News
ISC Stormcast For Wednesday, August 5th 2020 https://isc.sans.edu/podcastdetail.html?id=7110, (Wed, Aug 5th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Reposted from SANS. View original.
Read moreTraffic Analysis Quiz: What's the Malware From This Infection?, (Wed, Aug 5th)
Introduction Today’s diary is a traffic analysis quiz where you try to identify the malware based on a pcap of traffic from an infected Windows host. Download the pcap from this page, which also has the alerts. Don’t open or review the alerts yet, because they give away the answer. Meanwhile, I’ll provide the requirements […]
Read moreIssue #61 – Volume XXII – SANS Newsbites – August 4th, 2020
Reposted from SANS NewsBites. Click here to read the original posting.
Read moreInternet Choke Points: Concentration of Authoritative Name Servers, (Tue, Aug 4th)
A utopian vision of the Internet often describes it as a distributed partnership of equals giving everybody the ability to publish and discover information worldwide. This open, democratic Internet is often little more than an imaginary legacy construct that may have existed at some time in the distant past, if ever. Reality: Today, the Internet […]
Read moreReminder: Patch Cisco ASA / FTD Devices (CVE-2020-3452). Exploitation Continues , (Tue, Aug 4th)
Just a quick reminder: We are continuing to see small numbers of exploit attempts against CVE-2020-3452. Cisco patched this directory traversal vulnerability in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The exploit is rather simple and currently used to find vulnerable systems by reading benign LUA source code files. Example attempts: GET […]
Read moreISC Stormcast For Tuesday, August 4th 2020 https://isc.sans.edu/podcastdetail.html?id=7108, (Tue, Aug 4th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Reposted from SANS. View original.
Read morePowershell Bot with Multiple C2 Protocols, (Mon, Aug 3rd)
I spotted another interesting Powershell script. It’s a bot and is delivered through a VBA macro that spawns an instance of msbuild.exe This Windows tool is often used to compile/execute malicious on the fly (I already wrote a diary about this technique[1]). I don’t have the original document but based on a technique used in the macro, it is part […]
Read moreISC Stormcast For Monday, August 3rd 2020 https://isc.sans.edu/podcastdetail.html?id=7106, (Mon, Aug 3rd)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Reposted from SANS. View original.
Read moreSmall Challenge: A Simple Word Maldoc, (Sun, Aug 2nd)
A reader submitted malicious Word document deed contract,07.20.doc (also uploaded the Malware Bazaar). There are a couple of interesting aspects to this document. The first, that I will point out here, is that the VBA code is quite simple. The code is quite short. And there is string obfuscation. In this diary, I’m not going […]
Read moreWhat pages do bad bots look for?, (Sat, Aug 1st)
I’ve been wondering for some time now about what pages and paths are visited the most by “bad” bots – scrapers, data harvesters and other automated scanners which disregards the exclusions set in robots.txt[1]. To determine this, I’ve set up a little experiment – I placed robots.txt on one of my domains, which disallowed access […]
Read more
