SANS Internet Storm Center, InfoCON: green

Hunting phishing websites with favicon hashes, (Mon, Apr 19th)

April 19th 2021 at 09:05
HTTP favicons are often used by bug bounty hunters and red teamers to discover vulnerable services in a target AS or IP range. It makes sense – since different tools (and sometimes even different versions of the same tool) use different favicons[1] and services such as Shodan calculate MurmurHash values[2] for all favicons they discover and let us search through them, it can be quite easy to find specific services and devices this way.

Decoding Cobalt Strike Traffic, (Sun, Apr 18th)

April 18th 2021 at 11:42
In diary entry "Example of Cleartext Cobalt Strike Traffic (Thanks Brad)" I share a capture file I found with unencrypted Cobalt Strike traffic. The traffic is unencrypted since the malicious actors used a trial version of Cobalt Strike.

Querying Spamhaus for IP reputation, (Fri, Apr 16th)

April 17th 2021 at 03:07
Way back in 2018 I posted a diary describing how I have been using the Neutrino API to do IP reputation checks. In the subsequent 2+ years that Python script has evolved somewhat, which hopefully I can go over at some point in the future, but for now I would like to show you the most recent capability I added to that script.

HTTPS Support for All Internal Services, (Fri, Apr 16th)

April 16th 2021 at 05:42
SSL/TLS has been on stage for a while, with deprecated protocols[1] and free certificates for everybody[2]. The landscape is changing to force more and more people to switch to encrypted communications, and this is good! As Johannes explained yesterday[3], Chrome 90 will now append "https://" by default in the navigation bar. Yesterday's diary covered the deployment of your own internal CA to generate certificates and switch everything to secure communications. This is a good point. Especially, by deploying your own root CA, you will add an extra string to your security bow: SSL interception and inspection.

Why and How You Should be Using an Internal Certificate Authority, (Thu, Apr 15th)

April 15th 2021 at 12:56
Yesterday, Google released Chrome 90, and with that "HTTPS" is becoming the default protocol if you enter just a hostname into the URL bar without specifying the protocol [1]. This is the latest indication that the EFF's "HTTPS Everywhere" initiative is succeeding [2][3]. Browsers are more and more likely to push users to encrypted content. While I applaud this trend, it does have a downside for small internal sites that often make it difficult to configure proper certificates. In addition, browsers are becoming pickier as to what certificates they accept. For example, in the "good old days", I could set up internal certificates that were valid for 10 years, not having to worry about them expiring. Currently, browsers will reject certificates valid for more than 13 months (398 days) [4].

Microsoft April 2021 Patch Tuesday, (Tue, Apr 13th)

April 13th 2021 at 18:56
This month's score includes 114 Vulnerabilities. There are 19 Criticals this month with 4 previously disclosed and 1 being exploited.

Example of Cleartext Cobalt Strike Traffic (Thanks Brad), (Mon, Apr 12th)

April 12th 2021 at 20:30
Brad has a large collection of malware traffic (thanks Brad :-) ).

No Python Interpreter? This Simple RAT Installs Its Own Copy, (Fri, Apr 9th)

April 9th 2021 at 06:26
For a while, I have been keeping an eye on malicious Python code targeting Windows environments[1][2]. While Python looks more and more popular, attackers are facing a major issue: Python is not installed by default on most Windows operating systems. Python is often available on the systems of developers, system/network administrators, or security teams. As the proverb says, "You are never better served than by yourself": I found a simple Python backdoor that installs its own copy of the Python interpreter!

Simple Powershell Ransomware Creating a 7Z Archive of your Files, (Thu, Apr 8th)

April 8th 2021 at 07:35
While some ransomware families are based on PE files with complex features, it's easy to write quick-and-dirty ransomware in other languages like Powershell. I found this sample while hunting. I'm pretty confident that this script is a proof-of-concept or still under development because it does not contain all the required components and includes some debugging information.

WiFi IDS and Private MAC Addresses, (Wed, Apr 7th)

April 7th 2021 at 12:09
I recently came across "nzyme" [1], a WiFi Intrusion Detection System (IDS). Nzyme does focus on WiFi-specific attacks, so it does not care about payload but inspects the 802.11 headers that escape traditional, wired IDSs. It was not terribly hard to get it running on a Raspberry Pi using a Panda USB WiFi adapter.

Malspam with Lokibot vs. Outlook and RFCs, (Tue, Apr 6th)

April 6th 2021 at 16:31
A couple of weeks ago, my phishing/spam trap caught an interesting e-mail carrying what turned out to be a sample of the Lokibot Infostealer.

YARA and CyberChef: ZIP, (Sun, Apr 4th)

April 4th 2021 at 20:01
When processing the result of "unzip" in CyberChef, for example with YARA rules, all files contained inside the ZIP file are concatenated together.

Video: YARA and CyberChef, (Sat, Apr 3rd)

April 4th 2021 at 14:48
In diary entry "YARA and CyberChef", I explain how to use YARA rules together with CyberChef.

C2 Activity: Sandboxes or Real Victims?, (Fri, Apr 2nd)

April 2nd 2021 at 05:13
In my last diary[1], I mentioned that I was able to access screenshots exfiltrated by the malware sample. During the first analysis, there were approximately 460 JPEG files available. I continued to keep an eye on the host and the number slightly increased, but not by much. My diary conclusion was that the malware looks popular judging by the number of screenshots, but wait… Are we sure that all those screenshots are real victims? I executed the malware in my sandbox, and probably other automated analysis tools were used to detonate the malware in a sandbox. This question popped up in my mind: how can we get an idea of the ratio of automated tools vs. real victims?

April 2021 Forensic Quiz, (Thu, Apr 1st)

April 1st 2021 at 21:43
2021-04-01 21:41 UTC - UPDATE: The domain for the AD environment used in this quiz has been changed to clockwater.net. We will still accept the original domain listed in the answers from any of the submissions. We already have 10 submissions as I write this. Thanks to everyone who has participated or will still take part in this quiz!

Quick Analysis of a Modular InfoStealer, (Wed, Mar 31st)

March 31st 2021 at 08:34
This morning, an interesting phishing email landed in my spam trap. The mail was written in Spanish and, as usual, asked the recipient to urgently process the attached document. The filename was "AVISO.001" (this extension is used by multi-volume archives). The archive contained a PE file with a very long name: AVISO11504122921827776385010767000154304736120425314155656824545860211706529881523930427.exe (SHA256:ff834f404b977a475ef56f1fa81cf91f0ac7e07b8d44e0c224861a3287f47c8c). The file is unknown on VT at this time, so I did a quick analysis.

Old TLS versions - gone, but not forgotten... well, not really "gone" either, (Tue, Mar 30th)

March 30th 2021 at 08:06
With the recent official deprecation of TLS 1.0 and TLS 1.1 by RFC 8996[1], a step, which has long been in preparation and which was preceded by many recommendations to discontinue the use of both protocols (as well as by the removal of support for them from all mainstream web browsers[2]), one might assume that the use of old TLS versions on the internet would have significantly decreased over the last few months. This has however not been the case.

Jumping into Shellcode, (Mon, Mar 29th)

March 29th 2021 at 06:14
Malware analysis is exciting because you never know what you will find. In previous diaries[1], I already explained why it's important to have a look at groups of interesting Windows API calls to detect some behaviors. The classic example is code injection. Usually, it is based on something like this:

TCPView v4.0 Released, (Sun, Mar 28th)

March 28th 2021 at 19:24
TCPView is a Sysinternals tool that displays information about the TCP and UDP endpoints on a system. It's like netstat, but with a GUI.

Malware Analysis with elastic-agent and Microsoft Sandbox, (Fri, Mar 26th)

March 27th 2021 at 17:41
Microsoft describes it this way: "Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. [...] Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the .wsb file extension."[6]

Office macro execution evidence, (Fri, Mar 26th)

March 26th 2021 at 00:02
Microsoft Office Macros continue to be the security nightmare that they have been for the past 3 decades. System and security admins everywhere continue to try to protect their users from prevalent macro malware, but they find Microsoft's tooling often less than helpful.

Submitting pfSense Firewall Logs to DShield, (Thu, Mar 25th)

March 25th 2021 at 00:52
In my previous diaries, I wrote about pfSense firewalls [1], [2]. I hope the diaries have given some insight to current pfSense users, and also inspire individuals who have yet to deploy any form of information security mechanism in their home/personal networks to do so. At the SANS Internet Storm Center, we welcome interested participants to submit firewall logs to DShield [3]. In this diary entry, I would like to share how to do so if you are using a pfSense firewall. I also highlight some minor issues I discovered when I was trying to set up the DShield pfSense client, and how to resolve them so you can send your logs to DShield successfully. Please remember to do a config backup on your pfSense firewall before changing anything, and test the changes in a test network before deploying them into the production environment. At the time of writing, all configuration and testing were done on pfSense 2.5.0-RELEASE Community Edition.

Nim Strings, (Mon, Mar 22nd)

March 22nd 2021 at 22:55
On Tuesday's Stormcast, Johannes talked about malware written in the Nim Programming language.

Video: Finding Metasploit & Cobalt Strike URLs, (Sun, Mar 21st)

March 21st 2021 at 00:03
I received a couple of questions on my diary entry "Finding Metasploit & Cobalt Strike URLs", so I made a video that shows the method and explains the checksum calculation in detail.

YARA Pre-release v4.1.0, (Sat, Mar 20th)

March 20th 2021 at 22:09
There's a new version of YARA on GitHub, a pre-release for version 4.1.0.

Pastebin.com Used As a Simple C2 Channel, (Fri, Mar 19th)

March 19th 2021 at 07:50
With the growing threat of ransomware attacks, there are other malicious activities that get less attention today but remain active. Think about crypto-miners. Yes, attackers continue to mine Monero on compromised systems. I spotted an interesting shell script that installs and runs a crypto-miner (SHA256:00e2ddca696426d9cad992662284d1f28b9ecd44ed7c1be39789417c1ea9a5f2[1]).

Simple Python Keylogger, (Thu, Mar 18th)

March 18th 2021 at 09:46
A keylogger is one of the core features implemented by many malware families to exfiltrate interesting data and learn about the victim. Besides the fact that interesting keystrokes can reveal sensitive information (usernames, passwords, IP addresses, hostnames, ...), just by having a look at the text typed on the keyboard, the attacker can profile his target and estimate whether it's a juicy one or not.

Defenders, Know Your Operating System Like Attackers Do!, (Wed, Mar 17th)

March 17th 2021 at 07:17
Not a technical diary today but more a reflection… When I'm teaching FOR610[1], I always remind students to "RTFM" or "Read the F… Manual". I mean: do not hesitate to have a look at the Microsoft documentation when you meet an API call for the first time or if you are not sure about the expected parameters.