Auditing SSH Settings (some Blue Team, some Red Team), (Thu, Nov 2nd)

Yesterday we discussed revisiting SSH configurations and updating settings. Now that this is done across your organization (just kidding), how will you audit this? In particular, what about hosts that you don’t know are there, or that you don’t know are running SSH? For starters, nmap makes a great audit tool. A simple scan for …

Securing SSH Services – Go Blue Team!!, (Wed, Nov 1st)

As the world of the attacker evolves and new attacks are developed (Red Team), people in the world of defense see a matching evolution in recommendations for securing various platforms and services (Blue Team). It struck me as odd that we don’t see a lot of “high profile” changes in advice for SSH, so I …

Some PowerShell Malicious Code, (Tue, Oct 31st)

PowerShell is a great language that can interact at a low level with Microsoft Windows. While hunting, I found a nice piece of PowerShell code. After some deeper checks, it appeared that the code was not brand new, but it remains interesting to learn how malware infects (or not) a computer and tries to collect …

Critical Patch For Oracle's Identity Manager, (Mon, Oct 30th)

On Friday, Oracle released a critical patch for its Identity Manager, which is part of Fusion Middleware. The vulnerability patched with this update does affect all current versions of the product, and has a CVSS score of 10. The patch comes just about two weeks after Oracle’s regular Critical Patch Update (CPU). According to Oracle’s …

"Catch-All" Google Chrome Malicious Extension Steals All Posted Data, (Fri, Oct 27th)

Introduction: It seems that malicious Google Chrome extensions are on the rise. A couple of months ago, I posted here about two of them [1][2] which stole user credentials posted on banking websites and the like. Now, while analyzing a phishing e-mail, I went through a new piece of malware with a slightly different approach: instead of …

Macro-less Code Execution in MS Word, (Wed, Oct 25th)

Guest Diary: Etay Nir. In the past few days, the industry became aware of a new technique to deliver malware, using macro-less code execution in MS Word, leveraging the Microsoft Dynamic Data Exchange (DDE) protocol. A good research blog entry can be found here: https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/ In this post, I’m going to give some background …

DUHK attack, continuing a week of named issues, (Wed, Oct 25th)

DUHK (Don’t Use Hard-coded Keys) is an attack that exploits devices that use the ANSI X9.31 Random Number Generator and have a hard-coded key. Turns out that hard-coded crypto keys are not that uncommon in products. A device is susceptible to the attack if: …