SANS Internet Storm Center, InfoCON: green

A Quick Summary of Current Reflective DNS DDoS Attacks, (Tue, Mar 17th)

March 17th 2020 at 15:25
DNS is still a popular protocol to amplify denial of service attacks. A rather small DNS query, sent to an open recursive resolver, can be used to trigger a large response. Over the last few years, DNS servers implemented many countermeasures to make it more difficult to launch these attacks and easier to mitigate them. It also has become easier (but not trivial) to defend against these attacks. But in the end, you still have to "buy your way out" of a denial of service attack. For smaller organizations, even an average attack can be devastating.

Desktop.ini as a post-exploitation tool, (Mon, Mar 16th)

March 16th 2020 at 07:15
Desktop.ini files have been part of Windows operating systems for a long time. They provide users with the option to customize the appearance of specific folders in File Explorer, such as changing their icons[1]. That is not all they are good for, however.

VPN Access and Activity Monitoring, (Sun, Mar 15th)

March 15th 2020 at 22:39
Because most individuals are going to have to work remotely from home, the activity that should be scrutinized over the coming weeks would be ports associated with VPN like OpenVPN (1194) or SSL VPN (TCP/UDP 443, IPsec/IKEv2 UDP 500/4500) with their associated logs to ensure these services are accessed by the right individuals and are not abused, exploited or compromised. It will be very important that the VPN service is patched and up-to-date because there will be way more scrutiny (scanning) against these services. Capturing metrics about performance and availability will be very important to ensure mission critical systems and applications can be accessed to avoid downtime.

Phishing PDF With Incremental Updates., (Sat, Mar 14th)

March 14th 2020 at 21:54
Someone asked me for help with this phishing PDF.

VMware Patches for Bugs in DHCP Service (Workstation, Fusion, Horizon, VMRC), (Fri, Mar 13th)

March 13th 2020 at 11:39
VMware Security Advisory VMSA-2020-0004 ( https://www.vmware.com/security/advisories/VMSA-2020-0004.html ) outlines a fix for a use-after-free bug in vmnetdhcp that allows guests to execute code in the host. Affected platforms are: VMware Workstation Pro / Player, VMware Fusion Pro / Fusion, VMware Horizon Client for Windows, VMware Remote Console for Windows (VMRC for Windows)

Not all Ethernet NICs are Created Equal - Trying to Capture Invalid Ethernet Frames, (Fri, Mar 13th)

March 13th 2020 at 01:08
This all started with a simple request. A client had purchased some new, shiny networking gear, and in each failover pair the active unit was sending 1 "Runt" per second.

Agent Tesla Delivered via Fake Canon EOS Notification on Free OwnCloud Account, (Wed, Mar 11th)

March 11th 2020 at 09:06
For a few days, there have been new waves of Agent Tesla[1] landing in our mailboxes. I found one that uses two new "channels" to deliver the trojan. Today, we can potentially receive notifications and files from many types of systems or devices. I found a phishing sample that tries to hide behind a Canon EOS camera notification. Not very well designed but it’s uncommon to see this. It started with a simple email:

Microsoft Patch Tuesday March 2020, (Tue, Mar 10th)

March 11th 2020 at 00:04
Microsoft today released patches for a total of 117 vulnerabilities. 25 of these vulnerabilities are rated critical. None of the vulnerabilities had been disclosed before today. Microsoft also has not seen any of them exploited in the wild.

Malicious Spreadsheet With Data Connection and Excel 4 Macros, (Mon, Mar 9th)

March 9th 2020 at 18:19
Reader Carsten submitted an interesting malicious spreadsheet: c2af8b309a9ce65e9ac67c6d3c3acbe7.

Excel Maldocs: Hidden Sheets, (Sun, Mar 8th)

March 8th 2020 at 23:01
Sheets in Excel workbooks can be hidden. To unhide them, right-click a sheet tab and select "Unhide":

Chain Reactor: Simulate Adversary Behaviors on Linux, (Sat, Mar 7th)

March 7th 2020 at 04:25
I am an advocate for the practice of adversary emulation to ensure detection efficacy. Candidly, I don’t consider a detection production-ready until it has been validated with appropriate adversary emulation to ensure the required triggers, alerts, and escalations are met. In many cases, basic human interaction can simulate the adversary per specific scenarios, but this doesn’t scale well. Applications and services to aid in this cause are essential. A couple of years ago I discussed APTSimulator as a means by which to test and simulate the HELK, but I haven’t given proper attention to adversary emulation on Linux. To that end, Chain Reactor “is an open source framework for composing executables that can simulate adversary behaviors and techniques on Linux endpoints. Executables can perform sequences of actions like process creation, network connections and more, through the simple configuration of a JSON file.”

A Safe Excel Sheet Not So Safe, (Fri, Mar 6th)

March 6th 2020 at 06:49
I discovered a nice sample yesterday. This Excel sheet was found in a mail flagged as “suspicious” by a security appliance. The recipient asked to release the mail from the quarantine because “it was sent from a known contact”. Before releasing such a mail from the quarantine, the process in place is to have a quick look at the file to ensure that it is safe to be released.

Will You Put Your Password in a Survey?, (Thu, Mar 5th)

March 5th 2020 at 06:40
Thanks to one of our readers who submitted this interesting piece of phishing. Personally, I was not aware of this technique, which is interesting to bypass common anti-spam filters and reputation systems. The idea is to create a fake survey on a well-known online service.

Let's Encrypt Revoking 3 Million Certificates, (Wed, Mar 4th)

March 4th 2020 at 15:31
Let's Encrypt announced that they will be revoking a large number of certificates today. The revocation is due to an error in how "CAA" records were validated for these certificates.

Secure vs. cleartext protocols - couple of interesting stats, (Mon, Mar 2nd)

March 2nd 2020 at 06:08
For a very long time, there has been a strong effort aimed toward moving all potentially sensitive network-based communications from unencrypted protocols to secure and encrypted ones. And with the recently released APWG report noting that 74% of phishing sites used HTTPS in the last quarter of 2019[1] and Apple’s supposed plan to start supporting only TLS certificates with no more than one year period of validity[2], I thought that this might be a good time to take a look at the current protocol landscape on the internet. Specifically at how the support for protocols, which offer cryptographic protection to data in transit, has changed in relation to support of cleartext protocols in the last months.

Hazelcast IMDG Discover Scan, (Sat, Feb 29th)

February 29th 2020 at 18:04
Today my honeypot has been capturing scans for the Hazelcast REST API. I checked my logs for the past 2 years and these only started today. The last vulnerability published for Hazelcast was CVE-2018-10654 and related to "There is a Hazelcast Library Java Deserialization Vulnerability in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3."[3]

Show me Your Clipboard Data!, (Fri, Feb 28th)

February 28th 2020 at 06:11
Yesterday I read an article[1] about the clipboard on iPhones and how it can disclose sensitive information about the device owner. At the end of the article, the author gave a reference to an iPhone app[2] that discloses the metadata of pictures copied to the clipboard (like the GPS coordinates).

Offensive Tools Are For Blue Teams Too, (Thu, Feb 27th)

February 27th 2020 at 06:46
Many offensive tools can be very useful for defenders too. Indeed, if they can help to gather more visibility about the environment that must be protected, why not use them? The more information you get, the more proactive you can be, and visibility is key. A good example is the combination of a certificate transparency list[1] with a domain monitoring tool like Dnstwist[2]: you could spot domains that have been registered and associated with an SSL certificate. It's a good indicator that an attack is being prepared (like a phishing campaign).

Quick look at a couple of current online scam campaigns, (Tue, Feb 25th)

February 25th 2020 at 06:16
Since I was exposed to three different online scam campaigns in the last three weeks, without having to go out and search for them, I thought that today might be a good time to take a look at how some of the current online scams work.

Maldoc: Excel 4 Macros and VBA, Devil and Angel?, (Mon, Feb 24th)

February 24th 2020 at 18:44
Philippe Lagadec, the developer of ole-tools, pointed out something interesting about the following maldoc sample (MD5 a0457c2728923cb46e6d9797fe7d81dd): it contains both Excel 4 macros and VBA code.

Maldoc: Excel 4 Macros in OOXML Format, (Sun, Feb 23rd)

February 23rd 2020 at 21:54
I've mentioned Excel 4 macros before, a scripting technology that predates VBA.

Simple but Efficient VBScript Obfuscation, (Sat, Feb 22nd)

February 22nd 2020 at 12:28
Today, it’s easy to guess if a piece of code is malicious or not. Many security solutions automatically detonate it in a sandbox. This remains quick and (most of the time still) efficient to have a first idea about the code behaviour. In parallel, many obfuscation techniques exist to avoid detection by AV products and/or make the life of malware analysts more difficult. Personally, I like to find new techniques and discover how imaginative malware developers can be to implement new obfuscation techniques.

Quick Analysis of an Encrypted Compound Document Format, (Fri, Feb 21st)

February 21st 2020 at 07:11
We like when our readers share interesting samples! Even if we have our own sources to hunt for malicious content, it’s always interesting to get fresh meat from third parties. Robert shared an interesting Microsoft Word document that I quickly analysed. Thanks to him!

Whodat? Enumerating Who "owns" a Workstation for IR, (Thu, Feb 20th)

February 20th 2020 at 16:24
Eventually in almost every incident response situation, you have to start contacting the actual people who sit at the keyboard of affected stations. Often you'll want them to step back from the keyboard or logout, for either remote forensics data collection or for remediation. Or in the worst case, if you don't have remote re-imaging working in your shop, to either ship their station back to home base for re-imaging or to arrange a local resource to re-image the machine the hard way.

Discovering contents of folders in Windows without permissions, (Tue, Feb 18th)

February 18th 2020 at 06:17
I recently noticed an interesting side effect of the way in which Windows handles local file permissions, which makes it possible for a non-privileged user to brute-force contents of a folder for which they don’t have read access (e.g. Read or List folder contents) permissions. It is possible that it is a known technique, however as I didn’t find any write-ups on it anywhere, I thought I’d share it here.

curl and SSPI, (Mon, Feb 17th)

February 17th 2020 at 18:09
There's an interesting comment on Xavier's diary entry "Keep an Eye on Command-Line Browsers" (paraphrasing): a proxy with authentication will prevent wget and curl from accessing the Internet because they don't do integrated authentication.

SOAR or not to SOAR?, (Sun, Feb 16th)

February 16th 2020 at 17:22
Security, Orchestration, Automation and Response (SOAR) allows organizations to collect data about security threats from multiple sources to automate an appropriate response on repetitive tasks. As an analyst you need to juggle and pivot several times a day between multiple tools and devices to evaluate a huge amount of information and deal with a flood of repetitive tasks such as alerts, tickets, email, threat intelligence data, etc. The end goal is to centralize everything in one location to improve analysis using captured institutionalized knowledge.

bsdtar on Windows 10, (Sat, Feb 15th)

February 15th 2020 at 19:23
Reading Xavier's diary entry "Keep an Eye on Command-Line Browsers", I wondered when exactly curl was introduced in Windows 10?

Keep an Eye on Command-Line Browsers, (Fri, Feb 14th)

February 14th 2020 at 06:26
For a few weeks, I have been searching for suspicious files that make use of a command line browser like curl.exe or wget.exe in a Windows environment. Wait, you were not aware of this? Just open a cmd.exe and type ‘curl.exe’ on your Windows 10 host: