Archive by Author

Sextortion Bitcoin on the Move, (Fri, Jan 18th)

We’ve gotten a few reports of the latest round of sextortion emails demanding bitcoin in exchange for deleting incriminating videos. These emails and wallets have piled up for some time. Usually the criminal doesn’t move the bitcoin immediately, so checking the bitcoin wallet isn’t helpful. But a week or so after such emails are sent, […]


Emotet infections and follow-up malware, (Wed, Jan 16th)

Introduction Three major campaigns using malicious spam (malspam) to distribute malware stopped sending malspam before Christmas–sometime during the week ending on Sunday 2018-12-23.  These three campaigns are Emotet (also known as Feodo), Hancitor (also known as Chanitor or Tordal), and Trickbot.  But this week, all three campaigns have been sending out malspam again. Among these […]


Oracle Has Published 284 Security Updates in their January Patch Advisory, More here: https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html, (Tue, Jan 15th)

— John Bambenek bambenek at gmail /dot/ com ThreatSTOP (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Microsoft Publishes Patches for Skype for Business and Team Foundation Server, (Tue, Jan 15th)

Today, Microsoft published an advisory on CVE-2019-0624, a spoofing vulnerability in Skype for Business 2015. It requires a few steps on the attacker's part and isn't entirely straightforward to execute. They must be an authenticated user and then send a spoofed request that can then perform an XSS on the victim machine at the privilege level of […]


Microsoft LAPS – Blue Team / Red Team, (Mon, Jan 14th)

The story is all too familiar, and the chain of events is almost the same every time: A malicious email makes its way in past the spam filter. The recipient clicks on a link or downloads an attachment with a macro in it. Malware executes. The malware uses Mimikatz (or some variation thereof) to harvest the […]


Still Running Windows 7? Time to think about that upgrade project!, (Mon, Jan 14th)

For folks still running Windows 7, Microsoft has it scheduled for End of Life in exactly 1 year (https://support.microsoft.com/en-ca/help/13853/windows-lifecycle-fact-sheet). Not such a big deal if you have 1 or 2 machines at home to manage, but if you are an enterprise with hundreds or thousands of Windows 7 machines, it's really time to start […]


Snorpy, a Web-Based Tool to Build Snort/Suricata Rules, (Sat, Jan 12th)

Snorpy is a web-based application for easily building Snort/Suricata rules in a graphical way. It is simple to use: start from the Action and Protocol fields, and as you pick each field, the rule builder shows the resulting rule in the bottom window. Before setting up your own local copy, you want to test a […]


Quick Maldoc Analysis, (Fri, Jan 11th)

Reader Kevin asked for help with the analysis of maldoc 7eac18cab2205d94e5e5e0c43daf64cbab2e0b43cf841213c25ca34e8124739f. Here is the analysis in one line, as I like to do: Similar samples have been analyzed step by step in this and this diary entry. And I also have a video. This is a good opportunity to point to our diary archive that you can […]


Heartbreaking Emails: "Love You" Malspam, (Thu, Jan 10th)

Introduction Malicious spam (malspam) using zipped JavaScript (.js) files as email attachments is a well-established tactic used by cyber criminals to distribute malware. I've written diaries discussing such malspam in July 2015, September 2015, and February 2016. I've run across plenty of examples since then, but I've focused more on Microsoft Office documents instead of […]


Wireshark 2.4.12 & 2.6.6 released, vulns & bugs fixed – https://www.wireshark.org/download.html, (Wed, Jan 9th)

