This post doesn’t have text content, please click on the link below to view the original article. This article has been indexed from SANS Internet Storm Center, InfoCON: green Read the original article: ISC Stormcast For Monday, October 21st, 2024…
Tag: SANS Internet Storm Center, InfoCON: green
ISC Stormcast For Friday, October 18th, 2024 https://isc.sans.edu/podcastdetail/9186, (Fri, Oct 18th)
ISC Stormcast For Thursday, October 17th, 2024 https://isc.sans.edu/podcastdetail/9184, (Thu, Oct 17th)
Scanning Activity from Subnet 15.184.0.0/16, (Thu, Oct 17th)
I noticed in my logs 2 weeks ago regular probes from a subnet in the Amazon cloud, only scanning for TCP/8080, captured by the iptables of my DShield sensor. The scanning started on 15 Aug – 4 Oct 2024…
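A DShield sensor logs every dropped packet through the iptables LOG target, so the question "which network is hammering port 8080?" is a matter of parsing those kernel log lines and grouping sources by prefix. The script below is an added example, not code from the diary or from the DShield project: the log lines are constructed in the standard iptables LOG format, the 15.184.0.0/16 addresses stand in for the subnet named above, and the other addresses are documentation-range values invented for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the iptables LOG format that a DShield sensor writes to syslog.
# The 15.184.0.0/16 sources stand in for the subnet named in the diary; the rest are
# documentation-range addresses invented for this example.
SAMPLE_LOG = """\
Oct  4 10:01:12 sensor kernel: [1001.1] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=15.184.12.34 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=51234 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Oct  4 10:02:40 sensor kernel: [1002.2] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=15.184.77.2 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=44010 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Oct  4 10:05:03 sensor kernel: [1003.3] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=15.184.12.34 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=3 DF PROTO=TCP SPT=51240 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Oct  4 10:06:15 sensor kernel: [1004.4] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=15.184.200.9 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=4 DF PROTO=TCP SPT=39000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Oct  4 10:07:59 sensor kernel: [1005.5] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=5 DF PROTO=TCP SPT=60001 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Oct  4 10:08:30 sensor kernel: [1006.6] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=15.184.3.3 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=6 DF PROTO=UDP SPT=5353 DPT=53 LEN=40
Oct  4 10:09:01 sensor kernel: [1007.7] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=15.184.9.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
"""

# SPT/DPT only exist for TCP/UDP; ICMP lines carry TYPE/CODE instead, so the port group is optional.
IPT_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_iptables(lines):
    """Yield one dict per iptables LOG line; lines without SRC/DST/PROTO fields are skipped."""
    for line in lines:
        m = IPT_RE.search(line)
        if not m:
            continue
        yield {
            "src": m["src"],
            "dst": m["dst"],
            "proto": m["proto"],
            "dpt": int(m["dpt"]) if m["dpt"] else None,
        }


def ports_hit_from_subnet(lines, subnet, proto="TCP"):
    """Destination-port histogram and the distinct sources seen from one subnet."""
    net = ipaddress.ip_network(subnet)
    ports, sources = Counter(), set()
    for rec in parse_iptables(lines):
        if rec["proto"] != proto or rec["dpt"] is None:
            continue
        if ipaddress.ip_address(rec["src"]) in net:
            ports[rec["dpt"]] += 1
            sources.add(rec["src"])
    return ports, sorted(sources, key=ipaddress.ip_address)


def sources_by_prefix(lines, dport, prefixlen=16, proto="TCP"):
    """Count probes of one port per /prefixlen network: the view that makes a noisy /16 stand out."""
    hits = Counter()
    for rec in parse_iptables(lines):
        if rec["proto"] == proto and rec["dpt"] == dport:
            net = ipaddress.ip_network(f"{rec['src']}/{prefixlen}", strict=False)
            hits[str(net)] += 1
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(sources_by_prefix(lines, 8080))
    print(ports_hit_from_subnet(lines, "15.184.0.0/16"))
```

On a real sensor, feed it `/var/log/kern.log` (or the DShield SIEM's parsed copy) instead of the embedded sample; the /16 grouping is what turns a few thousand single-packet SYNs into one attributable subnet, and the per-subnet port histogram confirms whether it is a single-port sweep like the one above or a broader scan.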
The Top 10 Not So Common SSH Usernames and Passwords, (Wed, Oct 16th)
Our list of “Top” ssh usernames and passwords is pretty static. Well known defaults, like “root” and “admin”, are at the top of the list. But there are always some usernames and passwords in the list that are not as…
ISC Stormcast For Wednesday, October 16th, 2024 https://isc.sans.edu/podcastdetail/9182, (Wed, Oct 16th)
Angular-base64-update Demo Script Exploited (CVE-2024-42640), (Tue, Oct 15th)
Demo scripts left behind after installing applications or frameworks are an ongoing problem. After installation, removing any “demo” or “example” folders is usually best. A few days ago, Ravindu Wickramasinghe noticed that the Angular-base64-upload project is leaving behind a demo…
ISC Stormcast For Tuesday, October 15th, 2024 https://isc.sans.edu/podcastdetail/9180, (Tue, Oct 15th)
Phishing Page Delivered Through a Blob URL, (Mon, Oct 14th)
I receive a lot of spam in my catch-all mailboxes. While most of them are not interesting, some still attract my attention, especially the one that I'll describe in this diary. The scenario is classic: an important document is pending…
ISC Stormcast For Monday, October 14th, 2024 https://isc.sans.edu/podcastdetail/9178, (Mon, Oct 14th)
Wireshark 4.4.1 Released, (Sun, Oct 13th)
Wireshark release 4.4.1 fixes 2 vulnerabilities and 27 bugs. One of these bugfixes is for the missing IP address plugin on Windows, see “Wireshark 4.4's IP Address Functions”.
ISC Stormcast For Friday, October 11th, 2024 https://isc.sans.edu/podcastdetail/9176, (Fri, Oct 11th)
GPTHoney: A new class of honeypot [Guest Diary], (Thu, Oct 10th)
[This is a Guest Diary by Christopher Schroeder, an ISC intern as part of the SANS.edu BACS program]
ISC Stormcast For Thursday, October 10th, 2024 https://isc.sans.edu/podcastdetail/9174, (Thu, Oct 10th)
From Perfctl to InfoStealer, (Wed, Oct 9th)
A few days ago, a new stealthy malware targeting Linux hosts made a lot of noise: perfctl[1]. The malware has been pretty well analyzed and I won't repeat what has been already disclosed. I found a copy of the “httpd”…
ISC Stormcast For Wednesday, October 9th, 2024 https://isc.sans.edu/podcastdetail/9172, (Wed, Oct 9th)
Microsoft Patch Tuesday – October 2024, (Tue, Oct 8th)
Microsoft today released patches for 117 vulnerabilities. Three additional vulnerabilities apply to Chromium/Edge. Another three vulnerabilities are rated critical.
ISC Stormcast For Tuesday, October 8th, 2024 https://isc.sans.edu/podcastdetail/9170, (Tue, Oct 8th)
macOS Sequoia: System/Network Admins, Hold On!, (Mon, Oct 7th)
It's always tempting to install the latest releases of your preferred software and operating systems. After all, that's the message we pass to our beloved users: “Patch, patch, and patch again!”. Last week, I was teaching for SANS and decided…
ISC Stormcast For Monday, October 7th, 2024 https://isc.sans.edu/podcastdetail/9168, (Mon, Oct 7th)
Survey of CUPS exploit attempts, (Fri, Oct 4th)
It is about a week since the release of the four CUPS remote code execution vulnerabilities. After the vulnerabilities became known, I configured one of our honeypots that watches a larger set of IPs to specifically collect UDP packets to…
ISC Stormcast For Friday, October 4th, 2024 https://isc.sans.edu/podcastdetail/9166, (Fri, Oct 4th)
ISC Stormcast For Thursday, October 3rd, 2024 https://isc.sans.edu/podcastdetail/9164, (Thu, Oct 3rd)
Kickstart Your DShield Honeypot [Guest Diary], (Thu, Oct 3rd)
[This is a Guest Diary by Joshua Gilman, an ISC intern as part of the SANS.edu BACS program]
Security related Docker containers, (Wed, Oct 2nd)
Over the last 9 months or so, I've been putting together some docker containers that I find useful in my day-to-day malware analysis and forensicating. I have been putting them up on hub.docker.com and decided, I might as well let…
ISC Stormcast For Wednesday, October 2nd, 2024 https://isc.sans.edu/podcastdetail/9162, (Wed, Oct 2nd)
Hurricane Helene Aftermath – Cyber Security Awareness Month, (Tue, Oct 1st)
For a few years now, October has been “National Cyber Security Awareness Month”. This year, it is a good opportunity for a refresher on some scams that tend to happen around disasters like Hurricane Helene. The bigger the disaster, the…
ISC Stormcast For Tuesday, October 1st, 2024 https://isc.sans.edu/podcastdetail/9160, (Tue, Oct 1st)
Tool update: mac-robber.py and le-hex-to-ip.py, (Mon, Sep 30th)
One of the problems I've had since I originally wrote mac-robber.py [1][2][3] seven years ago is that because of the underlying os.stat python library we couldn't get file creation times (B-times). Since the release of GNU coreutils 8.32 (or so),…
ISC Stormcast For Monday, September 30th, 2024 https://isc.sans.edu/podcastdetail/9158, (Mon, Sep 30th)
ISC Stormcast For Friday, September 27th, 2024 https://isc.sans.edu/podcastdetail/9156, (Fri, Sep 27th)
Patch for Critical CUPS vulnerability: Don’t Panic, (Thu, Sep 26th)
These last two days, there has been a lot of talk about a “Doomsday 9.9 RCE bug” in Linux [1]. We now have some additional details from Simone Margaritelli, who discovered and reported the vulnerabilities.
ISC Stormcast For Thursday, September 26th, 2024 https://isc.sans.edu/podcastdetail/9154, (Thu, Sep 26th)
OSINT – Image Analysis or More Where, When, and Metadata [Guest Diary], (Wed, Sep 25th)
[This is a Guest Diary by Thomas Spangler, an ISC intern as part of the SANS.edu BACS program]
DNS Reflection Update and Odd Corrupted DNS Requests, (Wed, Sep 25th)
Occasionally, I tend to check in on what reflective DNS denial of service attacks are doing. We usually see steady levels of attacks. Usually, they attempt to use spoofed requests for ANY records to achieve the highest possible amplification. Currently,…
ISC Stormcast For Wednesday, September 25th, 2024 https://isc.sans.edu/podcastdetail/9152, (Wed, Sep 25th)
Exploitation of RAISECOM Gateway Devices Vulnerability CVE-2024-7120, (Tue, Sep 24th)
Late in July, a researcher using the alias “NETSECFISH” published a blog post revealing a vulnerability in RAISECOM gateway devices [1]. The vulnerability affects the “vpn/list_base_Config.php” endpoint and allows for unauthenticated remote code execution. According to Shodan, about 25,000 vulnerable…
ISC Stormcast For Tuesday, September 24th, 2024 https://isc.sans.edu/podcastdetail/9150, (Tue, Sep 24th)
Phishing links with @ sign and the need for effective security awareness building, (Mon, Sep 23rd)
While going over a batch of phishing e-mails that were delivered to us here at the Internet Storm Center during the first half of September, I noticed one message which was somewhat unusual. Not because it was untypically sophisticated or…
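The trick in the title works because a URL's authority component may carry userinfo before an `@`: everything the victim reads as the site name is, to the browser, a username, and the request goes to the host after the `@`. The script below is an added example, not code from the diary; it uses only the standard library, the sample links are constructed with documentation-range addresses and made-up names, and the "looks like a domain" heuristic is an assumption of the example rather than a rule the diary states.

```python
from urllib.parse import urlsplit

# Constructed sample links for the example; the hosts are documentation-range addresses and
# made-up names, not indicators from the diary.
SAMPLE_LINKS = [
    "https://login.microsoft.com@203.0.113.7/owa/auth",
    "https://sharepoint.example.com@phish.example.net/docs/Invoice.pdf",
    "http://user:secret@example.org/",
    "https://login.microsoft.com/owa/auth",
]

HOSTNAME_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789.-")


def analyze_link(url):
    """Split a link the way a browser does: anything before the last '@' in the authority is
    userinfo, and the request actually goes to the host after it."""
    if "://" not in url:
        url = "http://" + url  # a bare "host@host/path" in a mail body gets linkified as HTTP
    parts = urlsplit(url)
    netloc = parts.netloc
    userinfo = netloc.rsplit("@", 1)[0] if "@" in netloc else None
    # Heuristic (an assumption of this example): userinfo made only of hostname characters and
    # containing a dot is there to impersonate a domain, not to carry credentials.
    looks_like_domain = (
        bool(userinfo) and "." in userinfo and set(userinfo.lower()) <= HOSTNAME_CHARS
    )
    return {
        "displayed_prefix": userinfo,   # what the victim reads as the site
        "real_host": parts.hostname,    # where the browser actually connects
        "path": parts.path,
        "deceptive": looks_like_domain,
    }


def flag_deceptive_links(urls):
    """(real_host, displayed_prefix) for every link whose userinfo masquerades as a domain."""
    results = (analyze_link(u) for u in urls)
    return [(r["real_host"], r["displayed_prefix"]) for r in results if r["deceptive"]]


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(analyze_link(link))
```

The third sample shows why the check must not simply reject every `@`: `user:secret@example.org` is ordinary basic-auth syntax. What separates the phishing case is that the userinfo is shaped like a hostname, so the awareness message to pass on is to read the part immediately before the first `/` after the `@`, not the start of the link.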
ISC Stormcast For Monday, September 23rd, 2024 https://isc.sans.edu/podcastdetail/9148, (Mon, Sep 23rd)
ISC Stormcast For Friday, September 20th, 2024 https://isc.sans.edu/podcastdetail/9146, (Fri, Sep 20th)
Fake GitHub Site Targeting Developers, (Thu, Sep 19th)
Our reader “RoseSecurity” forwarded the following malicious email:
ISC Stormcast For Thursday, September 19th, 2024 https://isc.sans.edu/podcastdetail/9144, (Thu, Sep 19th)
Time-to-Live Analysis of DShield Data with Vega-Lite, (Wed, Sep 18th)
Since posting a diary about Vega-Lite [1], I have “played” with other queries that might be interesting, and the first one that I wanted to explore, since the DShield SIEM [2] captures and parses the iptables logs and stores the…
Python Infostealer Patching Windows Exodus App, (Wed, Sep 18th)
A few months ago, I wrote a diary[1] about a Python script that replaced the Exodus[2] Wallet app with a rogue one on macOS. Infostealers are everywhere these days. They target mainly browsers (cookies, credentials) and classic applications that may…
ISC Stormcast For Wednesday, September 18th, 2024 https://isc.sans.edu/podcastdetail/9142, (Wed, Sep 18th)
23:59, Time to Exfiltrate!, (Tue, Sep 17th)
Last week, I posted a diary about suspicious Python modules. One of them was Firebase [1], the cloud service provided by Google[2]. Abuse of Firebase services by attackers is not new; usually, it's used to host malicious files that will be…
ISC Stormcast For Tuesday, September 17th, 2024 https://isc.sans.edu/podcastdetail/9140, (Tue, Sep 17th)
Managing PE Files With Overlays, (Mon, Sep 16th)
There is a common technique used by attackers: They append some data at the end of files (this is called an overlay). This can be used for two main reasons: To hide the appended data from the operating system (steganography).…
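An overlay is simply everything past the end of the last section's raw data, so finding it needs only the section table: the overlay starts at the largest `PointerToRawData + SizeOfRawData`. One caveat a triage script has to handle is that signed binaries legitimately carry an overlay, the Authenticode certificate table pointed to by the Security data directory, so only the bytes after that table are suspicious. The code below is an added example, not a tool from the diary; `build_minimal_pe` constructs a tiny non-runnable PE32 purely so the parser can be exercised offline, and the parser follows the PE/COFF header layout without using any third-party library.

```python
import struct

SECTION_HEADER_SIZE = 40


def build_minimal_pe(section_data, overlay=b"", cert=b""):
    """Build a tiny, non-runnable PE32 file with one .text section (constructed for this example).
    If `cert` is given it is placed right after the last section and DataDirectory[4] (Security)
    is pointed at it, which is how an Authenticode signature is stored."""
    file_align, raw_ptr = 0x200, 0x200
    raw_size = -(-len(section_data) // file_align) * file_align   # round up to alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)    # e_lfanew -> 0x40
    size_opt = 0xE0                                                # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    if cert:
        # Security directory: a *file offset* (not an RVA) and the size of the certificate table
        struct.pack_into("<II", opt, 96 + 4 * 8, raw_ptr + raw_size, len(cert))
    sect = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(section_data), 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sect
    body = headers.ljust(raw_ptr, b"\0") + section_data.ljust(raw_size, b"\0")
    return body + cert + overlay


def overlay_info(data):
    """Locate the overlay (bytes past the end of the last section's raw data) and separate the
    Authenticode certificate table, a legitimate overlay on signed files, from any appended tail."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    sect_table = opt + size_opt
    end = sect_table + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20 of each section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_table + i * SECTION_HEADER_SIZE + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    end = min(end, len(data))                      # truncated file: nothing beyond EOF
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96)     # data directories: PE32+ vs PE32
    cert_off = cert_size = 0
    if size_opt >= (dd - opt) + 5 * 8:
        cert_off, cert_size = struct.unpack_from("<II", data, dd + 4 * 8)
    cert_end = cert_off + cert_size if cert_size and cert_off >= end else 0
    return {
        "overlay_offset": end,
        "overlay_size": len(data) - end,
        "cert_offset": cert_off if cert_end else 0,
        "cert_size": cert_size if cert_end else 0,
        "unsigned_tail": data[max(end, cert_end):],   # the part worth carving and scanning
    }


def extract_overlay(data):
    """The whole overlay, certificate table included."""
    return data[overlay_info(data)["overlay_offset"]:]


if __name__ == "__main__":
    sample = build_minimal_pe(b"\xC3" * 16, overlay=b"hidden payload", cert=b"C" * 64)
    print({k: v for k, v in overlay_info(sample).items() if k != "unsigned_tail"})
```

Run `overlay_info` over a directory of samples and the `unsigned_tail` length is the number to sort by: a signed binary with a zero-length tail is normal, while a large tail behind (or without) a certificate table is the appended data the diary talks about. Packers and malformed samples can lie in the section table, so treat the computed offset as a starting point, not a verdict.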
ISC Stormcast For Monday, September 16th, 2024 https://isc.sans.edu/podcastdetail/9138, (Mon, Sep 16th)
YARA-X’s Dump Command, (Sun, Sep 15th)
YARA-X is not just a rewrite of YARA in Rust, it comes with new features too.
YARA 4.5.2 Release, (Sat, Sep 14th)
YARA 4.5.2 was released with 3 small changes and 4 bugfixes.
Finding Honeypot Data Clusters Using DBSCAN: Part 2, (Fri, Sep 13th)
In an earlier diary [1], I reviewed how using tools like DBSCAN [2] can be useful to group similar data. I used DBSCAN to try and group similar commands submitted to Cowrie [3] and URL paths submitted to the DShield…
ISC Stormcast For Friday, September 13th, 2024 https://isc.sans.edu/podcastdetail/9136, (Fri, Sep 13th)
Hygiene, Hygiene, Hygiene! [Guest Diary], (Wed, Sep 11th)
[This is a Guest Diary by Paul Olson, an ISC intern as part of the SANS.edu BACS program]
Python Libraries Used for Malicious Purposes, (Wed, Sep 11th)
Since I'm interested in malicious Python scripts, I found multiple samples that rely on existing libraries. The best-known repository is probably pypi.org[1], which reports, as of today, 567,478 projects! Malware developers are like regular developers: They don't want to reinvent…
ISC Stormcast For Wednesday, September 11th, 2024 https://isc.sans.edu/podcastdetail/9134, (Wed, Sep 11th)
Microsoft September 2024 Patch Tuesday, (Tue, Sep 10th)
Today, Microsoft released its scheduled September set of patches. This update addresses 79 different vulnerabilities. Seven of these vulnerabilities are rated critical. Four vulnerabilities are already being exploited and have been made public.
ISC Stormcast For Tuesday, September 10th, 2024 https://isc.sans.edu/podcastdetail/9132, (Tue, Sep 10th)
Wireshark 4.4’s IP Address Functions, (Mon, Sep 9th)
New IP address functions have been added in Wireshark 4.4 (if you use Wireshark on Windows, there's a bug in release 4.4.0: the DLL with these functions is missing, it will be included in release 4.4.1; all is fine with…
Password Cracking & Energy: More Details, (Sun, Sep 8th)
Here are more details on the power consumption of my desktop computer when I crack passwords (cfr diary entry “Quickie: Password Cracking & Energy”).
ISC Stormcast For Monday, September 9th, 2024 https://isc.sans.edu/podcastdetail/9130, (Mon, Sep 9th)
Python & Notepad++, (Sat, Sep 7th)
PythonScript is a Notepad++ plugin that provides a Python interpreter to edit Notepad++ documents.
ISC Stormcast For Friday, September 6th, 2024 https://isc.sans.edu/podcastdetail/9128, (Fri, Sep 6th)
Enrichment Data: Keeping it Fresh, (Fri, Sep 6th)
I like to enrich my honeypot data from a variety of sources to help understand a bit more about the context of the attack. This includes the types of networks the attacks are coming from or whether malware submitted to…
ISC Stormcast For Thursday, September 5th, 2024 https://isc.sans.edu/podcastdetail/9126, (Thu, Sep 5th)
Attack Surface [Guest Diary], (Wed, Sep 4th)
[This is a Guest Diary by Joshua Tyrrell, an ISC intern as part of the SANS.edu BACS program]
Scans for Moodle Learning Platform Following Recent Update, (Wed, Sep 4th)
On August 10th, the popular learning platform “Moodle” released an update fixing CVE-2024-43425. RedTeam Pentesting found the vulnerability and published a detailed blog post late last week. The blog post demonstrates in detail how a user with the “trainer” role could…
ISC Stormcast For Wednesday, September 4th, 2024 https://isc.sans.edu/podcastdetail/9124, (Wed, Sep 4th)
ISC Stormcast For Tuesday, September 3rd, 2024 https://isc.sans.edu/podcastdetail/9122, (Tue, Sep 3rd)
Protected OOXML Text Documents, (Mon, Sep 2nd)
Just like “Protected OOXML Spreadsheets”, Word documents can also be protected:
Wireshark 4.4: Converting Display Filters to BPF Capture Filters, (Sun, Sep 1st)
Display filters are expressions that decide which packets get displayed in Wireshark's packet list and which do not.
Wireshark 4.4.0 is now available, (Sat, Aug 31st)
This is the first 4.4 release. Many new features have been added, details are here.
ISC Stormcast For Friday, August 30th, 2024 https://isc.sans.edu/podcastdetail/9120, (Fri, Aug 30th)
Simulating Traffic With Scapy, (Fri, Aug 30th)
It can be helpful to simulate different kinds of system activity. I had an instance where I wanted to generate logs to test a log forwarding agent. This agent was processing DNS logs. There are a variety of ways that…
Live Patching DLLs with Python, (Thu, Aug 29th)
In my previous diary[1], I explained why Python became popular for attackers. One of the reasons given was that, from Python scripts, it's possible to call any Windows API and, therefore, perform low-level activities on the system. In another script,…
ISC Stormcast For Thursday, August 29th, 2024 https://isc.sans.edu/podcastdetail/9118, (Thu, Aug 29th)
ISC Stormcast For Wednesday, August 28th, 2024 https://isc.sans.edu/podcastdetail/9116, (Wed, Aug 28th)
Vega-Lite with Kibana to Parse and Display IP Activity over Time, (Tue, Aug 27th)
I have been curious for a while, looking at Kibana's Vega log parsing options, to try to come up with displays and layouts that aren't standard in Kibana. A lot of the potential layouts already exist in Kibana but some…
Why Is Python so Popular to Infect Windows Hosts?, (Tue, Aug 27th)
It has been a while since I started to track how Python is used in the Windows eco-system[1]. Almost every day I find new pieces of malicious Python scripts. The programming language itself is not malicious. There are plenty of…
ISC Stormcast For Tuesday, August 27th, 2024 https://isc.sans.edu/podcastdetail/9114, (Tue, Aug 27th)
From Highly Obfuscated Batch File to XWorm and Redline, (Mon, Aug 26th)
If you follow my diaries, you probably already know that one of my favorite topics around malware is obfuscation. I'm often impressed by the crazy techniques attackers use to make reverse engineers' lives more difficult. Last week, I spotted a…
ISC Stormcast For Monday, August 26th, 2024 https://isc.sans.edu/podcastdetail/9112, (Mon, Aug 26th)
Pandas Errors: What encoding are my logs in?, (Fri, Aug 23rd)
While trying to process some of my honeypot data, I ran into the following error in my Python script:
ISC Stormcast For Friday, August 23rd, 2024 https://isc.sans.edu/podcastdetail/9110, (Fri, Aug 23rd)
OpenAI Scans for Honeypots. Artificially Malicious? Action Abuse?, (Thu, Aug 22nd)
For a while now, I have seen scans that contain the pattern “%%target%%” in the URL. For example, today this particular URL is popular:
ISC Stormcast For Thursday, August 22nd, 2024 https://isc.sans.edu/podcastdetail/9108, (Thu, Aug 22nd)
ISC Stormcast For Wednesday, August 21st, 2024 https://isc.sans.edu/podcastdetail/9106, (Wed, Aug 21st)
Mapping Threats with DNSTwist and the Internet Storm Center [Guest Diary], (Tue, Aug 20th)
[This is a Guest Diary by Michael Tigges, an ISC intern as part of the SANS.edu BACS program]
Where are we with CVE-2024-38063: Microsoft IPv6 Vulnerability, (Tue, Aug 20th)
I recorded a quick live stream with a quick update on CVE-2024-38063. The video focuses on determining the exploitability, particularly whether your systems are reachable by IPv6.
ISC Stormcast For Tuesday, August 20th, 2024 https://isc.sans.edu/podcastdetail/9104, (Tue, Aug 20th)
Do you Like Donuts? Here is a Donut Shellcode Delivered Through PowerShell/Python, (Mon, Aug 19th)
I found a tiny .bat file that did not look suspicious at all: 3650.bat (SHA256:bca5c30a413db21f2f85d7297cf3a9d8cedfd662c77aacee49e821c8b7749290) with a very low VirusTotal score (2/65)[1]. The file is very simple: it invokes PowerShell:
ISC Stormcast For Monday, August 19th, 2024 https://isc.sans.edu/podcastdetail/9102, (Mon, Aug 19th)
ISC Stormcast For Friday, August 16th, 2024 https://isc.sans.edu/podcastdetail/9100, (Fri, Aug 16th)
[Guest Diary] 7 minutes and 4 steps to a quick win: A write-up on custom tools, (Fri, Aug 16th)
[This is a Guest Diary by Justin Leibach, an ISC intern as a part of the SANS.edu BACS [1] degree program]
Wireshark 4.4.0rc1’s Custom Columns, (Thu, Aug 15th)
In diary entry “A Wireshark Lua Dissector for Fixed Field Length Protocols”, I show how to use a protocol dissector I wrote in Lua to parse TCP data.
ISC Stormcast For Thursday, August 15th, 2024 https://isc.sans.edu/podcastdetail/9098, (Thu, Aug 15th)