CVE-2020-8859

This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of ELOG Electronic Logbook 3.1.4-283534d. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of HTTP parameters. A crafted request can trigger the dereference of a null pointer. An attacker can leverage this vulnerability to create …

CVE-2020-8863

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DIR-867, DIR-878, and DIR-882 routers with firmware 1.10B04. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login requests. The issue results from the lack of proper implementation of the authentication algorithm. An attacker …

KPOT Deployed via AutoIt Script, (Mon, Mar 23rd)

I have other samples like the malware I covered in yesterday’s diary entry. All with the same body and attachment, it’s just the sender that varies. The PowerShell scripts are the same and download from show1[.]website. Like I wrote yesterday, three files are downloaded: a legitimate, signed AutoIt interpreter (this is not malware), a heavily …

More COVID-19 Themed Malware, (Sun, Mar 22nd)

Reader Andrew received a COVID-19 themed email with a malicious attachment, and submitted the complete email. My tool emldump.py reports the different parts: The email body is a fake message from criminals cautioning their victims that documents are required to leave their house during a “National State of Emergency”, which are conveniently attached to the email: …

Honeypot – Scanning and Targeting Devices & Services, (Sat, Mar 21st)

I was curious this week to see if my honeypot traffic would increase since a large portion of the world is working from home. Reviewing my honeypot logs, I decided to check what type of filename was mostly targeted (GET/POST/HEAD) by scanners this past week on any web-supported ports (i.e. 80, 81, 8000, etc). …

A Quick Summary of Current Reflective DNS DDoS Attacks, (Tue, Mar 17th)

DNS is still a popular protocol to amplify denial of service attacks. A rather small DNS query, sent to an open recursive resolver, can be used to trigger a large response. Over the last few years, DNS servers implemented many countermeasures to make it more difficult to launch these attacks and easier to mitigate them. …

Desktop.ini as a post-exploitation tool, (Mon, Mar 16th)

Desktop.ini files have been part of Windows operating systems for a long time. They provide users with the option to customize the appearance of specific folders in File Explorer, such as changing their icons[1]. That is not all they are good for, however. A couple of months back, I noticed a small weakness/vulnerability in the way …

VPN Access and Activity Monitoring, (Sun, Mar 15th)

Because most individuals are going to have to work remotely from home, the activity that should be scrutinized over the coming weeks is traffic on ports associated with VPNs, like OpenVPN (1194) or SSL VPN (TCP/UDP 443, IPsec/IKEv2 UDP 500/4500), together with their associated logs, to ensure these services are accessed by the right individuals and are …

Phishing PDF With Incremental Updates, (Sat, Mar 14th)

Someone asked me for help with this phishing PDF. Taking a look with pdfid.py: Nothing to see here, except Stream Objects (/ObjStm). When stream objects are detected, it’s best to generate statistics (-a) with pdf-parser.py while parsing stream objects too (-O), like this: And here we see that this PDF contains URLs (/URI). Thus we …