SANS Internet Storm Center, InfoCON: green

Secure vs. cleartext protocols - couple of interesting stats, (Mon, Mar 2nd)

March 2nd 2020 at 06:08
For a very long time, there has been a strong effort aimed toward moving all potentially sensitive network-based communications from unencrypted protocols to the secure and encrypted ones. And with the recently released APWG report noting that 74% of phishing sites used HTTPS in the last quarter of 2019[1] and Apple’s supposed plan to start supporting only TLS certificates with no more than one year period of validity[2], I thought that this might be a good time to take a look at the current protocol landscape on the internet. Specifically at how the support for protocols, which offer cryptographic protection to data in transit, has changed in relation to support of cleartext protocols in the last months.

Hazelcast IMDG Discover Scan, (Sat, Feb 29th)

February 29th 2020 at 18:04
Today my honeypot has been capturing scans for the Hazelcast REST API. I checked my logs for the past 2 years and these only started today. The last vulnerability published for Hazelcast was CVE-2018-10654 and related to "There is a Hazelcast Library Java Deserialization Vulnerability in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3."[3]

Show me Your Clipboard Data!, (Fri, Feb 28th)

February 28th 2020 at 06:11
Yesterday I've read an article[1] about the clipboard on iPhones and how it can disclose sensitive information about the device owner. At the end of the article, the author gave a reference to an iPhone app[2] that discloses the metadata of pictures copied to the clipboard (like the GPS coordinates).

Offensive Tools Are For Blue Teams Too, (Thu, Feb 27th)

February 27th 2020 at 06:46
Many offensive tools can be very useful for defenders too. Indeed, if they can help to gather more visibility about the environment that must be protected, why not use them? The more information you get, the more proactive you can be, and visibility is key. A good example is the combination of a certificate transparency list[1] with a domain monitoring tool like Dnstwist[2]: you could spot domains that have been registered and associated with an SSL certificate. It's a good indicator that an attack is being prepared (like a phishing campaign).

Quick look at a couple of current online scam campaigns, (Tue, Feb 25th)

February 25th 2020 at 06:16
Since I was exposed to three different online scam campaigns in the last three weeks, without having to go out and search for them, I thought that today might be a good time to take a look at how some of the current online scams work.

Maldoc: Excel 4 Macros and VBA, Devil and Angel?, (Mon, Feb 24th)

February 24th 2020 at 18:44
Philippe Lagadec, the developer of ole-tools, pointed out something interesting about the following maldoc sample (MD5 a0457c2728923cb46e6d9797fe7d81dd): it contains both Excel 4 macros and VBA code.

Maldoc: Excel 4 Macros in OOXML Format, (Sun, Feb 23rd)

February 23rd 2020 at 21:54
I've mentioned Excel 4 macros before, a scripting technology that predates VBA.

Simple but Efficient VBScript Obfuscation, (Sat, Feb 22nd)

February 22nd 2020 at 12:28
Today, it’s easy to guess if a piece of code is malicious or not. Many security solutions automatically detonate it into a sandbox. This remains quick and (most of the time still) efficient to have a first idea about the code behaviour. In parallel, many obfuscation techniques exist to avoid detection by AV products and/or make the life of malware analysts more difficult. Personally, I like to find new techniques and discover how imaginative malware developers can be to implement new obfuscation techniques.

Quick Analysis of an Encrypted Compound Document Format, (Fri, Feb 21st)

February 21st 2020 at 07:11
We like when our readers share interesting samples! Even if we have our own sources to hunt for malicious content, it’s always interesting to get fresh meat from third parties. Robert shared an interesting Microsoft Word document that I quickly analysed. Thanks to him!

Whodat? Enumerating Who "owns" a Workstation for IR, (Thu, Feb 20th)

February 20th 2020 at 16:24
Eventually in almost every incident response situation, you have to start contacting the actual people who sit at the keyboard of affected stations. Often you'll want them to step back from the keyboard or logout, for either remote forensics data collection or for remediation. Or in the worst case, if you don't have remote re-imaging working in your shop, to either ship their station back to home base for re-imaging or to arrange a local resource to re-image the machine the hard way.

Discovering contents of folders in Windows without permissions, (Tue, Feb 18th)

February 18th 2020 at 06:17
I recently noticed an interesting side effect of the way in which Windows handles local file permissions, which makes it possible for a non-privileged user to brute-force contents of a folder for which they don’t have read access (e.g. Read or List folder contents) permissions. It is possible that it is a known technique, however as I didn’t find any write-ups on it anywhere, I thought I’d share it here.

curl and SSPI, (Mon, Feb 17th)

February 17th 2020 at 18:09
There's an interesting comment on Xavier's diary entry "Keep an Eye on Command-Line Browsers" (paraphrasing): a proxy with authentication will prevent wget and curl from accessing the Internet because they don't do integrated authentication.

SOAR or not to SOAR?, (Sun, Feb 16th)

February 16th 2020 at 17:22
Security, Orchestration, Automation and Response (SOAR) allow organizations to collect data about security threats from multiple sources to automate an appropriate response on repetitive tasks. As an analyst you need to juggle and pivot several times a day between multiple tools and devices to evaluate a huge amount of information and deal with a flood of repetitive tasks such as alerts, tickets, email, threat intelligence data, etc. The end goal is to centralize everything in one location to improve analysis using captured institutionalized knowledge.

bsdtar on Windows 10, (Sat, Feb 15th)

February 15th 2020 at 19:23
Reading Xavier's diary entry "Keep an Eye on Command-Line Browsers", I wondered when exactly curl was introduced in Windows 10?

Keep an Eye on Command-Line Browsers, (Fri, Feb 14th)

February 14th 2020 at 06:26
For a few weeks, I've been searching for suspicious files that make use of a command line browser like curl.exe or wget.exe in a Windows environment. Wait, you were not aware of this? Just open a cmd.exe and type 'curl.exe' on your Windows 10 host:

Auth-mageddon deferred (but not averted), Microsoft LDAP Changes now slated for Q3Q4 2020, (Thu, Feb 13th)

February 13th 2020 at 13:47
Good news, sort of: Microsoft has deferred their March changes to LDAP, citing the Christmas change freeze that most sensible organizations implement as their reason:

March Patch Tuesday is Coming - the LDAP Changes will Change Your Life!, (Wed, Feb 12th)

February 13th 2020 at 01:21
Next month Microsoft will be changing the default behaviour for LDAP - Cleartext, unsigned LDAP queries against AD (over port 389) will be disabled by default - https://support.microsoft.com/en-gb/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows . You'll still be able to override that using registry keys or group policy, but the best advice is to configure all LDAP clients to use encrypted, signed LDAPS queries (over port 636).

Current PayPal phishing campaign or "give me all your personal information", (Mon, Feb 10th)

February 10th 2020 at 08:27
One of my colleagues sent me a new PayPal phishing e-mail today. Although it was fairly usual, as phishing e-mails go, since the campaign is still active and since it shows the current "let’s take all that we can get" mentality of the attackers quite well, I thought it was worth a short diary.

Sandbox Detection Tricks & Nice Obfuscation in a Single VBScript , (Fri, Feb 7th)

February 7th 2020 at 07:40
I found an interesting VBScript sample that is a perfect textbook case for training or learning purposes. It implements a nice obfuscation technique as well as many classic sandbox detection mechanisms. The script is a dropper: it extracts from its code a DLL that will be loaded if the script is running outside of a sandbox. Its current VT score is 25/57 (SHA256: 29d3955048f21411a869d87fb8dc2b22ff6b6609dd2d95b7ae8d269da7c8cc3d)[1].

Analysis of a triple-encrypted AZORult downloader, (Mon, Feb 3rd)

February 3rd 2020 at 07:07
I recently came across an interesting malicious document. Distributed as an attachment of a run-of-the-mill malspam message, the file with a DOC extension didn’t look like anything special at first glance. However, although it does use macros as one might expect, in the end, it turned out not to be the usual simple maldoc as the following chart indicates.

Video: Stego & Cryptominers, (Sun, Feb 2nd)

February 2nd 2020 at 13:27
A couple of months ago, I read a blog post about malware, cryptominers and WAV file steganography: malware authors are concealing cryptominers in sound files (WAV) using steganography. Each bit of the cryptominer executable is stored as the least-significant bit of each Pulse Code Modulation value (16-bit values in this example).

Wireshark 3.2.1 Released, (Sat, Feb 1st)

February 1st 2020 at 11:31
Wireshark version 3.2.1 was released.

Network Security Perspective on Coronavirus Preparedness, (Mon, Jan 27th)

January 27th 2020 at 17:31
With the new Coronavirus outbreak starting to dominate the news, I want to go over some cybersecurity effects of a disease like this that you should prepare for.

Is Threat Hunting the new Fad?, (Sat, Jan 25th)

January 26th 2020 at 12:08
Over the past two years a lot of articles, processes, techniques and tools have been published on how to do Threat Hunting. I have been following the trend with great interest whether it be which process works best, methods and procedures to follow and adapt to your environment, and finally logs or tools that can help the hunt.