FreshRSS

SANS Internet Storm Center, InfoCON: green


Video: Stego & Cryptominers, (Sun, Feb 2nd)

February 2nd 2020 at 13:27
A couple of months ago, I read a blog post about malware, cryptominers and WAV file steganography: malware authors are concealing cryptominers in sound files (WAV) using steganography. Each bit of the cryptominer executable is stored as the least-significant bit of each Pulse Code Modulation value (16-bit values in this example).

Wireshark 3.2.1 Released, (Sat, Feb 1st)

February 1st 2020 at 11:31
Wireshark version 3.2.1 was released.

Network Security Perspective on Coronavirus Preparedness, (Mon, Jan 27th)

January 27th 2020 at 17:31
With the new Coronavirus outbreak starting to dominate the news, I want to go over some cybersecurity effects of a disease like this that you should prepare for.

Is Threat Hunting the new Fad?, (Sat, Jan 25th)

January 26th 2020 at 12:08
Over the past two years a lot of articles, processes, techniques and tools have been published on how to do Threat Hunting. I have been following the trend with great interest whether it be which process works best, methods and procedures to follow and adapt to your environment, and finally logs or tools that can help the hunt.

Complex Obfuscation VS Simple Trick, (Thu, Jan 23rd)

January 23rd 2020 at 07:25
Today, I would like to make a comparison between two techniques applied to malicious code to try to bypass AV detection.

DeepBlueCLI: Powershell Threat Hunting, (Tue, Jan 21st)

January 21st 2020 at 06:13
Happy New Year! Those among you who participated in the SANS Holiday Hack Challenge, also known as Kringlecon 2, this holiday season may have found themselves exposed to new tools or the opportunity to utilize one or two that had not hit your radar prior. Such was the case for me with DeepBlueCLI, a PowerShell module for threat hunting via Windows Event Logs.

Citrix ADC Exploits Update, (Mon, Jan 20th)

January 20th 2020 at 04:21
In today's diary, I am summarizing the current state of attacks exploiting the Citrix ADC vulnerability (CVE-2019-19781), using data from our SANS ISC honeypots. Our first two posts about this topic are here: [1] [2].

Summing up CVE-2020-0601, or the Let's Decrypt vulnerability, (Thu, Jan 16th)

January 16th 2020 at 21:55
The last 24 hours have been extremely interesting: this month's Patch Tuesday by Microsoft brought us 2 very interesting (and critical) vulnerabilities. The first one, the "BlueKeep"-like remote code execution vulnerability in Remote Desktop Gateway (CVE-2020-0609, CVE-2020-0610), has been kind of ignored, although it's really critical … so I guess I'll continue doing that in this diary (but rest assured that we are keeping an eye on the RDG vulnerability as well).

Picks of 2019 malware - the large, the small and the one full of null bytes, (Thu, Jan 16th)

January 16th 2020 at 06:57
Although less than two days have gone by since the latest release of MSFT patches, I find that it would actually be hard to add anything interesting to them that hasn't been discussed before, as the most important vulnerabilities (a couple of RCEs and an interesting vulnerability in CryptoAPI) seemed to be all anyone talked about for the last 24 hours. If you didn't hear anything about it, I suggest you take a look at the ISC coverage of the CryptoAPI vulnerability[1] as well as the Patch Tuesday overview[2]. But for the rest of us, I thought today might be a good day to take a short break from this topic and take a look at what the last year brought us instead.

CVE-2020-0601 Followup, (Wed, Jan 15th)

January 16th 2020 at 02:52
Among the patches Microsoft released yesterday, the vulnerability in the CryptoAPI got by far the most attention. Here are some answers to questions we have received about this vulnerability. Many of these questions also came from our webcast audience (for a recording, see https://sans.org/cryptoapi-isc ) Thanks to Jake Williams for helping us with the webcast!

Microsoft Patch Tuesday for January 2020, (Tue, Jan 14th)

January 14th 2020 at 21:22
[Special Note: we will have a special webcast on this topic at noon ET tomorrow (Wednesday, January 15th). See https://sans.org/cryptoapi-isc ]

Citrix ADC Exploits: Overview of Observed Payloads, (Mon, Jan 13th)

January 13th 2020 at 10:34
If you missed Johannes' diary entry "Citrix ADC Exploits are Public and Heavily Used. Attempts to Install Backdoor" this Saturday, make sure to read it first.

ELK Dashboard and Logstash parser for tcp-honeypot Logs, (Sun, Jan 12th)

January 12th 2020 at 23:51
In my last two diaries, I shared a Pihole parser and dashboard to collect and view its logs in Elastic. In this diary, I'm sharing another parser and dashboard to visualize the data collected by Didier's tcp-honeypot. This is a work in progress.

Citrix ADC Exploits are Public and Heavily Used. Attempts to Install Backdoor, (Sat, Jan 11th)

January 11th 2020 at 20:52
IMPORTANT UPDATE: CITRIX announced that a patch will be released on January 20th for Citrix ADC 11/12 and 13. Version 10 will have to wait until January 31st. (https://support.citrix.com/article/CTX267027)

More Data Exfiltration, (Fri, Jan 10th)

January 10th 2020 at 06:38
Yesterday, I posted a quick analysis of a malicious document that exfiltrates data from the compromised computer[1]. Here is another one I found that also exfiltrates data. The malware is delivered in an ACE archive. This file format remains common in phishing campaigns because the detection rate is lower at email gateways (many of them can't handle the file format). The archive contains a PE file called 'Payment Copy.exe' (SHA256:88a6e2fd417d145b55125338b9f53ed3e16a6b27fae9a3042e187b5aa15d27aa). The payload is unknown on VT at this time.

Quick Analysis of a(nother) Maldoc, (Thu, Jan 9th)

January 9th 2020 at 12:15
Yesterday, one of our readers (thanks David!) submitted to us a malicious document disguised as a UPS invoice. Like David, do not hesitate to share samples with us, we like malware samples! I briefly checked the document. Nothing new: based on a classic macro, it was easy to analyze and I can give you an overview of the infection process and what kind of data can be exfiltrated.

Windows 7 - End of Life, (Thu, Jan 9th)

January 9th 2020 at 02:41
A quick reminder note today for everyone. The Microsoft Windows 7 operating system reaches End of Life on January 14, 2020. [1]

A Quick Update on Scanning for CVE-2019-19781 (Citrix ADC / Gateway Vulnerability), (Tue, Jan 7th)

January 7th 2020 at 13:16
For the last week, I have been monitoring our honeypot logs for evidence of exploits taking advantage of CVE-2019-19781. Currently, I have not seen an actual "exploit" being used. But there is some evidence that people are scanning for vulnerable systems. Based on some of the errors made with these scans, I would not consider them "sophisticated." There is luckily still no public exploit I am aware of. But other sources I consider credible have indicated that they were able to create a code execution exploit.

SNMP service: still opened to the public and still queried by attackers, (Mon, Jan 6th)

January 6th 2020 at 21:05
Simple Network Management Protocol (SNMP) is a UDP service that runs on port 161/UDP. It is used for network management purposes and should be reachable only from known locations using secure channels.

Increase in Number of Sources January 3rd and 4th: spoofed, (Mon, Jan 6th)

January 6th 2020 at 05:05
Justin C alerted me in our Slack channel that GreyNoise, a commercial system similar to DShield, noted a large increase in the number of sources scanning. We do have these "Spikes" from time to time and had one for the last two days. Artifacts are usually not lasting that long, and we also did not have a notable change in the number of submitters. So I took a quick look at the data, and here is what I found:

etl2pcapng: Convert .etl Capture Files To .pcapng Format, (Sun, Jan 5th)

January 5th 2020 at 12:48
Over the holidays, I wanted to look into a packet capture file I created on Windows with a "netsh trace" command. Such an .etl file created with a "netsh trace" command cannot be opened with Wireshark; you have to use Microsoft Message Analyzer.

KringleCon 2019, (Sat, Jan 4th)

January 4th 2020 at 17:26
The SANS Holiday Hack Challenge is an annual, free CTF.

CCPA - Quick Overview, (Fri, Jan 3rd)

January 3rd 2020 at 05:04
It's been quiet lately. Hopefully, it is not the calm before a storm, if you will. I crawled out from under my rock and found that the State of California law that offers new consumer protection went into effect Jan 1, 2020. So I poked around the Interwebs to learn about what to expect. For what it's worth, I am not a resident of California, so I am not particularly entitled to these new protections today. I do think it is a sign of what is coming. Europe implemented the General Data Protection Regulation a couple of years ago. There are more states adopting more consumer protections each year. Let's hope they have enough teeth to have an impact. I took some time to read through the law [1] to highlight it for you. Please note, I am not an attorney, nor do I have any interest in being one. Let's take a look.

Ransomware in Node.js, (Thu, Jan 2nd)

January 2nd 2020 at 08:09
Happy new year to all! I hope that you enjoyed the switch to 2020! From a security point of view, nothing changed and malicious code never stops trying to abuse our resources, even during the holiday season. Here is a sample that I spotted two days ago. It's an interesting one because it's a malware that implements ransomware features developed in Node.js[1]! Stage one is not obfuscated and I suspect the script to be a prototype or a test… It has been submitted to VT from Bahrain (SHA256:90acae3f682f01864e49c756bc9d46f153fcc4a7e703fd1723a8aa7ec01b378c) and currently has a score of 12/58[2].

"Nim httpclient/1.0.4", (Wed, Jan 1st)

January 1st 2020 at 18:12
"Nim httpclient/1.0.4" is the default User Agent string of the httpClient module of the Nim programming language (stable release).

Some Thoughts About the Critical Citrix ADC/Gateway Vulnerability (CVE-2019-19781), (Tue, Dec 31st)

December 31st 2019 at 18:52
[A recording of our special webcast will be available soon. [Download PPT Files]]

Miscellaneous Updates to our "Threatfeed" API, (Mon, Dec 30th)

December 30th 2019 at 01:22
Much of the data offered by us is available via our API [1]. A popular feature of our API is our "threat feeds." We use them to distribute lists of IP addresses and hostnames that you may want to block. In particular, our feeds of mining pool IPs and hosts used by Shodan are popular. This weekend, I added a feed for Onyphe [2]. Onyphe is comparable to Shodan, and I do see a lot of scans from them lately, which is why I added the feed. While I was messing with the API, I also added the ability to retrieve hostnames in addition to IP addresses.

ELK Dashboard for Pihole Logs, (Sun, Dec 29th)

December 29th 2019 at 19:48
In my last Pihole diary, I shared a Pihole parser to collect its logs and store them in Elastic. In this diary, I'm sharing a dashboard to visualize the Pihole DNS data. Here is some of the output from the dashboard.

Corrupt Office Documents, (Sat, Dec 28th)

December 28th 2019 at 17:38
My tool to analyze CFBF files, oledump.py, is not only used to analyze malicious Office documents.

Enumerating office365 users, (Fri, Dec 27th)

December 27th 2019 at 19:19
I found a pretty strange request in a university firewall being sent over and over:

Bypassing UAC to Install a Cryptominer, (Thu, Dec 26th)

December 26th 2019 at 07:53
First of all, Merry Christmas to all our readers! I hope you're enjoying the break with your family and friends! Even if everything slows down in this period, there is always malicious activity ongoing. I found a small PowerShell script that looked interesting for a quick diary. First of all, it has a VT score of 2/60[1]. It installs a cryptominer and its most interesting feature is the use of a classic technique to bypass UAC[2].