How was your stay at the Hotel La Playa?, (Wed, Feb 15th)

I made the following demo for a customer in the scope of a security awareness event. When speaking to non-technical people, it's always difficult to demonstrate how easily attackers can abuse their devices and data. If successfully popping up a calc.exe with an exploit makes a room full of security people crazy, it's not the case …

Microsoft Patch Tuesday Delayed, (Tue, Feb 14th)

Microsoft delayed the release of all bulletins scheduled for today. Today was supposed to be the first month of Microsoft using its new update process, which meant that we would no longer see a bulletin summary, and patches would be released as monolithic updates vs. individually. It is possible that this change in process caused …

Do You Use VirusTotal? Give PacketTotal a Spin!, (Mon, Feb 13th)

Packettotal ( http://www.packettotal.com ) is a new site that does some nifty analysis of packet captures for you if you're not so familiar with Wireshark or other analysis tools. Out of the gate, this site maps out connections, certificates, encryption algorithms and gives up files that are transferred in the session. A great start (I …

Stuff I Learned Decrypting, (Mon, Feb 13th)

With the prevalence of Next-Gen Firewalls, we're seeing a new wave of organizations decrypting traffic at the network edge, between organizations and the public internet. This is a good thing. As we see more and more legit https traffic, we're also seeing the attackers follow that trend, where malware and attacks are now often encrypted …

Analysis of a Suspicious Piece of JavaScript, (Sun, Feb 12th)

What to do on a cloudy lazy Sunday? You go hunting and review some alerts generated by your robots. Pastebin remains one of my favourite playgrounds and you always find interesting stuff there. In a recent diary, I reported many malicious PE files[1] stored in Base64 but, today, I found a suspicious piece of JavaScript …

Hancitor/Pony malspam, (Fri, Feb 10th)

Introduction. It's been one month since my last diary on malicious spam (malspam) with links to malicious Word documents containing Hancitor [1]. Back then, we saw Hancitor use Pony to download Vawtrak malware. Since then, I've seen indicators for this type of malspam on a near-daily basis. Recently, these emails have stopped leading to Vawtrak. …

Ticketbleed vulnerability affects some f5 appliances, (Thu, Feb 9th)

Early today on 2017-02-09, a new vulnerability based on CVE-2016-9244 was announced by f5 affecting the company's Big-IP appliances [1]. According to f5: A BIG-IP SSL virtual server with the non-default Session Tickets option enabled may leak up to 31 bytes of uninitialized memory. This new vulnerability has a website (https://ticketbleed.com/) and a logo. …

CryptoShield Ransomware from Rig EK, (Thu, Feb 9th)

Introduction. At the end of January 2017, BleepingComputer published a report about an updated variant of CryptoMix (CryptFile2) ransomware calling itself CryptoShield [1]. It was first discovered by Proofpoint security researcher Kafeine. At that time, CryptoShield was distributed by the EITest campaign using Rig exploit kit (EK). Since then, other researchers continued seeing CryptoShield from …

Cloud Metadata Urls, (Wed, Feb 8th)

This is a guest diary contributed by Remco Verhoef. Interested in publishing a guest diary? Send us your idea via our contact form. Most cloud providers offer metadata using private URLs. Those URLs are used to retrieve metadata for the current configuration of the instance and to pass user data. The configuration contains data like security groups, …