Symantec vs. Google: The CA Fight Continues. What do you need to know?, (Mon, Mar 27th)

by nateSecurity BulletinsPosted on Comments are Disabled

Google has long been vocal about Symantecs use of test certificates. Google alleged that Symantec does not provide sufficient controls to prevent an abuse of its widely respected certificate authority. Late last week, Ryan Sleevi who is part of Googles Chrome team, announced that Google Chrome / Chromium will phase out trust in Symantecs CAs, …

Read more “Symantec vs. Google: The CA Fight Continues. What do you need to know?, (Mon, Mar 27th)”

Distraction as a Service, (Sat, Mar 25th)

by nateSecurity BulletinsPosted on Comments are Disabled

Have you noticed that some security projects never seem to get finished? Despite the best of intentions, often times they linger, sometimes for years. I believe that distractions play a role in security projects being delayed and ultimately never being completed. If not monitored closely, nothing will get moved from the to do list to …

Read more “Distraction as a Service, (Sat, Mar 25th)”

Nicely Obfuscated JavaScript Sample , (Fri, Mar 24th)

by nateSecurity BulletinsPosted on Comments are Disabled

One of our readers sent us an interesting sample that was captured by his anti-spam. The suspicious email had an HTML file attached to it. By having a look at the file manually, it is heavily padding:5px 10px”> var iKz7xb8 = 160b6e65697e737a6f0a627e67661416425e47460a464b444d17084f44081416424f4b4e1416 474f5e4b0a49424b58594f5e17085f5e4c0712081416474f5e4b0a444b474f17085c434f5d5a45585e080a49454 45e4f445e17085d434e5e42174e4f5c43494f075d434e5e42060a4344435e434b460759494b464f171b08141646 4344410a42584f4c1708425e5e5a591005054c45445e59044d45454d464f4b5a43590449454705495959154c4b4 743465317784548455e45080a584f461708595e53464f59424f4f5e08140a16595e53464f1400514c45445e074c 4b47434653100a0d784548455e450d060a5 … The file has a current VT score …

Read more “Nicely Obfuscated JavaScript Sample , (Fri, Mar 24th)”

SSMA Usage, (Thu, Mar 23rd)

by nateSecurity BulletinsPosted on Comments are Disabled

SSMA is handy tool for quickly getting an idea if a file is malicious. Install sudo apt-get install python3-pip git clone https://github.com/secrary/SSMA cd SSMA sudo pip3 install -r requirements.txt Usage To use, just run the command along with your VirusTotal API key and the file to get the results. After each test, it will ask …

Read more “SSMA Usage, (Thu, Mar 23rd)”

"Blank Slate" malspam still pushing Cerber ransomware, (Wed, Mar 22nd)

by nateSecurity BulletinsPosted on Comments are Disabled

2017-03-22 Update: This diary was posted earlier, but we had some technical issues, and the previous diary disappeared. I had to re-post this as a new diary with a new story ID and URL. Introduction Cerber ransomware has been a constant presence since it was first discovered in February 2016. Since then, Ive seen it …

Read more “"Blank Slate" malspam still pushing Cerber ransomware, (Wed, Mar 22nd)”

Blank Slate campaign still pushing Cerber ransomware, (Wed, Mar 22nd)

by nateSecurity BulletinsPosted on Comments are Disabled

Introduction Cerber ransomware has been a constant presence since it was first discovered in February 2016. Since then, Ive seen it consistently pushed by exploit kits (like Rig and Magnitude) from the pseudoDarkleech and other campaigns. Ive also been tracking Cerber on a daily basis from malicious spam (malspam). Some malspam pushing Cerber is part …

Read more “Blank Slate campaign still pushing Cerber ransomware, (Wed, Mar 22nd)”

"Blank Slate" campaign still pushing Cerber ransomware, (Wed, Mar 22nd)

by nateSecurity BulletinsPosted on Comments are Disabled

Introduction Cerber ransomware has been a constant presence since it was first discovered in February 2016. Since then, Ive seen it consistently pushed by exploit kits (like Rig and Magnitude) from the pseudoDarkleech and other campaigns. Ive also been tracking Cerber on a daily basis from malicious spam (malspam). Some malspam pushing Cerber is part …

Read more “"Blank Slate" campaign still pushing Cerber ransomware, (Wed, Mar 22nd)”

Malspam with password-protected Word documents, (Tue, Mar 21st)

by nateSecurity BulletinsPosted on Comments are Disabled

Introduction On Monday 2017-03-20, the ISC received a notification through our contact page. Someone reported numerous items of malicious spam (malspam) sent to addresses at his organization. The malspam had Microsoft Word documents (.docx files) as attachments and subject lines such as: Fwd:Ticket k29y729n71c52h692o53171 ReTicket 985v49f155t06g78v412a3n382 Fwd:Ticket 048f1v00u98 ReTicket y18k9178280 Ticket p574v892f453b467 Ticket e26099p58v65x073 ReInquiry …

Read more “Malspam with password-protected Word documents, (Tue, Mar 21st)”

What is really being proxied?, (Wed, Mar 8th)

by nateSecurity BulletinsPosted on Comments are Disabled

An observation from the road, was with a client recently and the discussion of proxy entered into the conversation. Now before we get all Political and start dropping packet bombs, a technical challenge came up that made me really think. What traffic is really hitting the proxy? How many proxy bypass rules are in place? …

Read more “What is really being proxied?, (Wed, Mar 8th)”

Searching for Base64-encoded PE Files, (Sun, Mar 19th)

by nateSecurity BulletinsPosted on Comments are Disabled

When hunting for suspicious activity, its always a good idea to search for Microsoft Executables. They are easy to identify: They start with the characters MZ at the beginning of the file[1]. But, to bypass classic controls, those files are often obfuscated (XOR, Rot13 or Base64). Base64 is very common and it padding:5px 10px”> TV(oA|pB|pQ|qA|qQ|ro)w+ …

Read more “Searching for Base64-encoded PE Files, (Sun, Mar 19th)”