Category: SANS Full Feed

Sensors reporting firewall logs detected a significant increase in scans for port 8530/TCP and 8531/TCP over the course of last week. Some of these reports originate from Shadowserver, and likely other researchers, but there are also some that do not correspond to known research-related IP addresses. CVE-2025-59287 is exploited by connecting to affected WSUS servers…

Read More

This week, I noticed some new HTTP request headers that I had not seen before: X-Request-Purpose: Research and X-Hackerone-Research: plusultra X-Bugcrowd-Ninja: plusultra X-Bug-Hunter: true The purpose of these headers appears to be to identify them as being sent as part of a bug bounty. Some companies request the use of these headers as part of…

Read More

I’ve been doing Unix/Linux IR and Forensics for a long time. I logged into a Unix system for the first time in 1983. That’s one of the reasons I love teaching FOR577[1], because I have stories that go back to before some of my students were even born that are still relevant today. In recent…

Read More

While reviewing malicious messages that were delivered to our handler inbox over the past few days, I noticed that the “subject” of one phishing e-mail looked quite strange when displayed in the Outlook message list… As you can see, once the message was open, the subject was displayed as a normal, readable text. This suggested…

Read More

I was intrigued when Johannes talked about malware that uses BASE64 over DNS to communicate. Take a DNS request like this: label1.label2.tld. Labels in a request like this can only be composed with letters (not case-sensitive), digits and a hyphen character (-). While BASE64 is encoded with letters (uppercase and lowercase), digits and special characters +…

Read More