FreshRSS

SANS Internet Storm Center, InfoCON: green

Microsoft July 2020 Patch Tuesday - Patch Now!, (Tue, Jul 14th)

July 14th 2020 at 17:54
This month we got patches for 123 vulnerabilities. Of these, 17 are critical and 2 were previously disclosed.

VBA Project Passwords, (Mon, Jul 13th)

July 13th 2020 at 17:18
A VBA project can be protected with a read-password: a password you need to enter in order to be able to view and edit the VBA project in the VBA IDE.

Maldoc: VBA Purging Example, (Sun, Jul 12th)

July 12th 2020 at 22:08
An anonymous reader asked if the malicious document Brad discussed in his latest diary entry, was "purged". VBA purging means that the compiled VBA code (PerformanceCache) is missing.

Scanning Home Internet Facing Devices to Exploit, (Sat, Jul 11th)

July 11th 2020 at 23:31
In the past 45 days, I noticed a surge of activity in my honeypot logs for home router exploitation. This is a summary of the various hosts and IP addresses with potential exploit packages available for download. What is also interesting is the fact that most URLs were only IP based, with no hostname associated with them. Some of the URLs were improperly configured: they still contained the default private IP, and a few others contained: YOURIPHERE.

Active Exploit Attempts Targeting Recent Citrix ADC Vulnerabilities CTX276688, (Thu, Jul 9th)

July 9th 2020 at 12:12
I just can't get away from vulnerabilities in perimeter security devices. In the last couple of days, I spent a lot of time with our F5 BigIP honeypot. But looks like I have to revive the Citrix honeypot again. As of today, my F5 honeypot is getting hit by attempts to exploit two of the Citrix vulnerabilities disclosed this week [1]. Details with proof of concept code snippets were released yesterday [2].

If You Want Something Done Right, You Have To Do It Yourself... Malware Too!, (Wed, Jul 8th)

July 8th 2020 at 05:13
I'm teaching FOR610[1] this week and today is dedicated to malicious web and document files. That's a good opportunity to share with you a Windows Script that uses a nice obfuscation technique. The attacker's idea is to use a big array containing the second stage payload and interesting strings:

F5 BigIP vulnerability exploitation followed by a backdoor implant attempt, (Tue, Jul 7th)

July 7th 2020 at 20:12
While monitoring SANS Storm Center's honeypots today, I came across the second F5 BIGIP CVE-2020-5902 vulnerability exploitation followed by a backdoor deployment attempt. The first one was seen by Johannes yesterday [1].

Happy Birthday DShield: DShield.org was registered 20 years ago., (Tue, Jul 7th)

July 7th 2020 at 18:07
And all DShield wants for its Birthday is your logs :). See here for details.

Summary of CVE-2020-5902 F5 BIG-IP RCE Vulnerability Exploits, (Mon, Jul 6th)

July 7th 2020 at 16:29
Our honeypots have been busy collecting exploit attempts for CVE-2020-5902, the F5 Networks BigIP vulnerability patched last week. Most of the exploits can be considered reconnaissance. We only saw one working exploit installing a backdoor. Badpackets reported seeing a DDoS bot being installed.

CVE-2020-5902: F5 BIG-IP RCE Vulnerability, (Mon, Jul 6th)

July 6th 2020 at 11:06
A remote code execution vulnerability CVE-2020-5902 in F5's BIG-IP with CVSS score 10 is actively exploited.

CVE-2020-5902 F5 BIG-IP Exploitation Attempt, (Sun, Jul 5th)

July 5th 2020 at 17:10
A quick heads-up: we are seeing scans for F5 BIG-IP's vulnerability CVE-2020-5902.

Wireshark 3.2.5 Released, (Sun, Jul 5th)

July 5th 2020 at 09:03
Wireshark version 3.2.5 was released.

Happy FouRth of July from the Internet Storm Center, (Sat, Jul 4th)

July 4th 2020 at 07:44
For our readers in the United States, the 4th of July is Independence Day. As the 4th, under normal COVID-free circumstances, is typically celebrated with fireworks events, I thought I'd deviate a bit from information security topics and instead share a bit of code to create your own fireworks using R, a language and environment for statistical computing and graphics. My teams and I use R and Python constantly as part of security data analytics, particularly for data science and machine learning to further our detection practices and better identify anomalies of significance. You can follow along at home using RStudio as your IDE, and the latest version of R, 4.0.2 as this is written. All credit is due specifically to Edward Visel of Uptake; this is entirely his code, just modified ever so slightly for our purposes here. Edward was experimenting on his path to the perfect R-generated firework, but I like each of them as variants in and of themselves. In the spirit of the old red, white, and blue, I selected three specific patterns, namely his explosion, particles and gnats, and the final firework. This work uses the tidyverse, sf, and gganimate packages; I pulled in magick to manipulate the resulting GIFs a bit. If you just want the TL;DR version, the results of the effort follow immediately, and the code is in-line immediately thereafter. Happy 4th of July for those of you who celebrate it, cheers, stay safe and healthy to all!

Setting up the Dshield honeypot and tcp-honeypot.py, (Wed, Jul 1st)

July 2nd 2020 at 01:46
After Johannes did his Tech Tuesday presentation last week on setting up Dshield honeypots, I thought I'd walk you through how I set up my honeypots. I like to combine the Dshield honeypot with Didier Stevens' tcp-honeypot so I can capture more suspicious traffic. Today, I'll walk you through my setup using a VM hosted by Digital Ocean, though the steps would work for pretty much any cloud provider.

ISC Snapshot: SpectX IP Hitcount Query, (Tue, Jun 30th)

June 30th 2020 at 05:53
SpectX was the subject of an ISC post on SpectX4DFIR back in late April. Raido from SpectX provides us with a query to count hits from IPs during different time intervals.

Sysmon and Alternate Data Streams, (Mon, Jun 29th)

June 29th 2020 at 16:09
Sysmon version 11.10, released a couple of days ago, adds support for capturing content of Alternate Data Streams.

tcp-honeypot.py Logstash Parser & Dashboard Update, (Sun, Jun 28th)

June 28th 2020 at 11:54
This is an update to the logstash parser and dashboard published in January for Didier's tcp-honeypot.py honeypot script. The parser has been updated to follow the Elastic Common Schema (ECS) format and parses more information from the honeypot logs, with revised and additional dashboards.

Video: YARA's BASE64 Strings, (Sat, Jun 27th)

June 27th 2020 at 22:05
In diary entry YARA's BASE64 Strings, I explain the new BASE64 feature in YARA (we're at version 4.0.2 now).

Tech Tuesday Recap / Recordings: Part 2 (Installing the Honeypot) release., (Thu, Jun 25th)

June 25th 2020 at 18:41
As mentioned during our "Tech Tuesday" session, the session itself was not recorded. Instead, I will be releasing three "stand alone" videos covering the major parts of the workshop.

Using Shell Links as zero-touch downloaders and to initiate network connections, (Wed, Jun 24th)

June 24th 2020 at 10:32
Probably anyone who has used any modern version of Windows is aware of their file-based shortcuts, also known as LNKs or Shell Link files. Although they were intended as a simple feature to make Windows a bit more user-friendly, over the years, a significant number[1] of vulnerabilities were identified in handling of LNKs. Many of these vulnerabilities lead to remote code execution and one (CVE-2010-2568) was even used in creation of the Stuxnet worm.

VMware security advisory VMSA-2020-0015, (Wed, Jun 24th)

June 24th 2020 at 06:42
VMware issued a new security advisory yesterday - VMSA-2020-0015[1]. It covers patches (in some cases still pending) for 10 different CVEs with a use-after-free vulnerability in ESXi, Workstation and Fusion being the most important one (CVSSv3 base score of 9.3).

Cyberbunker 2.0: Analysis of the Remnants of a Bullet Proof Hosting Provider, (Mon, Jun 22nd)

June 23rd 2020 at 11:18
This post was written by SANS.edu graduate student Karim Lalji in cooperation with Johannes Ullrich.

Comparing Office Documents with WinMerge, (Mon, Jun 22nd)

June 22nd 2020 at 17:58
Sometimes I have to compare the internals of Office documents (OOXML files, e.g. ZIP container with XML files, …). Since they are ZIP containers, I have to compare the files within. I used to do this with the zipdump.py tool, but recently, I started to use WinMerge because of its graphical user interface.

ISC Handler Series: SANS@MIC - Maldocs: a bit of blue, a bit of red, (Sun, Jun 21st)

June 21st 2020 at 18:53
This week, I presented at SANSFIRE: SANS@MIC - Maldocs: a bit of blue, a bit of red.

Pi Zero HoneyPot, (Sat, Jun 20th)

June 20th 2020 at 01:49
The ISC has had a Pi honeypot(1) for the last couple of years, but I haven't had much time to try it on the Pi zero. Recently, I've had a chance to try it out, and it works great.

Sigma rules! The generic signature format for SIEM systems., (Fri, Jun 19th)

June 19th 2020 at 09:52
What Snort is to network traffic, and YARA to files, is Sigma to logs. By creating and using Sigma rules you’ll have generic rules which can be shared and run against different targets (e.g. SIEMs).

Broken phishing accidentally exploiting Outlook zero-day, (Thu, Jun 18th)

June 18th 2020 at 09:33
When we think of zero-days, what comes to mind are usually RCEs or other high-impact vulnerabilities. Zero-days, however, come in all shapes and sizes and many of them are low impact, as is the vulnerability we’re going to discuss today. What is interesting about it, apart from it allowing a sender of an e-mail to include/change a link in an e-mail when it is forwarded by Outlook, is that I noticed it being exploited in a low-quality phishing e-mail by what appears to be a complete accident.

Odd "Protest" Spam (Scam?) Targeting Atlanta Police Foundation, (Tue, Jun 16th)

June 17th 2020 at 01:25
After the killing of Rayshard Brooks by Atlanta police this week, a lot of protests and anger were directed at the Atlanta police department and its officers. Yesterday, we received an odd spam message that may be targeting the Atlanta Police Foundation. The Atlanta Police Foundation is a not-for-profit organization collecting funding for various causes related to the Atlanta police. The Atlanta Police Foundation has been quoted in several news reports regarding the low morale of officers and officer resignation. It is no surprise that it is within scope for protests online.

Sextortion to The Next Level, (Tue, Jun 16th)

June 16th 2020 at 10:03
For a long time, our mailboxes have been flooded with emails from "hackers" (note the quotes) who pretend to have infected our computers with malware. The scenario is always the same: they successfully collected sensitive pieces of evidence about us (usually, men visiting adult websites) and request some money to be paid in Bitcoins or they will disclose everything. We already reported this kind of malicious activity for the first time in 2018[1]. Attacks evolved with time and they improved their communication by adding sensitive information like a real password (grabbed from major data leaks) or mobile phones.

HTML based Phishing Run, (Mon, Jun 15th)

June 15th 2020 at 16:14
An interesting phishing run started over the weekend. At first glance it looks pretty typical... a clumsy email with an attachment with some vital and useful information. Although I have already seen several different message bodies, this is one sample:

VMWare Security Advisory - VMSA-2020-0013 - https://www.vmware.com/security/advisories/VMSA-2020-0013.html, (Mon, Jun 15th)

June 15th 2020 at 13:55
-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

YARA's BASE64 Strings, (Sun, Jun 14th)

June 14th 2020 at 22:51
Since YARA version 4.0.0, Victor added support for detecting BASE64 encoded strings.

Mirai Botnet Activity, (Sat, Jun 13th)

June 13th 2020 at 18:35
This past week, I noticed new activity from the Mirai botnet in my honeypot. The sample log with the IP and file associated with the first log appears to have been taken down (96.30.193.26), although it appeared multiple times this week including today. However, the last two logs from today are still active and use a Bash script to download multiple exploits targeting various device types (MIPS, ARM4-7, MPSL, x86, PPC, M68k). Something else of interest is the User-Agent: XTC and the name viktor, which appear to be linked to the XTC IRC Botnet, aka Hoaxcalls.

Malicious Excel Delivering Fileless Payload, (Fri, Jun 12th)

June 12th 2020 at 05:51
Macros in Office documents are so common today that my honeypots and hunting scripts catch a lot of them daily. I try to keep an eye on them because sometimes you can spot an interesting one (read: "using a less common technique"). Yesterday, I found such a sample that deserves a quick diary!