FreshRSS

SANS Internet Storm Center, InfoCON: green

Video: YARA's BASE64 Strings, (Sat, Jun 27th)

June 27th 2020 at 22:05
In diary entry YARA's BASE64 Strings, I explain the new BASE64 feature in YARA (we're at version 4.0.2 now).

Tech Tuesday Recap / Recordings: Part 2 (Installing the Honeypot) release., (Thu, Jun 25th)

June 25th 2020 at 18:41
As mentioned during our "Tech Tuesday" session, the session itself was not recorded. Instead, I will be releasing three "stand alone" videos covering the major parts of the workshop.

Using Shell Links as zero-touch downloaders and to initiate network connections, (Wed, Jun 24th)

June 24th 2020 at 10:32
Probably anyone who has used any modern version of Windows is aware of their file-based shortcuts, also known as LNKs or Shell Link files. Although they were intended as a simple feature to make Windows a bit more user-friendly, over the years a significant number[1] of vulnerabilities were identified in the handling of LNKs. Many of these vulnerabilities lead to remote code execution, and one (CVE-2010-2568) was even used in the creation of the Stuxnet worm.

VMware security advisory VMSA-2020-0015, (Wed, Jun 24th)

June 24th 2020 at 06:42
VMware issued a new security advisory yesterday - VMSA-2020-0015[1]. It covers patches (in some cases still pending) for 10 different CVEs with a use-after-free vulnerability in ESXi, Workstation and Fusion being the most important one (CVSSv3 base score of 9.3).

Cyberbunker 2.0: Analysis of the Remnants of a Bullet Proof Hosting Provider, (Mon, Jun 22nd)

June 23rd 2020 at 11:18
This post was written by SANS.edu graduate student Karim Lalji in cooperation with Johannes Ullrich.

Comparing Office Documents with WinMerge, (Mon, Jun 22nd)

June 22nd 2020 at 17:58
Sometimes I have to compare the internals of Office documents (OOXML files, e.g. ZIP containers with XML files, …). Since they are ZIP containers, I have to compare the files within. I used to do this with the zipdump.py tool, but recently I started to use WinMerge because of its graphical user interface.

ISC Handler Series: SANS@MIC - Maldocs: a bit of blue, a bit of red, (Sun, Jun 21st)

June 21st 2020 at 18:53
This week, I presented at SANSFIRE: SANS@MIC - Maldocs: a bit of blue, a bit of red.

Pi Zero HoneyPot, (Sat, Jun 20th)

June 20th 2020 at 01:49
The ISC has had a Pi honeypot(1) for the last couple of years, but I haven't had much time to try it on the Pi Zero. Recently, I've had a chance to try it out, and it works great.

Sigma rules! The generic signature format for SIEM systems., (Fri, Jun 19th)

June 19th 2020 at 09:52
What Snort is to network traffic, and YARA to files, is Sigma to logs. By creating and using Sigma rules you’ll have generic rules which can be shared and run against different targets (e.g. SIEMs).

Broken phishing accidentally exploiting Outlook zero-day, (Thu, Jun 18th)

June 18th 2020 at 09:33
When we think of zero-days, what comes to mind are usually RCEs or other high-impact vulnerabilities. Zero-days, however, come in all shapes and sizes and many of them are low impact, as is the vulnerability we’re going to discuss today. What is interesting about it, apart from it allowing a sender of an e-mail to include/change a link in an e-mail when it is forwarded by Outlook, is that I noticed it being exploited in a low-quality phishing e-mail by what appears to be a complete accident.

Odd "Protest" Spam (Scam?) Targeting Atlanta Police Foundation, (Tue, Jun 16th)

June 17th 2020 at 01:25
After the killing of Rayshard Brooks by Atlanta police this week, a lot of protests and anger were directed at the Atlanta police department and its officers. Yesterday, we received an odd spam message that may be targeting the Atlanta Police Foundation. The Atlanta Police Foundation is a not-for-profit organization collecting funding for various causes related to the Atlanta police. The Atlanta Police Foundation has been quoted in several news reports regarding the low morale of officers and officer resignations. It is no surprise that it is within scope for protests online.

Sextortion to The Next Level, (Tue, Jun 16th)

June 16th 2020 at 10:03
For a long time, our mailboxes have been flooded with emails from “hackers” (note the quotes) who pretend to have infected our computers with malware. The scenario is always the same: they successfully collected sensitive pieces of evidence about us (usually, men visiting adult websites) and request some money to be paid in Bitcoins, or they will disclose everything. We already reported this kind of malicious activity for the first time in 2018[1]. Attacks evolved with time and they improved their communication by adding sensitive information like a real password (grabbed from major data leaks) or mobile phones.

HTML based Phishing Run, (Mon, Jun 15th)

June 15th 2020 at 16:14
An interesting phishing run started over the weekend. At first glance it looks pretty typical: a clumsy email with an attachment with some vital and useful information. Although I have already seen several different message bodies, this is one sample:

VMWare Security Advisory - VMSA-2020-0013 - https://www.vmware.com/security/advisories/VMSA-2020-0013.html, (Mon, Jun 15th)

June 15th 2020 at 13:55
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

YARA's BASE64 Strings, (Sun, Jun 14th)

June 14th 2020 at 22:51
Since YARA version 4.0.0, Victor added support for detecting BASE64 encoded strings.

Mirai Botnet Activity, (Sat, Jun 13th)

June 13th 2020 at 18:35
This past week, I noticed new activity from the Mirai botnet in my honeypot. The sample log with the IP and file associated with the first log appears to have been taken down (96.30.193.26), which appeared multiple times this week including today. However, the last two logs from today are still active, using a Bash script to download multiple exploits targeting various device types (MIPS, ARM4-7, MPSL, x86, PPC, M68k). Something else of interest is the User-Agent: XTC and the name viktor, which appear to be linked to the XTC IRC Botnet, aka Hoaxcalls.

Malicious Excel Delivering Fileless Payload, (Fri, Jun 12th)

June 12th 2020 at 05:51
Macros in Office documents are so common today that my honeypots and hunting scripts catch a lot of them daily. I try to keep an eye on them because sometimes you can spot an interesting one (read: “using a less common technique”). Yesterday, I found such a sample that deserves a quick diary!

Anti-Debugging JavaScript Techniques, (Thu, Jun 11th)

June 11th 2020 at 06:28
For developers who write malicious programs, it’s important to make their code difficult to read and to execute in a sandbox. Like in most languages, there are many ways to make the life of malware analysts more difficult (or more exciting, depending on the side of the table you’re sitting on ;-).

Microsoft June 2020 Patch Tuesday, (Tue, Jun 9th)

June 9th 2020 at 18:02
This month we got patches for 130 vulnerabilities. Of these, 12 are critical and none of them was previously disclosed or is being exploited, according to Microsoft.

Translating BASE64 Obfuscated Scripts, (Mon, Jun 8th)

June 8th 2020 at 20:03
I often get requests for help with deobfuscating scripts. I have several tools that can help.

Cyber Security for Protests, (Fri, Jun 5th)

June 6th 2020 at 14:42
Modern-day protests are as much about social media and voicing your opinions online, as they are about showing up "in person". When attending a protest, it is important to keep some basic rules in mind to stay secure. Of course, it is always best to leave expensive electronics at home, but live streaming, posting to social media, and recording events at the protest is very much a part of modern protests. The other option is to only take a relatively cheap "burner phone" with you that does not have any of your personal data associated with it. But even a cheap, but reasonably functional phone will be too expensive for most.

Not so FastCGI!, (Fri, Jun 5th)

June 5th 2020 at 08:27
This past month, we've seen some new and different scans targeting TCP ports between 8000 and 10,000. The first occurrence was on 30 April 2020 and originated from IP address 23.95.67.187, containing the payload:

Suspending Suspicious Domain Feed / Update to Researcher IP Feed, (Thu, Jun 4th)

June 4th 2020 at 11:57
Yesterday, Peter from DNSFilter sent us a message noting that many of the domains in our "Suspicious Domain" feed no longer resolved, and some of the feeds we used as input were no longer maintained. After investigating, I have to agree with him. The remaining feeds don't make a valuable service at this point. The idea of the "Suspicious Domain" list was to aggregate different lists, but with essentially only 1 or 2 lists left, that doesn't make sense, and I decided to no longer maintain the feed until we find new inputs. The respective files will still be offered, but they are empty so as not to break any existing scripts that use them (they are quite popular).

Anti-Debugging Technique based on Memory Protection, (Thu, Jun 4th)

June 4th 2020 at 07:27
Many modern malware samples implement defensive techniques. First of all, we have to distinguish between sandbox-evasion and anti-debugging techniques. Today, sandboxes are an easy and quick way to categorize samples based on their behavior. Malware developers have plenty of tests to perform to detect the environment running their code. Some examples: testing the disk size, the desktop icons, the uptime, processes, network interface MAC addresses, hostnames, etc.

Stackstrings, type 2, (Mon, Jun 1st)

June 2nd 2020 at 20:13
Update 1: Added disassembler output.

XLMMacroDeobfuscator: An Update, (Mon, Jun 1st)

June 1st 2020 at 19:34
XLMMacroDeobfuscator is an open-source tool to deobfuscate Excel 4 macros. I wrote diary entries about it here and here.

Windows 10 Built-in Packet Sniffer - PktMon, (Sun, May 31st)

May 31st 2020 at 19:59
With the October 2018 Update, Microsoft released a built-in packet sniffer for Windows 10, located in C:\Windows\system32\PktMon.exe. At ISC we like packets, and this is one of the multiple ways to capture packets and send us a copy for analysis. Rob previously published another way of capturing packets in Windows here. If Windows 10 was compromised, this application would be a prime target for malicious actors, and it needs to be monitored, protected or removed in an enterprise.

YARA v4.0.1, (Sat, May 30th)

May 30th 2020 at 08:07
A couple of weeks ago, YARA 4.0.0 was released with support for BASE64 strings.

The Impact of Researchers on Our Data, (Fri, May 29th)

May 29th 2020 at 17:07
Researchers have been using various tools to perform internet-wide scans for many years. Some will publish data continuously to notify users of infected or misconfigured systems. Others will use the data to feed internal proprietary systems, or publish occasional research papers.

Flashback on CVE-2019-19781, (Thu, May 28th)

May 28th 2020 at 10:13
First of all, did you know that the Flame[1] malware turned 8 years old today! Happy Birthday! The discovery of this famous malware was announced on May 28th, 2012. The malware was used for targeted cyber espionage activities in the Middle East area. Even though this malware was probably developed by a nation-state organization, it infected a limited number of hosts (~1000 computers[3]), making it a targeted attack.

Frankenstein's phishing using Google Cloud Storage, (Wed, May 27th)

May 27th 2020 at 08:39
Phishing e-mail messages and/or web pages are often unusual in one way or another from the technical standpoint – some are surprisingly sophisticated, while others are incredibly simple, and sometimes they are a very strange mix of the two. The latter was the case with an e-mail, which our company e-mail gateway caught last week – some aspects of it appeared to be professionally done, but others screamed that the author was a “beginner” at best.

Seriously, SHA3 where art thou?, (Tue, May 26th)

May 26th 2020 at 19:18
A couple of weeks ago, Rob wrote a couple of nice diaries. In our private handlers Slack channel I was joking after the first one about whether he was going to rewrite CyberChef in PowerShell. After the second I asked what about SHA3? So, he wrote another one (you're welcome for the diary ideas, Rob). I was only half joking.

Zloader Maldoc Analysis With xlm-deobfuscator, (Sun, May 24th)

May 25th 2020 at 07:09
Reader Roland submitted a malicious Zloader Excel 4 macro spreadsheet (MD5 82c12e7fe6cabf5edc0bdaa760b4b8c8).