FreshRSS

SANS Internet Storm Center, InfoCON: green

Apple May 2021 Security Updates, (Mon, May 24th)

May 24th 2021 at 20:20
Apple has released several updates for iPhones, iPads, Apple Watches, and Macs earlier today (May 24). More details are available on the Apple Security Updates website.

Video: Making Sense Of Encrypted Cobalt Strike Traffic, (Sun, May 23rd)

May 23rd 2021 at 00:01
Brad posted another malware analysis with a capture file of Cobalt Strike traffic.

"Serverless" Phishing Campaign, (Sat, May 22nd)

May 22nd 2021 at 07:54
The Internet is full of code snippets and free resources that you can embed in your projects. SmtpJS is one of those small projects that are very interesting for developers, but also for bad guys. This is the first time I have spotted a phishing campaign that uses this piece of JavaScript code.

Locking Kernel32.dll As Anti-Debugging Technique, (Fri, May 21st)

May 22nd 2021 at 15:52
[Edited: The technique discussed in this diary is not mine and has been used without proper citation of the original author]

New YouTube Video Series: Everything you ever wanted to know about DNS and more!, (Thu, May 20th)

May 20th 2021 at 23:16
You may have heard sayings like "If it is broken, it is probably a DNS problem. And if it isn't DNS, it is still a DNS problem", or "Everything that happens on your network is reflected in DNS." DNS is a great protocol, sometimes blamed for things it cannot help, and sometimes forgotten (when it works well). One of the amazing things I find about DNS is all its little nuances and how it all "fits together". I planned this video series a couple of months ago and figured that it would be easy. I know DNS... but each time I look at DNS, I learn something new, so it has taken a while to get the first episodes together, and today I am releasing the first one. There is no fixed schedule for when they will be released (weekly?... if DNS doesn't prevent me from posting them) and no fixed end; I am not done yet considering topics and ideas.

And Ransomware Just Got a Bit Meaner (yes... it is possible), (Thu, May 20th)

May 20th 2021 at 19:18
Ransomware has been evolving, and each evolution appears to be a bit "meaner" than the last. Early ransomware targeted consumers. Encrypting baby pictures or tax records motivated users to pay, in some cases, a few hundred dollars to get their data back. The attacker went for easy targets and, with that, for easy money. But as most people dealing with consumers can attest: customer support is hard! Many consumers do not know how to use cryptocurrencies. Even the relatively straightforward Bitcoin payment can be too difficult. And forget about currencies like Monero that are often not traded on mainstream exchanges.

From RunDLL32 to JavaScript then PowerShell, (Tue, May 18th)

May 18th 2021 at 07:28
I spotted an interesting script on VT a few days ago, and it deserves a quick diary because it uses a nice way to execute JavaScript on the targeted system. The technique used in this case is based on a very common LOLbin: RunDLL32.exe. The goal of the tool is, as the name says, to load a DLL and execute one of its exported functions:
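As an added example (my code, not the diary's, and not a reconstruction of the analyzed script beyond what the diary states), here is detection logic over constructed Sysmon-style process-creation records for the three things a defender can key on with this LOLbin: rundll32 being handed a script pseudo-protocol (the well-known javascript: form that reaches the mshtml RunHTMLApplication export), rundll32 loading a "module" whose extension is not DLL-like, and rundll32 as the parent of a script or shell interpreter such as PowerShell. The event records and field names follow Sysmon Event ID 1 naming but are constructed for the example.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation records (Event ID 1 field names);
# none of this is real telemetry from the diary's sample.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";'
                    r'new ActiveXObject("WScript.Shell").Run("powershell -nop -w hidden -enc AAAA")'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "powershell -nop -w hidden -enc AAAA"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Users\Public\update.txt,DllRegisterServer'},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
DLL_LIKE_EXT = {".dll", ".cpl", ".ocx", ".ax"}
# javascript:/vbscript: pseudo-protocols and the mshtml export they abuse.
SCRIPT_PROTOCOL = re.compile(r"\b(?:javascript|vbscript):|RunHTMLApplication", re.I)
# "rundll32.exe ..." or a quoted full path to it, then the rest of the line.
RUNDLL32_PREFIX = re.compile(r'^\s*"?[^"\s]*?rundll32(?:\.exe)?"?\s*(.*)$', re.I)


def _basename(path):
    return ntpath.basename(path).lower()


def first_argument(cmdline):
    """Module argument after rundll32[.exe]: a quoted path, or the text up to
    the first space or comma (rundll32 splits 'module,EntryPoint' on the comma)."""
    m = RUNDLL32_PREFIX.match(cmdline)
    if not m:
        return ""
    rest = m.group(1).lstrip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    return re.split(r"[\s,]", rest, maxsplit=1)[0]


def rundll32_rules(event):
    """Names of the rules that fire for one process-creation record."""
    hits = []
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    if image == "rundll32.exe":
        if SCRIPT_PROTOCOL.search(cmd):
            hits.append("rundll32_script_protocol")
        module = first_argument(cmd)
        if module and not module.lower().startswith(("javascript:", "vbscript:")):
            if ntpath.splitext(module)[1].lower() not in DLL_LIKE_EXT:
                hits.append("rundll32_nonstandard_module")
    if parent == "rundll32.exe" and image in SCRIPT_HOSTS:
        hits.append("rundll32_spawns_script_host")
    return hits


def scan(events):
    """(index, rule names) for every record that triggers at least one rule."""
    results = []
    for i, event in enumerate(events):
        hits = rundll32_rules(event)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(i, hits, SAMPLE_EVENTS[i]["CommandLine"][:70])
```

The nonstandard-module rule is the noisiest of the three on a real estate (some installers legitimately pass odd file names), so tune its allow-list from your own baseline before alerting on it; the script-protocol rule and the rundll32-to-PowerShell parent/child rule should be close to zero in normal telemetry.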

Ransomware Defenses, (Mon, May 17th)

May 17th 2021 at 00:20
Ransomware attacks continue to be in the headlines everywhere, and are also an almost weekly recurring subject in the SANS Newsbites. As useful as many of the reports are that security firms and researchers publish on the subject, they often focus heavily on one particular incident or type of ransomware, and the associated "indicators of compromise" (IOCs). We already covered before how IOCs can turn into IOOIs (Indicators of Outdated Intelligence), and how to try to elevate the defense work from detecting IOCs to detecting TTPs (Tactics, Techniques and Procedures).

"Open" Access to Industrial Systems Interface is Also Far From Zero, (Fri, May 14th)

May 14th 2021 at 05:35
Jan's last diary about the recent attack against the US pipeline[1] was perfectly timed with the quick research I had been preparing for a few weeks. Even if core components of industrial systems are less exposed in the wild, as Jan said, there is another issue with such infrastructures: remote access tools. Today, buildings, factories and farms must be controlled remotely or are sometimes managed by third parties. Microsoft RDP is common on many networks (and is often the weakest link in a classic attack like ransomware), but there is another protocol that is heavily used to remotely control industrial systems: VNC ("Virtual Network Computing")[2]. This protocol works with many different operating systems (clients and servers), and is simple and efficient. For many companies developing industrial systems, it is a good candidate to offer remote access.
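As an added example (mine, not the diary's or ISC's), here is the check a defender can run against their own address space to find VNC services that offer the "None" security type, that is, no authentication at all. The RFB handshake follows RFC 6143: the server sends a 12-byte version greeting, the client echoes a version, and the server then lists the security types it offers. The parser is exercised on constructed byte strings; probe() does the same exchange over a socket and disconnects before authenticating. Security-type numbers 16, 18 and 19 are from the IANA RFB security-types registry.

```python
import socket
import struct

# Security types from RFC 6143 (0-2) and the IANA RFB registry (16-19).
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                  16: "Tight", 18: "TLS", 19: "VeNCrypt"}


def parse_protocol_version(banner: bytes):
    """Parse the 12-byte 'RFB xxx.yyy\\n' greeting the server sends first."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or not banner.endswith(b"\n"):
        raise ValueError(f"not an RFB banner: {banner!r}")
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def parse_security_types(version, data: bytes):
    """Security types offered after the version exchange.
    3.7+: U8 count followed by that many U8 types (count 0 = failure + reason).
    3.3:  a single U32 type chosen by the server (0 = failure + reason)."""
    if version >= (3, 7):
        if len(data) < 1:
            raise ValueError("short read")
        count = data[0]
        if count == 0:
            (n,) = struct.unpack("!I", data[1:5])
            raise ConnectionError(data[5:5 + n].decode("latin-1", "replace"))
        if len(data) < 1 + count:
            raise ValueError("short read")
        return list(data[1:1 + count])
    (sec_type,) = struct.unpack("!I", data[:4])
    if sec_type == 0:
        (n,) = struct.unpack("!I", data[4:8])
        raise ConnectionError(data[8:8 + n].decode("latin-1", "replace"))
    return [sec_type]


def allows_unauthenticated(types) -> bool:
    """True when the server offers type 1 ('None'): anyone can take the console."""
    return 1 in types


def describe(types):
    return [SECURITY_TYPES.get(t, f"unknown({t})") for t in types]


def probe(host: str, port: int = 5900, timeout: float = 5.0):
    """Network version of the check: speak just enough RFB to read the offered
    security types, then disconnect without authenticating."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        version = parse_protocol_version(s.recv(12))
        # Reply with the server's version, capped at 3.8 (the highest parsed here).
        reply = version if version <= (3, 8) else (3, 8)
        s.sendall(b"RFB %03d.%03d\n" % reply)
        types = parse_security_types(version, s.recv(256))
    return version, types


if __name__ == "__main__":
    # Offline demonstration on constructed server responses.
    for banner, payload in [(b"RFB 003.008\n", b"\x01\x01"),
                            (b"RFB 003.008\n", b"\x02\x02\x13"),
                            (b"RFB 003.003\n", b"\x00\x00\x00\x02")]:
        v = parse_protocol_version(banner)
        t = parse_security_types(v, payload)
        print(v, describe(t), "NO AUTH" if allows_unauthenticated(t) else "auth required")
```

Two caveats when you run probe() in anger: many industrial VNC stacks answer with 3.3 and a single type, so keep the 3.3 branch; and "VNC Authentication" (type 2) is only a DES challenge on an 8-character password, so a server that offers type 2 on the open Internet is exposed too, just less obviously than one offering "None".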

Number of industrial control systems on the internet is lower than in 2020...but still far from zero, (Wed, May 12th)

May 12th 2021 at 11:13
With the recent ransomware attack that impacted the operation of one of the major US pipelines[1], I thought it might be a good time to revisit the old topic of internet-connected industrial systems. Since operational technologies are generally used to support or control processes that directly impact the physical world, the danger of successful attacks on them should be self-evident, as should the need to protect them.

Microsoft May 2021 Patch Tuesday, (Tue, May 11th)

May 11th 2021 at 23:25
This month we got patches for 55 vulnerabilities. Of these, 4 are critical, 3 were previously disclosed, and none are being exploited according to Microsoft.

Correctly Validating IP Addresses: Why encoding matters for input validation, (Mon, May 10th)

May 10th 2021 at 12:30
Recently, a number of libraries suffered from a very similar security flaw: IP addresses expressed in octal (a leading zero on an octet) were not correctly interpreted. The result was that an attacker was able to bypass input validation rules that restricted IP addresses to specific subnets.

Who is Probing the Internet for Research Purposes?, (Sat, May 8th)

May 9th 2021 at 15:32
Shodan[1] is one of the most familiar sites for researching what is on the internet. In Oct 2020 I did a diary on Censys [2][3], another site collecting information similar to Shodan's. The next two sites regularly scan the internet for data which isn't shared with the security community at large.

Exposed Azure Storage Containers, (Fri, May 7th)

May 7th 2021 at 00:02
A couple months ago, we already covered the topic of exposed Azure Blob Storage in two separate ISC diaries, "Exposed Blob Storage in Azure" and "Preventing Exposed Blob Storage in Azure". The information therein is still relevant and valid, so if you are using Azure Storage, and haven't read these two diaries yet, please do.

Alternative Ways To Perform Basic Tasks, (Thu, May 6th)

May 6th 2021 at 05:58
I like to spot techniques used by malware developers to perform basic tasks. We know the lolbins[1], pre-installed tools that can be used to perform malicious activities. Many lolbins are used, for example, to download some content from the Internet. Some tools are so powerful that they can also be used to perform unexpected tasks. I found an interesting blog article[2] describing how to use curl to copy files!

Quick and dirty Python: masscan, (Tue, May 4th)

May 4th 2021 at 20:23
Those who know me are aware that I am a recovering shell programmer. I have 35+ years of various shell scripts involving complicated code pipelines with grep, cut, sort, uniq, awk, input files, output files, redirects, pipes etc...cobbled together to get jobs done. None of it is elegant and little of it could be called pretty. The last couple of years I have been trying to ramp up on Python and am increasingly finding that these complicated shell code scripts can be elegantly implemented in Python. The resulting code is way easier to read and way more supportable.
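An added example, not the code from the diary: the shell pipeline the diary alludes to (grep the open lines, cut the address column, sort -u, uniq -c) rewritten as a small Python module over masscan's list output (-oL). The sample output is constructed, and the line layout ("open tcp 22 10.0.0.5 1620000000", with banner lines carrying the service name and banner text after the timestamp) is as I understand masscan's -oL format; check it against the version you run.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of masscan list output (-oL); not from a real scan.
SAMPLE_OUTPUT = """#masscan
open tcp 22 10.0.0.5 1620000000
open tcp 80 10.0.0.5 1620000001
open tcp 5900 10.0.0.9 1620000002
banner tcp 22 10.0.0.5 1620000003 ssh SSH-2.0-OpenSSH_8.2
open tcp 5900 10.0.0.12 1620000004
open udp 161 10.0.0.12 1620000005
# end
"""


def parse_masscan_list(text: str):
    """Return ({ip: {(proto, port), ...}}, {(ip, proto, port): banner})."""
    open_ports = defaultdict(set)
    banners = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(maxsplit=5)
        if len(fields) < 5:
            continue              # tolerate a truncated line from an interrupted scan
        state, proto, port, ip, _ts = fields[:5]
        port = int(port)
        if state == "open":
            open_ports[ip].add((proto, port))
        elif state == "banner" and len(fields) == 6:
            banners[(ip, proto, port)] = fields[5]
    return dict(open_ports), banners


def hosts_with_port(open_ports, port: int, proto: str = "tcp"):
    """The 'grep | cut | sort -u' step, but sorted numerically by address
    (plain sort puts 10.0.0.12 before 10.0.0.9)."""
    hits = [ip for ip, ports in open_ports.items() if (proto, port) in ports]
    return sorted(hits, key=ipaddress.ip_address)


def port_histogram(open_ports):
    """The 'cut | sort | uniq -c | sort -rn' step: (proto, port) -> host count."""
    counts = defaultdict(int)
    for ports in open_ports.values():
        for key in ports:
            counts[key] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    ports, banners = parse_masscan_list(SAMPLE_OUTPUT)
    print("VNC exposed on:", hosts_with_port(ports, 5900))
    for (proto, port), n in port_histogram(ports):
        print(f"{n:4d} {proto}/{port}")
    for key, banner in banners.items():
        print(key, banner)
```

Feed it a real file with parse_masscan_list(open("scan.txt").read()); the parsed structure can then be joined against an asset inventory or diffed against yesterday's scan, which is exactly where the shell version of this starts to hurt.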

Important Apple Updates, (Tue, May 4th)

May 4th 2021 at 16:12
On Monday May 3rd, Apple released important updates to macOS Big Sur, iOS and iPadOS, and watchOS to resolve an issue in WebKit which when "Processing maliciously crafted web content may lead to arbitrary code execution." Apple has indicated that this issue is being actively exploited.

PuTTY And FileZilla Use The Same Fingerprint Registry Keys, (Sun, May 2nd)

May 2nd 2021 at 18:17
Many SSH clients can remember SSH servers' fingerprints. This can serve as a safety mechanism: you get a warning when the server you want to connect to no longer has the same fingerprint. Then you can decide what to do: continue with the connection, or stop and try to figure out what is going on.

YARA Release v4.1.0, (Sat, May 1st)

May 1st 2021 at 21:31
YARA version 4.1.0 was released.

Qiling: A true instrumentable binary emulation framework, (Fri, Apr 30th)

April 30th 2021 at 08:13
A while ago, during the FLARE On 7 challenge last autumn, I had my first experience with the Qiling framework. It helped me to solve the challenge CrackInstaller by Paul Tarter (@Hefrpidge). If you want to read more about this (very interesting) challenge: https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/flareon7-challenge9-solution.pdf.

From Python to .Net, (Thu, Apr 29th)

April 29th 2021 at 06:14
The Microsoft operating system provides the .Net framework[1] to developers. It allows applications to fully interact with the OS, so powerful applications can be written with it... but also malicious ones. In a previous diary[2], I talked about a malicious Python script that interacted with the OS using the ctypes[3] library. Yesterday I found another Python script that interacts with the .Net framework to perform low-level actions.

Deeper Analysis of my Last Malicious PowerPoint Add-On, (Wed, Apr 28th)

April 28th 2021 at 05:56
Last week, I wrote a diary about a malicious PowerPoint add-on[1] and I concluded by saying that I was not able to continue the investigation because the URL found in the macro pointed to a blogspot.com URL. Ron, one of our readers, found that this page was indeed malicious and contained some piece of JavaScript executed by mshta.exe.

Diving into a Singapore Post Phishing E-mail, (Tue, Apr 27th)

April 27th 2021 at 00:26
With the sustained persistence of COVID-19 globally, postal and e-commerce related phishing e-mails remain one of the most widely favoured methods of adversaries and cybercrime groups. Although postal and shipping companies have often put up warnings about phishing sites and e-mails (for example Singapore Post [1] and DHL [2]), phishing sites and e-mails continue to be propagated. While organizations continue to deploy technologies and invest in security awareness training to allow better detection of phishing e-mails, individuals who are not particularly IT-savvy could fall prey to such phishing e-mails, especially via their personal e-mail accounts, which may not have enterprise phishing protection features. I was recently forwarded one phishing e-mail for a quick look. Unfortunately, by the time I got to it, the phishing page appeared to have been taken down. However, there were some salient points that struck me when I analyzed the contents of the e-mail, and I wanted to talk a bit about them to increase awareness.

CAD: .DGN and .MVBA Files, (Mon, Apr 26th)

April 26th 2021 at 19:06
Since I wrote a diary entry about AutoCAD drawings containing VBA code, I regularly receive questions about MicroStation files.

Sysinternals: Procmon and Sysmon update, (Sun, Apr 25th)

April 25th 2021 at 11:34
New versions of Procmon and Sysmon were released.

Wireshark 3.4.5 Released, (Sun, Apr 25th)

April 25th 2021 at 11:05
Wireshark version 3.4.5 was released.

Base64 Hashes Used in Web Scanning, (Sat, Apr 24th)

April 24th 2021 at 16:06
I have honeypot activity logs going back to May 2018, and I was curious what type of username:password combinations were stored in the web traffic logs following either Proxy-Authorization: Basic or Authorization: Basic in each log. This graph illustrates an increase in web scanning activity for username:password over the past 3 years.
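As an added example (not from the diary), the decoding step behind a tally like this: pull the token that follows Proxy-Authorization: Basic or Authorization: Basic, base64-decode it with alphabet validation, split on the first colon, and count. The log lines are constructed in a simple one-request-per-line layout; real honeypot logs will need a different line parser, but the credential handling is the same. Tokens that are not valid base64, or that decode to text without a colon, are counted separately rather than silently dropped, because scanners do send those.

```python
import base64
import binascii
import re
from collections import Counter

# Constructed honeypot lines (one request per line); not real traffic.
SAMPLE_LOG = [
    '2021-04-24T10:00:01Z 198.51.100.7 "GET http://example.net/ HTTP/1.1" Proxy-Authorization: Basic cm9vdDpyb290',
    '2021-04-24T10:00:05Z 198.51.100.7 "GET /admin HTTP/1.1" Authorization: Basic YWRtaW46YWRtaW4=',
    '2021-04-24T10:00:09Z 203.0.113.44 "GET / HTTP/1.1" Authorization: Basic cm9vdDpyb290',
    '2021-04-24T10:00:12Z 203.0.113.44 "GET / HTTP/1.1" Authorization: Basic YWRtaW46',
    '2021-04-24T10:00:15Z 203.0.113.44 "GET / HTTP/1.1" Authorization: Basic bm9jb2xvbg==',
    '2021-04-24T10:00:20Z 203.0.113.44 "GET / HTTP/1.1" Authorization: Basic abc',
    '2021-04-24T10:00:25Z 192.0.2.9 "GET / HTTP/1.1" User-Agent: Mozilla/5.0',
]

# Either header name, the Basic scheme, then a base64 token (alphabet only).
BASIC_HEADER = re.compile(
    r"\b(Proxy-Authorization|Authorization):\s*Basic\s+([A-Za-z0-9+/]+=*)", re.I)


def decode_basic(token: str):
    """base64 token -> (user, password), or None if it is not well-formed."""
    try:
        raw = base64.b64decode(token, validate=True)   # bad alphabet/padding raise
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", "replace")
    if ":" not in text:
        return None
    user, _, password = text.partition(":")   # the password may itself contain ':'
    return user, password


def tally(lines):
    """Count (user, password) pairs seen in Basic auth headers, hits per header
    name, and the number of tokens that could not be decoded."""
    creds, by_header, undecodable = Counter(), Counter(), 0
    for line in lines:
        m = BASIC_HEADER.search(line)
        if not m:
            continue
        by_header[m.group(1).title()] += 1
        pair = decode_basic(m.group(2))
        if pair is None:
            undecodable += 1
        else:
            creds[pair] += 1
    return creds, by_header, undecodable


if __name__ == "__main__":
    creds, by_header, undecodable = tally(SAMPLE_LOG)
    for (user, password), n in creds.most_common():
        print(f"{n:5d}  {user}:{password}")
    print(dict(by_header), "undecodable:", undecodable)
```

When running this over years of logs, keep the raw token alongside the decoded pair: the same credential encoded with and without trailing padding, or with a trailing CRLF baked into the base64, comes from different tooling, and that distinction is often more useful for attribution than the plaintext pair itself.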

Malicious PowerPoint Add-On: "Small Is Beautiful", (Fri, Apr 23rd)

April 23rd 2021 at 05:45
Yesterday I spotted a DHL-branded phishing campaign that used a PowerPoint file to compromise the victim. The malicious attachment is a PowerPoint add-in. This technique is not new, I already analyzed such a sample in a previous diary[1]. The filename is "dhl-shipment-notification-6207428452.ppt" (SHA256:934df0be5a13def81901b075f07f3d1f141056a406204d53f2f72ae53f583341) and has a VT score of 18/60[2].

How Safe Are Your Docker Images?, (Thu, Apr 22nd)

April 22nd 2021 at 07:21
Today, I don't know any organization that is not using Docker. Whether only for test and development or for full production systems, containers are deployed everywhere! In the same way, most popular tools today have a "dockerized" version ready to use, sometimes maintained by the developers themselves, sometimes maintained by third parties. An example is the Docker container that I created with all Didier's tools[1]. Today, we are also facing a new threat: supply chain attacks (think about SolarWinds or, more recently, Codecov[2]). Mix the attraction of container technologies with this threat, and we realize that Docker images are a great way to compromise an organization!
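An added example (mine, not the diary's, and not a tool from ISC) of one concrete check that follows from the supply-chain point: whether a Dockerfile pins its base images by digest rather than by a mutable tag, and whether any RUN step pipes a downloaded script straight into a shell. The Dockerfile is constructed and the sha256 digest in it is a placeholder, not a real image.

```python
import re

# Constructed Dockerfile; the digest is a placeholder, not a real image.
SAMPLE_DOCKERFILE = """\
# constructed sample; the sha256 digest below is a placeholder, not a real image
FROM python:3.9-slim AS builder
WORKDIR /src
RUN pip install --no-cache-dir requests
FROM ubuntu
RUN apt-get update && \\
    curl -fsSL https://example.invalid/install.sh | sudo sh
FROM python:3.9-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY --from=builder /src /app
FROM builder
"""

# FROM [--platform=...] <image> [AS <stage>]
FROM_LINE = re.compile(r"^FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?$", re.I)
# curl/wget ... | [sudo] sh/bash/dash/zsh
PIPE_TO_SHELL = re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|da|z)?sh\b", re.I)


def _logical_lines(text):
    """Yield (first line number, instruction) with backslash continuations joined."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf).strip()
        buf, start = [], None
    if buf:
        yield start, " ".join(buf).strip()


def audit_dockerfile(text):
    """Return [(line, severity, message)] for unpinned base images and pipe-to-shell."""
    findings, stages = [], set()
    for lineno, inst in _logical_lines(text):
        if not inst or inst.startswith("#"):
            continue
        m = FROM_LINE.match(inst)
        if m:
            ref, alias = m.group(1), m.group(2)
            is_stage_ref = ref.lower() in stages      # FROM <earlier stage>: nothing pulled
            if alias:
                stages.add(alias.lower())
            if is_stage_ref or ref.lower() == "scratch":
                continue
            if "$" in ref:
                findings.append((lineno, "medium",
                                 f"base image {ref} comes from a build argument; pin the resolved value"))
            elif "@sha256:" not in ref:
                last = ref.rsplit("/", 1)[-1]          # strip registry/namespace
                tag = last.split(":", 1)[1] if ":" in last else None
                if tag is None or tag == "latest":
                    findings.append((lineno, "high", f"base image {ref} has no tag or uses latest, and no digest"))
                else:
                    findings.append((lineno, "medium", f"base image {ref} is tagged but not pinned by digest"))
            continue
        if inst.upper().startswith("RUN") and PIPE_TO_SHELL.search(inst):
            findings.append((lineno, "high", "RUN pipes a downloaded script into a shell"))
    return findings


if __name__ == "__main__":
    for lineno, severity, message in audit_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {lineno:3d} [{severity}] {message}")
```

A digest pin only guarantees you get the bytes you reviewed; it does nothing if the image you pinned was already malicious, so pair it with a review of who publishes the image and a scan of its layers before the pin is committed.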

A Case for Lockdown and Isolation (and not the Covid kind), (Wed, Apr 21st)

April 21st 2021 at 16:59
A reader wrote in expressing concerns over a vendor software management platform that had 3rd party module vulnerabilities [1]. Reasonable risk assessment if you ask me. This comes along with the two "One Liners" we posted yesterday [2] [3]. This sounds like a case for isolation and/or lockdown. Considering 2021's climate, let's be clear here: digital, not physical :).