FreshRSS

SANS Internet Storm Center, InfoCON: green

Agent Tesla hidden in a historical anti-malware tool, (Thu, Feb 11th)

February 11th 2021 at 07:17
While going through attachments of e-mails, which were caught in my e-mail quarantine since the beginning of February, I found an ISO file with what turned out to be a sample of the Agent Tesla infostealer. That, by itself, would not be that unusual, but the Agent Tesla sample turned out to be unconventional in more ways than one...

Microsoft February 2021 Patch Tuesday, (Tue, Feb 9th)

February 9th 2021 at 20:20
This month we got patches for 56 vulnerabilities. Of these, 11 are critical, 1 is being exploited and 6 were previously disclosed.

Quickie: tshark & Malware Analysis, (Mon, Feb 8th)

February 8th 2021 at 19:08
The following screenshot drew my attention when I read Brad's diary entry "Excel spreadsheets push SystemBC malware":

YARA v4.0.5, (Sat, Feb 6th)

February 6th 2021 at 22:50
YARA version 4.0.5 was released.

VBA Macro Trying to Alter the Application Menus, (Fri, Feb 5th)

February 5th 2021 at 06:40
Who remembers the worm Melissa[1]? It started to spread in March 1999! In information security, it looks like speaking about prehistory, but I spotted a VBA macro that tried to use the same defensive technique as Melissa. Yes, back in 1999, attackers already tried to use techniques to defeat users' protections. The sample macro has a low VT score (7/44) (SHA256:386e1a60011ff0a818adff8c638005ec5015930c1b35d06cacc11f3ab53725d0)[2].

Abusing Google Chrome extension syncing for data exfiltration and C&C, (Thu, Feb 4th)

February 4th 2021 at 10:04
I had the pleasure (or not) of working on another incident where, among other things, attackers were using a pretty novel way of exfiltrating data and using that channel for C&C communication. Some of the methods observed in the analyzed code were pretty scary from a defender's point of view, as you will see further below in this diary.

New Example of XSL Script Processing aka "Mitre T1220", (Tue, Feb 2nd)

February 2nd 2021 at 08:06
Last week, Brad posted a diary about TA551[1]. A few days later, one of our readers submitted another sample belonging to the same campaign. Brad had a look at the traffic so I decided to have a look at the macro, not because the code is heavily obfuscated but data are spread at different locations in the Word document.

Taking a Shot at Reverse Shell Attacks, CNC Phone Home and Data Exfil from Servers, (Mon, Feb 1st)

February 1st 2021 at 14:17
Over the last number of weeks (after the Solarwinds Orion news) there's been a lot of discussion on how to detect if a server-based application is compromised. The discussions have ranged from buying new sophisticated tools, auditing the development pipeline, to diffing patches. But really, for me it's as simple as saying "should my application server really be able to connect to any internet host on any protocol". Let's take it one step further and say "should my application server really be able to connect to arbitrary hosts on tcp/443 or udp/53 (or any other protocol)". And when you phrase it that way, the answer really should be a simple "no".

Wireshark 3.4.3 Released, (Sun, Jan 31st)

January 31st 2021 at 10:11
Wireshark version 3.4.3 was released.

YARA v4.0.4, (Sun, Jan 31st)

January 31st 2021 at 10:06
YARA version 4.0.4 was released (right after version 4.0.3).

PacketSifter as Network Parsing and Telemetry Tool, (Sat, Jan 30th)

January 30th 2021 at 14:13
I saw PacketSifter[1], a new package on Github, and figured I would give it a try to test its functionality. It is described as "PacketSifter is a tool/script that is designed to aid analysts in sifting through a packet capture (pcap) to find noteworthy traffic. Packetsifter accepts a pcap as an argument and outputs several files." It is less than a month old: initial release 31 Dec 2020 and last update 22 days ago.

Sensitive Data Shared with Cloud Services, (Fri, Jan 29th)

January 29th 2021 at 06:56
Yesterday was the data protection day in Europe[1]. I was not on duty so I'm writing this quick diary a bit late. Back in 2020, the Nitro PDF service suffered from a data breach that impacted many companies around the world. This popular service allows you to create, edit and sign PDF documents. A few days ago, the database leak was released in the wild[2]: 14GB compressed, 77M credentials.

Emotet vs. Windows Attack Surface Reduction, (Thu, Jan 28th)

January 28th 2021 at 00:02
Emotet malware in the form of malicious Word documents continued to make the rounds over the past weeks, and the samples initially often had pretty poor anti-virus coverage (Virustotal). The encoding used by the maldoc is very similar to what Didier Stevens analyzed in his recent diary, and the same method can be used to extract the mal-code from the current Emotet docs.

TriOp - tool for gathering (not just) security-related data from Shodan.io (tool drop), (Wed, Jan 27th)

January 27th 2021 at 09:51
If you're a regular reader of our Diaries, you may remember that over the last year and a half, a not insignificant portion of my posts has been devoted to discussing some of the trends in internet-connected systems. We looked at changes in the number of internet-facing machines affected by BlueKeep[1], SMBGhost[2], Shitrix[3] and several other vulnerabilities[4], as well as at the changes in TLS 1.3 support over time[5] and several other areas[6,7]. Today, we're going to take a look at the tool that I've used to gather the data, on which the Diaries were based, from Shodan.io.

Fun with NMAP NSE Scripts and DOH (DNS over HTTPS), (Mon, Jan 25th)

January 25th 2021 at 17:49
DOH (DNS over HTTPS) has been implemented into the various browsers over the last year or so, and there's a fair amount of support for it on public DNS services. Because it's encrypted and over TCP, the mantra of "because privacy" has carried the day it looks like. But why do network and system admins hate it so?

Video: Doc & RTF Malicious Document, (Sun, Jan 24th)

January 24th 2021 at 15:05
I made a video for my diary entry "Doc & RTF Malicious Document". And I show a new feature of my tool re-search.py, that helps with filtering URLs found in OOXML files.

CyberChef: Analyzing OOXML Files for URLs, (Sat, Jan 23rd)

January 23rd 2021 at 09:39
In diary entry "Doc & RTF Malicious Document" I start analyzing a malicious Word document with my tools.

Another File Extension to Block in your MTA: .jnlp, (Fri, Jan 22nd)

January 22nd 2021 at 08:59
When hunting, one thing that I like to learn is how attackers can be imaginative at deploying new techniques. I spotted some emails that had suspicious attachments based on the '.jnlp' extension. I'm pretty sure that many people don't know what their purpose is and, if you don't know them, you don't have a look at them in your logs, SIEM, ... That makes them a good candidate to deliver malicious code!

Powershell Dropping a REvil Ransomware, (Thu, Jan 21st)

January 21st 2021 at 10:13
I spotted a piece of Powershell code that deserved some investigations because it makes use of RunSpaces[1]. The file (SHA256:e1e19d637e6744fedb76a9008952e01ee6dabaecbc6ad2701dfac6aab149cecf) has a very low VT score: only 1/59![2].

Gordon for fast cyber reputation checks, (Tue, Jan 19th)

January 19th 2021 at 03:15
Gordon quickly provides threat & risk information about observables.

Doc & RTF Malicious Document, (Mon, Jan 18th)

January 18th 2021 at 06:48
A reader pointed us to a malicious Word document.

New Release of Sysmon Adding Detection for Process Tampering, (Sun, Jan 17th)

January 17th 2021 at 11:53
Version 13.01 of Sysmon was released, a Windows Sysinternals tool to monitor and log system activity.

Obfuscated DNS Queries, (Fri, Jan 15th)

January 16th 2021 at 17:35
This week I started seeing some URLs with /dns-query?dns in my honeypot[1][2]. The queries obviously did not look like standard DNS queries; this got me curious, so I proceeded to investigate to determine what these DNS queries were trying to resolve.

Dynamically analyzing a heavily obfuscated Excel 4 macro malicious file, (Thu, Jan 14th)

January 14th 2021 at 10:16
Recently I had to analyze an Excel malicious file that was caught in the wild, in a real attack. The file was used in a spear phishing attack where a victim was enticed into opening the file with Excel and, of course, enabling macros.

Microsoft January 2021 Patch Tuesday, (Tue, Jan 12th)

January 12th 2021 at 18:45
This month we got patches for 83 vulnerabilities. Of these, 10 are critical, one was previously disclosed, and one is already being exploited according to Microsoft.

Using the NVD Database and API to Keep Up with Vulnerabilities and Patches - Tool Drop: CVEScan (Part 3 of 3), (Mon, Jan 11th)

January 11th 2021 at 16:27
Now, with a firm approach to putting an inventory together and using the NVD API (https://isc.sans.edu/forums/diary/Using+the+NIST+Database+and+API+to+Keep+Up+with+Vulnerabilities+and+Patches+Part+1+of+3/26958/ and https://isc.sans.edu/forums/diary/Using+the+NIST+Database+and+API+to+Keep+Up+with+Vulnerabilities+and+Patches+Playing+with+Code+Part+2+of+3/26964/), for any client I typically create 4 inventories: