Category: SANS Internet Storm Center, InfoCON: green

From JavaScript to AsyncRAT, (Thu, Mar 28th)

This post doesn’t have text content; please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green.

Scans for Apache OfBiz, (Wed, Mar 27th)

Today, I noticed in our “first seen URL” list two URLs I didn't immediately recognize: …

New tool: linux-pkgs.sh, (Sun, Mar 24th)

During a recent Linux forensic engagement, a colleague asked if there was any way to tell what packages were installed on a victim image. As we talk about in FOR577, depending on which tool you run on a live system and…

1768.py’s Experimental Mode, (Sat, Mar 23rd)

The reason I extracted a PE file in my last diary entry is that I discovered it was the dropper of a Cobalt Strike beacon @DebugPrivilege had pointed me to. My 1768.py tool crashed on the process memory dump. This…

Whois “geofeed” Data, (Thu, Mar 21st)

Attributing a particular IP address to a specific location is hard and often fails miserably. There are several difficulties that I have talked about before: Out-of-date whois data, data that is outright fake, or was never correct in the first…

Scans for Fortinet FortiOS and the CVE-2024-21762 vulnerability, (Wed, Mar 20th)

Late last week, an exploit surfaced on GitHub for CVE-2024-21762 [1]. This vulnerability affects Fortinet's FortiOS. A patch was released on February 8th. Owners of affected devices had over a month to patch [2]. A few days prior to the GitHub…

Attacker Hunting Firewalls, (Tue, Mar 19th)

Firewalls and other perimeter devices are a huge target these days. Ivanti, Fortigate, Citrix, and others offer plenty of difficult-to-patch vulnerabilities for attackers to exploit. Ransomware actors and others are always on the lookout for new victims. However, being and…

Obfuscated Hexadecimal Payload, (Sat, Mar 16th)

This PE file contains an obfuscated hexadecimal-encoded payload. When I analyze it with base64dump.py searching for all supported encodings, a very long payload is detected: …

5Ghoul Revisited: Three Months Later, (Fri, Mar 15th)

About three months ago, I wrote about the implications and impacts of 5Ghoul in a previous diary [1]. The 5Ghoul family of vulnerabilities could cause User Equipment (UEs) to be continuously exploited (e.g. dropping/freezing connections, which would require manual rebooting…

Microsoft Patch Tuesday – March 2024, (Tue, Mar 12th)

This month's patches are oddly “light”. We have patches for 60 vulnerabilities and 4 Chromium patches affecting Microsoft Edge. But only two of the vulnerabilities are rated as “Critical”: …

Why Your Firewall Will Kill You, (Tue, Mar 5th)

The last few years have been great for attackers exploiting basic web application vulnerabilities. Usually, home and small business products from companies like Linksys, D-Link, and Ubiquiti are known to be favorite targets. But over the last couple of years,…

Take Downs and the Rest of Us: Do they matter?, (Tue, Feb 27th)

Last week, the US Department of Justice published a press release entitled “Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation's Main Intelligence Directorate of the General Staff (GRU)” [1]. The disruption targeted a botnet built using…

Update: MGLNDD_* Scans, (Sat, Feb 24th)

Almost 2 years ago, a reader asked us about TCP connections they observed. The data of these TCP connections starts with “MGLNDD_”: “MGLNDD_* Scans”. …

Apple Patches for CVE-2021-30807, (Tue, Jul 27th)

Apple has released another update (the previous update was only about 5 days ago) to address CVE-2021-30807, which was discovered by an anonymous researcher. This update resolves an issue…

Failed Malspam: Recovering The Password, (Mon, Jul 26th)

Jan's diary entry “One way to fail at malspam – give recipients the wrong password for an encrypted attachment” got my attention: it's an opportunity for me to…

Lost in the Cloud: Akamai DNS Outage, (Thu, Jul 22nd)

As we have already received a number of notes from readers: currently, Akamai's DNS service appears to be experiencing an outage that affects numerous other large websites. …

Video: CyberChef BASE85 Decoding, (Sun, Jul 18th)

In this video, I show how to decode the sample from Xavier's diary entry “Multiple BaseXX Obfuscations” with CyberChef.

BASE85 Decoding With base64dump.py, (Sat, Jul 17th)

Xavier's diary entry “Multiple BaseXX Obfuscations” covers a malicious script that is encoded with different “base” encodings. Xavier starts with my tool base64dump.py, but he cannot do…

Multiple BaseXX Obfuscations, (Fri, Jul 16th)

I found an interesting malicious Python script during my daily hunting routine. The script has a VT score of 2/58 [1] (SHA256: 6990298edd0d66850578bfd1e1b9d42abfe7a8d1deb828ef0c7017281ee7c5b7). Its purpose is to perform the…

Microsoft July 2021 Patch Tuesday, (Tue, Jul 13th)

This month we got patches for 117 vulnerabilities. Of these, 13 are critical, 6 were previously disclosed and 4 are being exploited, according to Microsoft. …

Microsoft Releases Patches for CVE-2021-34527, (Wed, Jul 7th)

Microsoft today released patches for CVE-2021-34527, the vulnerability also known as “PrintNightmare”. Patches are currently available for these versions of Windows: …

Python DLL Injection Check, (Tue, Jul 6th)

There are many security tools that inject DLLs into processes running on a Windows system. The classic examples are anti-virus products. They like to inject plenty of code…

Finding Strings With oledump.py, (Sat, Jul 3rd)

In diary entry “CFBF Files Strings Analysis” I show how to extract strings from CFBF/OLE files with my tool oledump.py.

Kaseya VSA Users Hit by Ransomware, (Fri, Jul 2nd)

We are aware that some MSSPs' (Managed Security Services Providers') customers have been hit by ransomware. It seems that four (4) MSSPs have been affected until now. The…

“inception.py”… Multiple Base64 Encodings, (Fri, Jul 2nd)

“Inception” is a very nice SF movie in which, if you have not watched it, dreams are implanted in people's minds to help gain access to sensitive information…