What's new around the internet


Src Date (GMT) Title Description Tags Stories Notes
SANS 2022-11-29 16:04:44 Packet Tuesday Episode 3: TCP Urgent Flag. https://packettuesday.com, (Tue, Nov 29th) (direct link) Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu ★★★
SANS 2022-11-29 15:46:37 Identifying Groups of "Bot" Accounts on LinkedIn, (Tue, Nov 29th) (direct link) As some have noted, LinkedIn has recently removed many accounts after identifying them as "bots" or "disingenuous" [1]. These removals are relatively easy to spot if they affect large companies like Amazon, Apple, and others. But they are a bit more challenging to spot if the fake accounts claim to work for smaller, relatively unknown companies. Threat ★★★
SANS 2022-11-28 12:36:18 Ukraine Themed Twitter Spam Pushing iOS Scareware, (Mon, Nov 28th) (direct link) With the expansion of Russia's invasion of Ukraine in February, Ukraine has made heavy use of social media to demonstrate the ability of the Ukrainian armed forces to repulse the attack. Ukraine often shares video clips showing attacks against Russian troops from drones or action camera footage from the front lines. These videos have been widely distributed, and various social media channels have shared them to build an audience for themselves. Spam ★★
SANS 2022-11-25 18:46:46 Happy 22nd Birthday DShield.org!, (Fri, Nov 25th) (direct link) Traditionally, I consider the Thanksgiving weekend of 2000 the "Birthday" of DShield. I coded the first version of DShield over that weekend and made it public soon after. My records aren't that great, but here is an early screenshot of DShield.org courtesy of archive.org. There are a couple of earlier ones, but they are a bit too embarrassing to post here :). What is now the Internet Storm Center was known as incidents.org back then. ★★
SANS 2022-11-24 08:13:01 Attackers Keep Phishing Victims Under Stress, (Thu, Nov 24th) (direct link) Phishing campaigns are very common today; we receive many phishing attempts per day. Why are attackers still flooding our mailboxes with such emails? Because it still works, and the "return on investment" of sending millions is reached even if only a few victims are lured. However, attackers are always looking for new techniques to make people confident that the message is legit. Many phishing campaigns are pretty well prepared, and the fake mail you receive looks exactly like an official one. Multiple times, I was pretty close to clicking on a link... Yes, we are all poor humans! ★★★★
SANS 2022-11-22 17:57:03 Packet Tuesday: Episode 2 - Extended DNS Option Type 0, (Tue, Nov 22nd) (direct link) Enjoy the second episode of Packet Tuesday. Staying with DNS for this episode (don't worry: Episode 3 will not be about DNS) ★★★★
SANS 2022-11-21 20:48:27 Log4Shell campaigns are using Nashorn to get reverse shell on victim's machines, (Mon, Nov 21st) (direct link) Almost one year later, Log4Shell attacks are still alive and making victims. Log4Shell, as you may remember, was the name given to a remote code execution (RCE) vulnerability in the Apache Log4j Java library, first known on December 10th, 2021. Information on the zero-day (CVE-2021-44228) and malicious campaigns using it were covered here in SANS ISC in different diaries like here and here. Vulnerability
SANS 2022-11-20 00:02:43 McAfee Fake Antivirus Phishing Campaign is Back!, (Sat, Nov 19th) (direct link) Yesterday I received this email that my McAfee antivirus subscription has expired and that my computer is already infected with 5 viruses (how do they know?). The overall content of this email is simple and direct to the point and is similar to something Xavier posted earlier this year [1].
SANS 2022-11-17 15:16:05 Lessons Learned from Automatic Failover: When 8.8.8.8 "disappears". IPv6 to the Rescue?, (Thu, Nov 17th) (direct link) A famous XKCD cartoon talks about the importance of the often taken for granted "8.8.8.8" Google DNS server. Like many, I use it often as a quick connectivity check. 8.8.8.8 is an anycast address that exists many times around the globe. I also started to use it for automatic failover on my OPNSense firewall/router.
SANS 2022-11-16 18:15:23 Evil Maid Attacks - Remediation for the Cheap, (Wed, Nov 16th) (direct link) [This is a guest diary submitted by Gebhard. For feedback, you can connect with Gebhard via our DShield slack]
SANS 2022-11-15 17:17:06 Packet Tuesday: Network Traffic Analysis for the Whole Family, (Tue, Nov 15th) (direct link) A short while ago, I floated the idea of a weekly video series with short lessons about packets, protocols, and networks. Today, we are kicking off "Packet Tuesday". Packet Tuesday, as the name implies, will release a new video each Tuesday. We will discuss packets in detail. See the first two videos below. For future videos, please subscribe to the YouTube channel. I will also use PacketTuesday.com for videos and related materials. There is usually a PCAP file to go with each video.
SANS 2022-11-14 02:35:27 Extracting 'HTTP CONNECT' Requests with Python, (Mon, Nov 14th) (direct link) Seeing abnormal Suricata alerts isn't too unusual in my home environment. In many cases it may be a TLD being resolved that at one point in time was very suspicious. With the increased legitimate adoption of some of these domains, these alerts have been less useful, although still interesting to investigate. I ran into a few of these alerts one night and when diving deeper there was an unusual amount, frequency, and source of the alerts.
SANS 2022-11-12 13:15:59 Extracting Information From "logfmt" Files With CyberChef, (Sat, Nov 12th) (direct link) I recorded a video for this diary entry.
SANS 2022-11-11 08:35:36 Update: IPv4 Address Representations, (Fri, Nov 11th) (direct link) I got feedback via Twitter on my diary entry "IPv4 Address Representations": CyberChef's operation Change IP Format does transform IPv4 representations.
SANS 2022-11-10 10:48:11 Do you collect "Observables" or "IOCs"?, (Thu, Nov 10th) (direct link) Indicators of Compromise, or IOCs, are key elements in blue team activities. IOCs are mainly small pieces of technical information that have been collected during investigations, threat hunting activities or malware analysis. About the last example, the malware analyst's goal is to identify how the malware is behaving and how to identify it. Malware Threat
SANS 2022-11-09 02:27:20 Another Script-Based Ransomware, (Wed, Nov 9th) (direct link) In the past, I already found some script-based ransomware samples written in Python or PowerShell [1]. The last one I found was only a "proof-of-concept" (my guess), but it demonstrates how easily such malware can be developed and how it remains undetected by most antivirus products. Ransomware Malware
SANS 2022-11-08 18:41:13 (Déjà vu) Microsoft November 2022 Patch Tuesday, (Tue, Nov 8th) (direct link) This month we got patches for 68 vulnerabilities. Of these, 10 are critical, 1 was previously disclosed, and 4 are already being exploited, according to Microsoft.
SANS 2022-11-06 10:56:42 IPv4 Address Representations, (Sun, Nov 6th) (direct link) A reader asked for help with this maldoc. Not with the analysis itself, but with how to understand where the URL is pointing to.
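The two "IPv4 Address Representations" entries above (the original and the CyberChef update) concern URLs whose host is a single decimal number, a hex or octal string, or a dotted form with fewer than four parts. Below is an added example, not code from the ISC diaries, that normalizes such hosts the way the classic BSD inet_aton() parser does: each dot-separated part may be decimal, 0x-prefixed hex or 0-prefixed octal, and the last part absorbs the remaining bytes (so 127.1 is 127.0.0.1 and 192.168.1 is 192.168.0.1). The URLs in the usage section are constructed for the example.

```python
from urllib.parse import urlsplit

HEX_DIGITS = set("0123456789abcdefABCDEF")
OCT_DIGITS = set("01234567")
DEC_DIGITS = set("0123456789")


def _parse_part(part: str) -> int:
    """Parse one dot-separated component using inet_aton's base rules."""
    if not part:
        raise ValueError("empty component")
    if part[:2].lower() == "0x":
        digits = part[2:]
        if not digits or not set(digits) <= HEX_DIGITS:
            raise ValueError(f"bad hex component {part!r}")
        return int(digits, 16)
    if len(part) > 1 and part[0] == "0":
        if not set(part) <= OCT_DIGITS:
            raise ValueError(f"bad octal component {part!r}")
        return int(part, 8)
    if not set(part) <= DEC_DIGITS:
        raise ValueError(f"bad decimal component {part!r}")
    return int(part, 10)


def inet_aton_int(text: str) -> int:
    """Return the 32-bit value of an IPv4 address in any inet_aton form."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"expected 1 to 4 components, got {len(parts)}")
    values = [_parse_part(p) for p in parts]
    # Leading components are one byte each; the final component fills the
    # remaining 8 * (5 - n) bits (8, 16, 24 or 32 bits for n = 4, 3, 2, 1).
    tail_bits = 8 * (5 - len(values))
    for v in values[:-1]:
        if v > 0xFF:
            raise ValueError(f"component {v} exceeds one byte")
    if values[-1] >= 1 << tail_bits:
        raise ValueError(f"final component {values[-1]} exceeds {tail_bits} bits")
    result = 0
    for v in values[:-1]:
        result = (result << 8) | v
    return (result << tail_bits) | values[-1]


def canonical(text: str) -> str:
    """Dotted-quad form of any inet_aton-style IPv4 representation."""
    value = inet_aton_int(text)
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def normalize_url_host(url: str):
    """Return the dotted-quad host of a URL whose host is a numeric IPv4
    representation, or None if the host is a DNS name or an IPv6 literal."""
    host = urlsplit(url).hostname
    if host is None or ":" in host:
        return None
    try:
        return canonical(host)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample URLs of the kind seen in maldocs; all point at the
    # same two hosts once normalized.
    samples = [
        "http://2130706433/stage2.bin",
        "http://0x7f.1/stage2.bin",
        "http://0177.0.0.1/stage2.bin",
        "http://0xC0A80001/",
        "http://3232235521/",
        "http://192.168.1/",
        "http://example.com/",
    ]
    for url in samples:
        print(f"{url:35} -> {normalize_url_host(url)}")
```

Note that urlsplit() lowercases nothing inside the host except scheme handling, so the parser treats 0X and 0x alike itself; a host containing any non-IPv4 character (a DNS name, for example) simply yields None rather than a false normalization.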
SANS 2022-11-05 22:02:59 Windows Malware with VHD Extension, (Sat, Nov 5th) (direct link) Windows 10 supports various virtual drives natively and can recognize and use ISO, VHD and VHDX files. The file included as an attachment with this email, when extracted, appears in the email as a PDF but is in fact a VHD file. Malware
SANS 2022-11-04 07:08:23 Remcos Downloader with Unicode Obfuscation, (Fri, Nov 4th) (direct link) I spotted a malicious RAR archive that contained a VBS script. It was called "Unidad judicial citacion pendiente Fiscalia.rar" and protected with a simple 4-digit password to defeat automatic scanning. Inside, the VBS script has the same name. Both are unknown to VT.
SANS 2022-11-03 01:29:48 Breakpoints in Burp, (Wed, Nov 2nd) (direct link) No, this is not a story about the Canadian Thanksgiving long weekend, it's about web application testing. I recently had a web application to assess, and I used Burp Suite Pro as part of that project. Burp is one of my favourite tools to aim at a website, it does a lot of the up-front "test everything" grunt work for you so you can then focus on the details that are most important.
SANS 2022-11-02 05:07:52 Who put the "Dark" in DarkVNC?, (Wed, Nov 2nd) (direct link) Introduction
SANS 2022-11-01 15:59:18 Critical OpenSSL 3.0 Update Released. Patches CVE-2022-3786, (Tue, Nov 1st) (direct link) As preannounced, OpenSSL released version 3.0.7, which patches a critical vulnerability. OpenSSL 3.0 was initially released in September of last year. ★★
SANS 2022-10-31 01:52:42 NMAP without NMAP - Port Testing and Scanning with PowerShell, (Mon, Oct 31st) (direct link) Ever needed to do a portscan and didn't have nmap installed? I've had this more than once on an internal pentest or more often just on run-rate "is that port open? / is there a host firewall in the way?" testing.
SANS 2022-10-30 09:13:45 Sysinternals Updates: Process Explorer v17.0, Handle v5.0, Process Monitor v3.92 and Sysmon v14.11, (Sun, Oct 30th) (direct link) Sysinternals tools updates have been released for
SANS 2022-10-29 14:07:37 Quickie: CyberChef & Microsoft Script Decoding, (Sat, Oct 29th) (direct link) This week I discovered a CyberChef operation I didn't know existed, but I'm quite familiar with the algorithm: "Microsoft Script Decoder" (it's been there at least since 2017).
SANS 2022-10-27 22:52:34 Supersizing your DUO and 365 Integration, (Thu, Oct 27th) (direct link)
SANS 2022-10-27 14:06:50 Upcoming Critical OpenSSL Vulnerability: What will be Affected?, (Thu, Oct 27th) (direct link) Some here may still remember Heartbleed. Heartbleed was a critical OpenSSL vulnerability that surprised many organizations, and patching the issue was a major undertaking. Heartbleed caused OpenSSL and other open source projects to rethink how they address security issues and how they communicate with their users. OpenSSL started to pre-announce any security updates about a week ahead of time. Vulnerability Patching
SANS 2022-10-26 13:09:23 Why is My Cat Using Baidu? And Other IoT DNS Oddities, (Wed, Oct 26th) (direct link) My cat, Gluon, is having a problem. Last year, a new cat, Einstein, invaded her property, and since then, she has no longer ventured outside after some unfortunate encounters with Einstein. Gluon now spends most of her time inside doing cat stuff like grooming and sleeping; unfortunately, she has gained an unhealthy amount of weight. To help, we got her an automated cat feeder to better control her food intake. The cat feeder is sporting not just the obligatory WiFi and Cloud/App connectivity but also a camera, so it was immediately moved to our "IoT" network.
SANS 2022-10-25 00:22:44 Apple Patches Everything: October 2022 Edition, (Tue, Oct 25th) (direct link) A quick summary of Apple's pretty massive patch day today. With the release of a new version of macOS, and updates for all operating systems Apple publishes, we got a total of 106 vulnerabilities. As before with Apple, the rating (critical/important) is our own and not based on a CVSS score, as Apple publishes none. I typically rate privilege escalation-like flaws as important and code execution flaws as critical. Let me know if you disagree with the rating. "other" just means that I didn't get around to rating the particular issue or that it affects multiple vulnerabilities.
SANS 2022-10-24 07:12:13 C2 Communications Through outlook.com, (Mon, Oct 24th) (direct link) Most malware implements communication with their C2 server over HTTP(S). Why? Just because it works! But there are multiple ways to implement C2 communications: DNS, P2P, Layer 7 (Twitter), ... Another one that has become less popular with time is SMTP (email communications). I spotted a malicious Python script that exchanges information with its C2 server through emails. Malware
SANS 2022-10-23 00:02:40 Video: PNG Analysis, (Sun, Oct 23rd) (direct link) Here is a video for my diary entry "PNG Analysis".
SANS 2022-10-22 20:30:51 rtfdump's Find Option, (Sat, Oct 22nd) (direct link) Due to the nature of the RTF language, malicious RTF files can be very obfuscated.
SANS 2022-10-21 00:03:49 sczriptzzbn inject pushes malware for NetSupport RAT, (Fri, Oct 21st) (direct link) Introduction Malware
SANS 2022-10-20 14:08:02 Forensic Value of Prefetch, (Thu, Oct 20th) (direct link) [This is a guest diary submitted by Logan Flook] When a program executes on a Windows system there are many artifacts that are generated which can assist digital forensic investigations. One of particular note is the Windows Prefetch file. Found in C:\Windows\Prefetch by default, prefetch files (.pf) contain a wealth of information that can prove vital to any investigation.
SANS 2022-10-19 11:57:59 Are Internet Scanning Services Good or Bad for You?, (Wed, Oct 19th) (direct link) I'm in Luxembourg to attend the first edition of the CTI Summit[1]. There was an interesting keynote performed by Patrice Auffret[2], the founder of Onyphe, about "Ethical Internet Scanning in 2022". There are plenty of online scanners that work 24x7 to build a map of the Internet. They scan the entire IP address space and look for interesting devices, vulnerabilities, etc. Big players are Shodan, Onyphe, Censys, ZoomEye, etc.
SANS 2022-10-18 05:11:17 Python Obfuscation for Dummies, (Tue, Oct 18th) (direct link) Recently, I found several malicious Python scripts that looked the same. They all contained the same strings at the end:
SANS 2022-10-17 10:05:24 Fileless Powershell Dropper, (Mon, Oct 17th) (direct link) I found an interesting PowerShell script that drops malware on the victim's computer. The dropped malware is not new (it's kinda old, though) but the dropper has a very low VirusTotal score. The script was detected by one of my hunting rules on VT. It is called "autopowershell.ps1" and has only a score of 3/61 (SHA256:3750576978bfd204c5ac42ee70fb5c21841899878bacc37151370d23e750f8c4)[1]. By "fileless", it means that the malware tries to reduce interactions with the file system to a minimum. But, to achieve persistence, it must write something on the disk. Most of the time, it's done through registry keys. That's what happens with this sample: Malware
SANS 2022-10-16 07:25:05 Video: Analysis of a Malicious HTML File (QBot), (Sun, Oct 16th) (direct link) I made a video for diary entry "Analysis of a Malicious HTML File (QBot)":
SANS 2022-10-15 22:41:34 Malware - Covid Vaccination Supplier Declaration, (Sat, Oct 15th) (direct link) This week's email is all about Covid, for all suppliers to declare their vaccination status, but the date is almost 1 year old.
SANS 2022-10-13 17:37:42 Analysis of a Malicious HTML File (QBot), (Thu, Oct 13th) (direct link) Reader Eric submitted a malicious HTML page that contains BASE64 images with malware.
SANS 2022-10-12 09:15:26 Scans for old Fortigate Vulnerability: Building Target Lists?, (Wed, Oct 12th) (direct link) These last few days, I saw a few requests associated with an older Fortigate vulnerability hitting our honeypots: Vulnerability
SANS 2022-10-11 17:22:43 October 2022 Microsoft Patch Tuesday, (Tue, Oct 11th) (direct link) Microsoft today released patches for 96 vulnerabilities. 13 patches are rated as critical, 71 as important and 1 as moderate. The Chromium vulnerabilities affecting Microsoft Edge have no rating.
SANS 2022-10-10 06:05:20 Wireshark: Specifying a Protocol Stack Layer in Display Filters, (Mon, Oct 10th) (direct link) The release of Wireshark 4.0.0 brings many new features, especially for the display filter syntax.
SANS 2022-10-09 17:57:45 Curl's resolve Option, (Sun, Oct 9th) (direct link) Someone at the BruCON conference told me that curl has a better option to handle the issues I talked about in my diary entry "Downloading Samples From Takendown Domains".
SANS 2022-10-08 07:46:31 Wireshark 4.0.0 Released, (Sat, Oct 8th) (direct link) Wireshark 4.0.0 was released. As announced here before, Windows 32-bit executables are no longer included in Wireshark releases starting with this release.
SANS 2022-10-08 07:29:36 Sysmon v14.1 Release, (Sat, Oct 8th) (direct link) This new release of Sysmon brings another blocking feature: FileBlockShredding. This prevents wiping tools like sdelete from shredding files.
SANS 2022-10-07 14:34:23 Critical Fortinet Vulnerability Ahead, (Fri, Oct 7th) (direct link) Fortinet has contacted[1] its customers to update as soon as possible to the latest version of their firewall (Fortigate) and proxies (FortiProxy) to fix a critical vulnerability. Assigned CVE-2022-40684, it is related to an authentication bypass on the administrative interface. Vulnerability
SANS 2022-10-07 06:21:03 Powershell Backdoor with DGA Capability, (Fri, Oct 7th) (direct link) DGA ("Domain Generation Algorithm") is a popular tactic used by malware to make connections with their C2 more stealthy and difficult to block. The idea is to generate domain names periodically and use them during the defined period. An alternative is to generate a lot of domains and loop across them to find an available C2 server. Attackers just register a few domain names and can change them very quickly. Malware
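The DGA entry above describes the mechanics in two sentences: derive a batch of domains from a shared secret plus the current time period, then loop over the batch until one resolves. The following added example, which is not the backdoor from the diary nor any real family's algorithm, implements a minimal time-seeded DGA of that shape and also shows the defender's side of the same function: because the generator is deterministic, anyone holding the seed can precompute the domains for coming periods and feed them to a blocklist or DNS sinkhole. The seed, TLD list, weekly period and the stub resolver are all hypothetical values constructed for the example.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical values: a real family hard-codes its own seed, alphabet,
# TLD list and rotation period, recovered by reverse engineering the sample.
SEED = b"example-campaign-seed"
TLDS = ("com", "net", "org")
PERIOD_DAYS = 7
DOMAINS_PER_PERIOD = 20


def period_key(day: date, period_days: int = PERIOD_DAYS) -> str:
    """Map a date to the first day of its rotation period (ISO string).

    Every day inside a period yields the same key, so the bot and anyone
    predicting its domains agree on the batch without talking to each other.
    """
    start = day - timedelta(days=day.toordinal() % period_days)
    return start.isoformat()


def generate_domains(day: date, count: int = DOMAINS_PER_PERIOD,
                     period_days: int = PERIOD_DAYS, seed: bytes = SEED) -> list:
    """Derive the candidate C2 domains for the period containing `day`."""
    key = period_key(day, period_days).encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + key + i.to_bytes(2, "big")).digest()
        length = 10 + digest[0] % 6                  # label of 10..15 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[31] % len(TLDS)]}")
    return domains


def pick_live_c2(day: date, resolver):
    """Bot side: walk the batch and return the first domain that resolves.

    `resolver(domain)` returns an address string or None; the attacker only
    has to register one name per period for the loop to succeed.
    """
    for domain in generate_domains(day):
        if resolver(domain) is not None:
            return domain
    return None


def defender_blocklist(start: date, days_ahead: int = 30) -> set:
    """Defender side: precompute every domain the bot could use in the window."""
    domains = set()
    for offset in range(days_ahead):
        domains.update(generate_domains(start + timedelta(days=offset)))
    return domains


if __name__ == "__main__":
    today = date(2022, 10, 7)
    batch = generate_domains(today)
    # Constructed resolver: only the sixth candidate has been registered.
    registered = {batch[5]: "203.0.113.10"}
    print("live C2 for this period:", pick_live_c2(today, registered.get))
    print("domains to sinkhole for the next 30 days:",
          len(defender_blocklist(today, 30)))
```

The blocklist side is the practical takeaway: DGA only buys the attacker stealth for as long as the seed stays secret, because the same function that hides the real C2 among decoys lets a defender enumerate all of them in advance.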
SANS 2022-10-06 17:07:19 What is in your Infosec Calendar?, (Thu, Oct 6th) (direct link) Lately, I have been toying with the idea of creating an "infosec calendar" with activities to perform regularly. The calendar would be more targeted at home users and enthusiasts, certainly not at enterprises, but they may develop their own based on some of these ideas.
Last update at: 2024-04-24 12:08:13