News

ISC Stormcast For Wednesday, August 5th 2020 https://isc.sans.edu/podcastdetail.html?id=7110, (Wed, Aug 5th)

Published August 4, 2020

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Reposted from SANS.

Traffic Analysis Quiz: What's the Malware From This Infection?, (Wed, Aug 5th)

Published August 4, 2020

Introduction: Today’s diary is a traffic analysis quiz where you try to identify the malware based on a pcap of traffic from an infected Windows host. Download the pcap from this page, which also has the alerts. Don’t open or review the alerts yet, because they give away the answer. Meanwhile, I’ll provide the requirements […]

Issue #61 – Volume XXII – SANS Newsbites – August 4th, 2020

Published August 4, 2020

Reposted from SANS NewsBites.

Internet Choke Points: Concentration of Authoritative Name Servers, (Tue, Aug 4th)

Published August 4, 2020

A utopian vision of the Internet often describes it as a distributed partnership of equals giving everybody the ability to publish and discover information worldwide. This open, democratic Internet is often little more than an imaginary legacy construct that may have existed at some time in the distant past, if ever. Reality: Today, the Internet […]

Reminder: Patch Cisco ASA / FTD Devices (CVE-2020-3452). Exploitation Continues, (Tue, Aug 4th)

Published August 4, 2020

Just a quick reminder: We are continuing to see small numbers of exploit attempts against CVE-2020-3452. Cisco patched this directory traversal vulnerability in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The exploit is rather simple and currently used to find vulnerable systems by reading benign Lua source code files. Example attempts: GET […]

ISC Stormcast For Tuesday, August 4th 2020 https://isc.sans.edu/podcastdetail.html?id=7108, (Tue, Aug 4th)

Published August 3, 2020

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Reposted from SANS.

Powershell Bot with Multiple C2 Protocols, (Mon, Aug 3rd)

Published August 3, 2020

I spotted another interesting Powershell script. It’s a bot and is delivered through a VBA macro that spawns an instance of msbuild.exe. This Windows tool is often used to compile/execute malicious code on the fly (I already wrote a diary about this technique[1]). I don’t have the original document, but based on a technique used in the macro, it is part […]

ISC Stormcast For Monday, August 3rd 2020 https://isc.sans.edu/podcastdetail.html?id=7106, (Mon, Aug 3rd)

Published August 2, 2020

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Reposted from SANS.

Small Challenge: A Simple Word Maldoc, (Sun, Aug 2nd)

Published August 2, 2020

A reader submitted a malicious Word document, deed contract,07.20.doc (also uploaded to Malware Bazaar). There are a couple of interesting aspects to this document. The first, which I will point out here, is that the VBA code is quite simple. The code is quite short, and there is string obfuscation. In this diary, I’m not going […]

What pages do bad bots look for?, (Sat, Aug 1st)

Published August 1, 2020

I’ve been wondering for some time now about what pages and paths are visited the most by “bad” bots – scrapers, data harvesters and other automated scanners which disregard the exclusions set in robots.txt[1]. To determine this, I’ve set up a little experiment – I placed robots.txt on one of my domains, which disallowed access […]