Equifax breach, (Fri, Sep 8th)

Equifax, one of the major credit bureaus in the USA, has announced a breach that occurred in July. At 143 million persons affected, and considering the type of data involved, this is significant. Canadians may have been affected as well.  Cheers, Adrien @adriendb Intru-Shun.ca (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States …

YASRV (Yet Another Struts RCE Vulnerability) yes a different one from yesterday, (Thu, Sep 7th)

Yesterday saw CVE-2017-9805; today we have a new remote code execution vulnerability in Apache Struts 2, CVE-2017-12611. Yesterday's was in the REST plugin and related to unsafe deserialization of Java objects from XML. Today's relates to the use of Freemarker tags in your application. Both should encourage you to patch. Current versions are Struts 2.3.34 and Struts 2.5.13. Cheers, Adrien de Beaupré, SANS …

Modern Web Application Penetration Testing , Hash Length Extension Attacks, (Wed, Sep 6th)

I had the opportunity to sit with my friend Ron Bowes (@iagox86) awhile back to talk about SEC642 content and the state of web application penetration testing in general. He mentioned hash length extension attacks, and that he had coincidentally written the absolute best tool to exploit them! That’s definitely something that we would consider …

Struts vulnerability patch released by apache, patch now, (Tue, Sep 5th)

Anyone using Struts 2 should immediately upgrade to Struts 2.5.13 due to a remote code execution vulnerability. It has been assigned CVE-2017-9805 and a detailed technical writeup is available here: https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement. A workaround would be to disable access to the REST plugin used by Struts, as it deserializes objects from XML without safely validating them when invoked.  Every once in …

The Mirai Botnet: A Look Back and Ahead At What's Next, (Tue, Sep 5th)

It is a bit hard to nail down when the Mirai botnet really started. I usually use scans for port 2323 and the use of the password “xc3511” as an indicator. But of course, that isn’t perfect. The very first scan using the password “xc3511” was detected by our sensor on February 26th, 2016, well ahead …

AutoIT based malware back in the wild, (Sat, Sep 2nd)

One week ago I wrote a diary[1] with an analysis of a malicious RAR archive that contained an AutoIT script[2]. The technique was not new but I was curious to see if this was a one-shot or not. To search for juicy samples, VirusTotal Intelligence or “VTI” is a nice source. Thanks to the “Retro …

Malspam pushing Locky ransomware tries HoeflerText notifications for Chrome and FireFox, (Fri, Sep 1st)

Introduction During the past two weeks or so, we’ve seen plenty of botnet-based malicious spam (malspam) pushing Locky ransomware.  In recent days, I’ve noticed multiple waves of malspam every weekday.  It gets a bit boring after a while, but as 2017-08-31 came to a close, I noticed a different technique from this malspam. Today’s malspam had …

Remote SOC Workers Concerns, (Thu, Aug 31st)

As a SOC manager, you may need to start thinking about remote workers for several reasons: office move, larger talent pool, disaster recovery plan. Some scenarios may be short-term to mid-term solutions; here are some initial concerns I came up with when thinking about the problem.   Concern 1: Speed of responding Your IR …