16th 2020 at 02:52
Among the patches Microsoft released yesterday, the vulnerability in the CryptoAPI got by far the most attention. Here are some answers to questions we have received about this vulnerability. Many of these questions also came from our webcast audience (for a recording, see https://sans.org/cryptoapi-isc ). Thanks to Jake Williams for helping us with the webcast!

Microsoft Patch Tuesday for January 2020, (Tue, Jan 14th)

January 14th 2020 at 21:22
[Special Note: we will have a special webcast on this topic at noon ET tomorrow (Wednesday, January 15th). See https://sans.org/cryptoapi-isc ]

Citrix ADC Exploits: Overview of Observed Payloads, (Mon, Jan 13th)

January 13th 2020 at 10:34
If you missed Johannes' diary entry "Citrix ADC Exploits are Public and Heavily Used. Attempts to Install Backdoor" this Saturday, make sure to read it first.

ELK Dashboard and Logstash parser for tcp-honeypot Logs, (Sun, Jan 12th)

January 12th 2020 at 23:51
In my last two diaries, I shared a Pihole parser and dashboard to collect and view its logs in Elastic. In this diary, I'm sharing another parser and dashboard to visualize the data collected by Didier's tcp-honeypot. This is a work in progress. 

Citrix ADC Exploits are Public and Heavily Used. Attempts to Install Backdoor, (Sat, Jan 11th)

January 11th 2020 at 20:52
IMPORTANT UPDATE: CITRIX announced that a patch will be released on January 20th for Citrix ADC 11/12 and 13. Version 10 will have to wait until January 31st.  (https://support.citrix.com/article/CTX267027)

More Data Exfiltration, (Fri, Jan 10th)

January 10th 2020 at 06:38
Yesterday, I posted a quick analysis of a malicious document that exfiltrates data from the compromised computer[1]. Here is another one that also exfiltrates data. The malware is delivered in an ACE archive. This file format remains common in phishing campaigns because the detection rate is lower at email gateways (many of them can't handle the file format). The archive contains a PE file called 'Payment Copy.exe' (SHA256:88a6e2fd417d145b55125338b9f53ed3e16a6b27fae9a3042e187b5aa15d27aa). The payload is unknown on VT at this time.

Quick Analysis of a(nother) Maldoc, (Thu, Jan 9th)

January 9th 2020 at 12:15
Yesterday, one of our readers (thanks David!) submitted to us a malicious document disguised as a UPS invoice. Like David, do not hesitate to share samples with us, we like malware samples! I briefly checked the document. Nothing new: based on a classic macro, it was easy to analyze and I can give you an overview of the infection process and what kind of data can be exfiltrated.

Windows 7 - End of Life, (Thu, Jan 9th)

January 9th 2020 at 02:41
A quick reminder note today for everyone. The Microsoft Windows 7 operating system reaches End of Life on January 14, 2020. [1]

A Quick Update on Scanning for CVE-2019-19781 (Citrix ADC / Gateway Vulnerability), (Tue, Jan 7th)

January 7th 2020 at 13:16
For the last week, I have been monitoring our honeypot logs for evidence of exploits taking advantage of CVE-2019-19781. Currently, I have not seen an actual "exploit" being used. But there is some evidence that people are scanning for vulnerable systems. Based on some of the errors made with these scans, I would not consider them "sophisticated." There is luckily still no public exploit I am aware of. But other sources I consider credible have indicated that they were able to create a code execution exploit.

SNMP service: still opened to the public and still queried by attackers, (Mon, Jan 6th)

January 6th 2020 at 21:05
Simple Network Management Protocol (SNMP) is a UDP service that runs on port 161/UDP. It is used for network management purposes and should be reachable only from known locations using secure channels.

Increase in Number of Sources January 3rd and 4th: spoofed, (Mon, Jan 6th)

January 6th 2020 at 05:05
Justin C alerted me in our Slack channel that GreyNoise, a commercial system similar to DShield, noted a large increase in the number of sources scanning. We do have these "Spikes" from time to time and had one for the last two days. Artifacts are usually not lasting that long, and we also did not have a notable change in the number of submitters. So I took a quick look at the data, and here is what I found:

etl2pcapng: Convert .etl Capture Files To .pcapng Format, (Sun, Jan 5th)

January 5th 2020 at 12:48
Over the holidays, I wanted to look into a packet capture file I created on Windows with a "netsh trace" command. Such an .etl file created with a "netsh trace" command cannot be opened with Wireshark; you have to use Microsoft Message Analyzer.

KringleCon 2019, (Sat, Jan 4th)

January 4th 2020 at 17:26
The SANS Holiday Hack Challenge is an annual, free CTF.

CCPA - Quick Overview, (Fri, Jan 3rd)

January 3rd 2020 at 05:04
It's been quiet lately. Hopefully, it is not a calm before a storm, if you will. I crawled out from under my rock and found that the State of California law that offers new consumer protection went into effect Jan 1, 2020. So I poked around the Interwebs to learn about what to expect. For what it's worth, I am not a resident of California, so I am not particularly entitled to these new protections today. I do think it is a sign of what is coming. Europe implemented the General Data Protection Regulation a couple of years ago. There are more states adopting more consumer protections each year. Let's hope they have enough teeth to have an impact. I took some time to read through the law [1] to highlight it for you. Please note, I am not an attorney, nor do I have any interest in being one. Let's take a look.

Ransomware in Node.js, (Thu, Jan 2nd)

January 2nd 2020 at 08:09
Happy new year to all! I hope that you enjoyed the switch to 2020! From a security point of view, nothing changed and malicious code never stops trying to abuse our resources, even during the holiday season. Here is a sample that I spotted two days ago. It's an interesting one because it's a malware that implements ransomware features developed in Node.js[1]! Stage one is not obfuscated and I suspect the script to be a prototype or a test… It has been submitted to VT from Bahrain (SHA256:90acae3f682f01864e49c756bc9d46f153fcc4a7e703fd1723a8aa7ec01b378c) and currently has a score of 12/58[2].

"Nim httpclient/1.0.4", (Wed, Jan 1st)

January 1st 2020 at 18:12
"Nim httpclient/1.0.4" is the default User Agent string of the httpClient module of the Nim programming language (stable release).

Some Thoughts About the Critical Citrix ADC/Gateway Vulnerability (CVE-2019-19781), (Tue, Dec 31st)

December 31st 2019 at 18:52
[A recording of our special webcast will be available soon. [Download PPT Files]]

Miscellaneous Updates to our "Threatfeed" API, (Mon, Dec 30th)

December 30th 2019 at 01:22
Much of the data offered by us is available via our API [1]. A popular feature of our API is our "threat feeds." We use them to distribute lists of IP addresses and hostnames that you may want to block. In particular, our feeds of mining pool IPs and hosts used by Shodan are popular. This weekend, I added a feed for Onyphe [2]. Onyphe is comparable to Shodan, and I do see a lot of scans from them lately, which is why I added the feed. While I was messing with the API, I also added the ability to retrieve hostnames in addition to IP addresses.

ELK Dashboard for Pihole Logs, (Sun, Dec 29th)

December 29th 2019 at 19:48
In my last Pihole diary, I shared a Pihole parser to collect its logs and store them in Elastic. In this diary, I'm sharing a dashboard to visualize the Pihole DNS data. Here is some of the output from the dashboard.

Corrupt Office Documents, (Sat, Dec 28th)

December 28th 2019 at 17:38
My tool to analyze CFBF files, oledump.py, is not only used to analyze malicious Office documents.

Enumerating office365 users, (Fri, Dec 27th)

December 27th 2019 at 19:19
I found a pretty strange request in a University Firewall being sent over and over:

Bypassing UAC to Install a Cryptominer, (Thu, Dec 26th)

December 26th 2019 at 07:53
First of all, Merry Christmas to all our readers! I hope you're enjoying the break with your family and friends! Even if everything slows down in this period, there is always malicious activity ongoing. I found a small PowerShell script that looked interesting for a quick diary. First of all, it has a VT score of 2/60[1]. It installs a cryptominer and its most interesting feature is the use of a classic technique to bypass UAC[2].

Merry Christmas!, (Wed, Dec 25th)

December 25th 2019 at 22:18
We wish you and your families a merry Christmas!

Timely acquisition of network traffic evidence in the middle of an incident response procedure, (Wed, Dec 25th)

December 25th 2019 at 22:15
The acquisition of evidence is one of the procedures that always brings controversy in incident management. We must answer questions such as:

New oledump.py plugin: plugin_version_vba, (Mon, Dec 23rd)

December 23rd 2019 at 17:43
In diary entry "VBA Office Document: Which Version?", I explain how to identify the Office version that was used to create a document with VBA macros.

Extracting VBA Macros From .DWG Files, (Sun, Dec 22nd)

December 22nd 2019 at 11:01
I updated my oledump.py tool to help with the analysis of files that embed OLE files, like AutoCAD's .dwg files with VBA macros.

Wireshark 3.2.0 Released, (Sat, Dec 21st)

December 21st 2019 at 09:57
Wireshark version 3.2.0 was released, with many improvements.

More DNS over HTTPS: Become One With the Packet. Be the Query. See the Query, (Thu, Dec 19th)

December 19th 2019 at 16:38
Two days ago, I wrote about how to profile traffic to recognize DNS over HTTPS. This is kind of a problem for DNS over HTTPS. If you can see it, you may be able to block it. On Twitter, a few chimed in to provide feedback about recognizing DNS over HTTPS. I checked a couple of other clients, and well, didn't have a ton of time so this is still very preliminary:

Is it Possible to Identify DNS over HTTPs Without Decrypting TLS?, (Tue, Dec 17th)

December 17th 2019 at 03:47
Whenever I talk about DNS over HTTPS (DoH), the question comes up if it is possible to fingerprint DoH traffic without decrypting it. The idea is that something about DoH packets is different enough to identify them.

Malicious .DWG Files?, (Mon, Dec 16th)

December 16th 2019 at 01:21
This weekend, I took a look at AutoCAD drawing files (.dwg) with embedded VBA macros.

VirusTotal Email Submissions, (Sun, Dec 15th)

December 15th 2019 at 12:13
I think it's a good idea to highlight VirusTotal's Email Submission feature, as I recently had to point this out to a couple of people.

(Lazy) Sunday Maldoc Analysis: A Bit More ..., (Sat, Dec 14th)

December 14th 2019 at 20:08
At the end of my diary entry "(Lazy) Sunday Maldoc Analysis", I wrote that there was something unusual about this document.