BadRabbit: New ransomware wave hitting RU & UA, (Tue, Oct 24th)

About 2 hours ago, reports started to come in about a new ransomware wave hitting the RU media agency Interfax, but it is extending to others in both RU and UA: https://www.bloomberg.com/news/articles/2017-10-24/russian-news-agency-interfax-faces-unprecedented-hacker-attack https://frontnews.eu/news/en/16198 https://twitter.com/GroupIB/status/922818401382346752 It seems to be delivered via a malicious URL as a fake Flash update, and then uses EternalBlue and Mimikatz for lateral movement and further …

Stop relying on file extensions, (Tue, Oct 24th)

Yesterday, I found an interesting file in my spam trap. It was called ‘16509878451.XLAM’. To be honest, I was not aware of this extension and I found this on the web: “A file with the XLAM file extension is an Excel Macro-Enabled Add-In file that’s used to add new functions to Excel. Similar to other spreadsheet file …

Is a telco in Brazil hosting an epidemic of open SOCKS proxies?, (Sun, Oct 22nd)

This is a guest diary submitted by Alan Tu. Please let us know if you like this kind of post. I became interested in how criminals and bad actors conceal the origin point of their Internet traffic. TOR, The Onion Router project, is one common way to anonymize Internet traffic. TOR nodes allow any proxy-aware …

One year Anniversary of Dyn DDOS, (Fri, Oct 20th)

Today, October 21st, marks the one year anniversary of the DDOS attack on Dyn. The attack impacted Dyn’s DNS service, and caused degradation or unavailability of several popular websites, including amazon.com, Airbnb, BBC, CNN, Paypal and many others. The attack was attributed to the Mirai botnet of compromised Internet of Things (IoT) devices, but despite numerous investigations, the …

Cisco fixes for KRACKs not complete, (Fri, Oct 20th)

Cisco has updated their advisory from earlier in the week for CVE-2017-13082, Key Reinstallation Attacks, referred to as KRACKs. It appears the original updates did not completely address the CVE. New updates are in the works. No ETA was given for the new updates. “NOTE: Additional testing performed on October 20th, 2017 resulted in the discovery that …

Using Yara rules with Volatility, (Fri, Oct 20th)

YARA is a tool designed to help malware researchers identify and classify malware samples. It’s been called the pattern-matching Swiss Army knife for security researchers. Yarascan is a Volatility plugin that scans a memory image for YARA signatures. Yarascan can be used with a rule file, or you can define what you are looking for on the fly. In …

Necurs Botnet malspam pushes Locky using DDE attack, (Thu, Oct 19th)

Introduction I’ve seen Twitter traffic today about malspam from the Necurs Botnet pushing Locky ransomware using Word documents as their attachments. These Word documents use the DDE attack technique, something I already wrote about in a previous diary covering Hancitor malspam on 2017-10-16. Here’s a link to My Online Security’s writeup about today’s malspam from …

HSBC-themed malspam uses ISO attachments to push Loki Bot malware, (Thu, Oct 19th)

Introduction ISO files are a format used for optical disk images like CD-ROMs or DVDs. Criminals sometimes use ISO files as attachments in malicious spam (malspam) to distribute malware. Here and here are two recent examples. On Wednesday 2017-10-18, I came across HSBC-themed malspam using this technique to distribute Loki Bot, an information stealer. The …

Baselining Servers to Detect Outliers, (Wed, Oct 18th)

Introduction This week I came across an interesting incident response scenario that was more likely a blind hunt. The starting point was the suspicion that a breach may have occurred in one or more of ~500 web servers of a big company on a given date range, even though there was no evidence of leaked …

Hancitor malspam uses DDE attack, (Tue, Oct 17th)

Introduction Malicious spam (malspam) pushing Hancitor malware (also known as Chanitor or Tordal) changed tactics on Monday 2017-10-16. Instead of pushing Microsoft Word documents with malicious macros, this malspam began pushing Word documents taking advantage of Microsoft’s Dynamic Data Exchange (DDE) technique. According to BleepingComputer, attacks using this technique have existed since the early 90s, …