Category: SANS Internet Storm Center, InfoCON: green

I spotted another interesting file that uses, once again, steganography. It seems to be a trend (see one of my previous diaries[1]). The file is an malicious Excel sheet called blcopy.xls. Office documents are rare these days because Microsoft improved…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Friday, June 13th, 2025…

Read more →

[This is a Guest Diary by Michal Ambrozkiewicz, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1].] This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article:…

Read more →

[This is a Guest Diary by William Constantino, an ISC intern as part of the SANS.edu BACS program] This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: Automated Tools to Assist with DShield…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Thursday, June 12th, 2025…

Read more →

RAT's are popular malware. They are many of them in the wild, Quasar[1] being one of them. The malware has been active for a long time and new campaigns come regularly back on stage. I spotted an interesting .bat file…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Wednesday, June 11th, 2025…

Read more →

Microsoft today released patches for 67 vulnerabilities. 10 of these vulnerabilities are rated critical. One vulnerability has already been exploited and another vulnerability has been publicly disclosed before today. This article has been indexed from SANS Internet Storm Center, InfoCON:…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: 
OctoSQL & Vulnerability Data, (Sun, Jun 8th)

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Tuesday, June 10th, 2025…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: OctoSQL & Vulnerability Data, (Sun, Jun 8th)

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Monday, June 9th, 2025…

Read more →

Wireshark release 4.4.7 fixes 1 vulnerability (%%cve:2025-5601%%) and 8 bugs. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: Wireshark 4.4.7 Released, (Sun, Jun 8th)

Read more →

Inspired by Xavier's diary entry “A PNG Image With an Embedded Gift”, I updated my pngdump.py program to enable the extraction of chunks and extra data (similar to my other analysis tools, like pngdump.py). This article has been indexed from…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Friday, June 6th, 2025…

Read more →

There are some upcoming DShield honeypot [1] changes that introduce some opportunities for additional customization and data analysis. For most users, no additional actions are needed. A couple of those changes: This article has been indexed from SANS Internet Storm…

Read more →

Collaborative tools are really popular these days. Since the COVID-19 pandemic, many people switched to remote work positions and we need to collaborate with our colleagues or customers every day. Tools like Microsoft Teams, Zoom, WebEx, (name your best solution),…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Thursday, June 5th, 2025…

Read more →

I recently came across an interesting phishing e-mail. At first glance, it looked like a “normal” phishing that tried to pass itself off as a message from one of the Czech banks asking account holders to update their information… This…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Wednesday, June 4th, 2025…

Read more →

Last week, Ryan Dewhurst disclosed an interesting and easily exploitable vulnerability in vBulltin. These days, bulletin boards are not quite as popular as they used to be, but they are still being used, and vBulletin is one of the most…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Tuesday, June 3rd, 2025…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Monday, June 2nd, 2025…

Read more →

For most system and network administrators, the free SSH client Putty has been their best friend for years! This tool was also (ab)used by attackers that deployed a trojanized version[1]. Microsoft had the good idea to include OpenSSH (beta version)…

Read more →

YARA 4.5.3 was released with 5 bugfixes. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: YARA 4.5.3 Release, (Sun, Jun 1st)

Read more →

While hunting, I found an interesting picture. It's a PNG file that was concatenated with two interesting payloads. There are file formats that are good candidates to have data added at the end of the file. PNG is the case…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Friday, May 30th, 2025…

Read more →

DShield honeypots [1] receive different types of attack traffic and the volume of that traffic can change over time. I've been collecting data from a half dozen honeypots for a little over a year to make comparisons. This data includes: …

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Thursday, May 29th, 2025…

Read more →

[This is a Guest Diary by Ehsaan Mavani, an ISC intern as part of the SANS.edu BACS program] This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: Alternate Data Streams ? Adversary Defense…

Read more →

[This is a Guest Diary by Jennifer Wilson, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1].] This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article:…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Wednesday, May 28th, 2025…

Read more →

This is nothing “amazingly new”, but more of a reminder to secure your “authorized_keys” file for SSH. One of the first things I see even simple bots do to obtain persistent access to a UNIX system is to add a…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Tuesday, May 27th, 2025…

Read more →

Didier recently published several diaries related to steganography. I have to admit that steganography isn't exactly my favorite topic. It is one of those “neat” infosec toys, but its applicability is limited. Data exfiltration usually does not require proper steganography,…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Friday, May 23rd, 2025…

Read more →

If you are reading this, you are probably someone who will not easily go without internet connectivity for an extended amount of time. You may also have various home systems that you would like to be able to reach in…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Thursday, May 22nd, 2025…

Read more →

In February, we had a few diaries about crypto wallet scams. We saw these scams use YouTube comments, but they happened via other platforms and messaging systems, not just YouTube [1]. The scam was a bit convoluted: The scammer posted…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Wednesday, May 21st, 2025…

Read more →

We have been using our data to identify researchers scanning the internet for a few years. Currently, we are tracking 36 groups performing such scans, and our data feed of the IP addresses used contains around 33k addresses [1]. …

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Tuesday, May 20th, 2025…

Read more →

Like .Net, AutoIT[1] remains a popular language for years in the malware ecosystem. It's a simple language that can interact with all the components of the Windows operating system. I regularly discover AutoIT3 binaries (yes, it can be compiled). This…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Monday, May 19th, 2025…

Read more →

A couple years ago I published tool xorsearch.py for this diary entry: “Small Challenge: A Simple Word Maldoc – Part 4”. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: xorsearch.py: Python Functions,…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Friday, May 16th, 2025…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Thursday, May 15th, 2025…

Read more →

I published on the 29 Apr 2025 a diary [1] on scanning activity looking for SonicWall and since this publication this activity has grown 10-fold. Over the past 14 days, several BACS students have reported activity related to SonicWall scans…

Read more →

A couple of weeks ago, I came across a phishing campaign that highlights a recurring issue with open redirect vulnerabilities in well-known and trusted services. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Wednesday, May 14th, 2025…

Read more →

Today, Microsoft released its expected update for the May patch on Tuesday. This update fixes 78 vulnerabilities. 11 are rated as critical, and 66 as important. Five of the vulnerabilities have already been exploited and two were publicly known but…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Tuesday, May 13th, 2025…

Read more →

Apple released its expected update for all its operating systems. The update, in addition to providing new features, patches 65 different vulnerabilities. Many of these vulnerabilities affect multiple operating systems within the Apple ecosystem. This article has been indexed from…

Read more →

Unipi Technologies is a company developing programmable logic controllers for a number of different applications like home automation, building management, and industrial controls. The modules produced by Unipi are likely to appeal to a more professional audience. All modules are…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Monday, May 12th, 2025…

Read more →

When I tried to solve “Steganography Challenge” with the same method as I used in “Steganography Analysis With pngdump.py: Bitstreams”, I couldn't recover the text message. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Friday, May 9th, 2025…

Read more →

This quick diary is a perfect example of why I love Linux (or UNIX in general) operating system. There is always a way to “escape” settings imposed by an admin… This article has been indexed from SANS Internet Storm Center,…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Thursday, May 8th, 2025…

Read more →

Developers (of malware as well as goodware) don't have to reinvent the wheel all the time. Why rewrite a piece of code that was development by someone else? In the same way, all operating systems provide API calls (or system…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Wednesday, May 7th, 2025…

Read more →

Infostealers are everywhere for a while now. If this kind of malware is not aggressive, their impact can be much more impacting to the victim. Attackers need always more and more data to be sold or reused in deeper scenarios.…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Tuesday, May 6th, 2025…

Read more →

Last August, Samsung patched an arbitrary file upload vulnerability that could lead to remote code execution [1]. The announcement was very sparse and did not even include affected systems: This article has been indexed from SANS Internet Storm Center, InfoCON:…

Read more →

Last August, Samsung patched an arbitrary file upload vulnerability that could lead to remote code execution [1]. The announcement was very sparse and did not even include affected systems: This article has been indexed from SANS Internet Storm Center, InfoCON:…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Monday, May 5th, 2025…

Read more →

If you are interested in experimenting with steganography and my tools, I propose the following challenge. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: Steganography Challenge, (Sat, May 3rd)

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Friday, May 2nd, 2025…

Read more →

A friend asked me if my pngdump.py tool can extract individual bits from an image (cfr. diary entry “Steganography Analysis With pngdump.py”). This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: Steganography Analysis…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Thursday, May 1st, 2025…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Wednesday, April 30th, 2025…

Read more →

There was a post initially published in January 2022 showing an exploitable “probable zero-day vulnerabilities”[1] for Sonicwall but looking back in what has been submitted in the past year to ISC, this past week was the first time we have…

Read more →

Last week, I wrote about scans for Teltonika Networks SMS Gateways. Attackers are always looking for cheap (free) ways to send SMS messages and gain access to not-blocklisted numbers. So, I took a closer look at similar scans we have…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Tuesday, April 29th, 2025…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Monday, April 28th, 2025…

Read more →

body { font-family: Arial, sans-serif; line-height: 1.6; margin: 20px; } This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: SRUM-DUMP Version 3: Uncovering Malware Activity in Forensics, (Sun, Apr 27th)

Read more →

I like it when a diary entry like “Example of a Payload Delivered Through Steganography” is published: it gives me an opportunity to test my tools, in particular pngdump.py, a tool to analyze PNG files. This article has been indexed…

Read more →

In this diary, I&#x27ll show you a practical example of how steganography is used to hide payloads (or other suspicious data) from security tools and Security Analysts&#x27 eyes. Steganography can be defined like this: It is the art and science…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Friday, April 25th, 2025…

Read more →

Ever wonder where all the SMS spam comes from? If you are trying to send SMS “at scale,” there are a few options: You could sign up for a messaging provider like Twilio, the AWS SNS service, or several similar…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Thursday, April 24th, 2025…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Wednesday, April 23rd, 2025…

Read more →

In the last week I ran into some issues that I hadn't anticipated: This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: Honeypot Iptables Maintenance and DShield-SIEM Logging, (Wed, Apr 23rd)

Read more →

In diary entry “xorsearch.py: Searching With Regexes” I showed how one can let xorsearch.py generate a YARA rule with a given regular expression. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: xorsearch.py:…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Tuesday, April 22nd, 2025…

Read more →

While the old adage stating that “the human factor is the weakest link in the cyber security chain” will undoubtedly stay relevant in the near (and possibly far) future, the truth is that the tech industry could – and should…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Monday, April 21st, 2025…

Read more →

Wireshark release 4.4.6 fixes 14 bugs. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: Wireshark 4.4.6 Released, (Sun, Apr 20th)

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Friday, April 18th, 2025…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Thursday, April 17th, 2025…

Read more →

[This is a Guest Diary by Jacob Claycamp, an ISC intern as part of the SANS.edu BACS program] This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: RedTail, Remnux and Malware Management [Guest…

Read more →

This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: Apple Patches Exploited Vulnerability, (Wed, Apr 16th)

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Wednesday, April 16th, 2025…

Read more →

If Attackers can abuse free online services, they will do for sure! Why spend time to deploy a C2 infrastructure if you have plenty of ways to use “official” services. Not only, they don't cost any money but the traffic…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Tuesday, April 15th, 2025…

Read more →

As promised in diary entry “XORsearch: Searching With Regexes”, I will outline another method to search with xorsearch and regexes. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: xorsearch.py: Searching With Regexes,…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Monday, April 14th, 2025…

Read more →

Two weeks ago, version 1.3.0 of Langflow was released. The release notes list many fixes but do not mention that one of the “Bug Fixes” addresses a major vulnerability. Instead, the release notes state, “auth current user on code validation.”…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Friday, April 11th, 2025…

Read more →

This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Thursday, April 10th, 2025…

Read more →