Analysis of a Suspicious Piece of JavaScript, (Sun, Feb 12th)

What to do on a cloudy, lazy Sunday? You go hunting and review some alerts generated by your robots. Pastebin remains one of my favourite playgrounds, and you always find interesting stuff there. In a recent diary, I reported many malicious PE files[1] stored in Base64, but today I found a suspicious piece of JavaScript …

Hancitor/Pony malspam, (Fri, Feb 10th)

Introduction It's been one month since my last diary on malicious spam (malspam) with links to malicious Word documents containing Hancitor [1]. Back then, we saw Hancitor use Pony to download Vawtrak malware. Since then, I've seen indicators for this type of malspam on a near-daily basis. Recently, these emails have stopped leading to Vawtrak. …

Ticketbleed vulnerability affects some f5 appliances, (Thu, Feb 9th)

Early today on 2017-02-09, a new vulnerability based on CVE-2016-9244 was announced by f5 affecting the company's BIG-IP appliances [1]. According to f5: A BIG-IP SSL virtual server with the non-default Session Tickets option enabled may leak up to 31 bytes of uninitialized memory. This new vulnerability has a website (https://ticketbleed.com/) and a logo. …

CryptoShield Ransomware from Rig EK, (Thu, Feb 9th)

Introduction At the end of January 2017, BleepingComputer published a report about an updated variant of CryptoMix (CryptFile2) ransomware calling itself CryptoShield [1]. It was first discovered by Proofpoint security researcher Kafeine. At that time, CryptoShield was distributed by the EITest campaign using Rig exploit kit (EK). Since then, other researchers continued seeing CryptoShield from …

Cloud Metadata Urls, (Wed, Feb 8th)

This is a guest diary contributed by Remco Verhoef. Interested in publishing a guest diary? Send us your idea via our contact form. Most cloud providers offer metadata using private URLs. Those URLs are used to retrieve metadata for the current configuration of the instance and to pass user data. The configuration contains data like security groups, …

My Password is [taco] Using Emojis for Stronger Passwords, (Tue, Feb 7th)

When I tried to include the [taco] Unicode character in the headline of this post, it cut off the headline. Supporting Unicode isn't easy, and often, to avoid security issues arising from Unicode, it is removed or outright blocked. But mobile devices in particular make it easy to type Emojis or other Unicode characters. As …

Malicious Or Not? You decide…, (Mon, Feb 6th)

One of the hardest tasks in security, and probably fundamentally an impossible task, is to figure out if something is not malicious. Even the code you wrote yourself, once it exceeds a certain complexity, could include backdoors that you as the author missed. They may come in the form of vulnerabilities, or maybe it was bad …

What Are These Odd POP3 (Port 110/tcp) Scans About?, (Mon, Feb 6th)

I am seeing a steady trickle of scans for port 110 against my honeypot. Initially, I believed that the goal was brute forcing e-mail passwords. But instead, when setting up a quick netcat listener, I am seeing binary content without any obvious purpose. Various POP3 daemons have had vulnerabilities in the past, so maybe there is …

Many Malware Samples Found on Pastebin, (Sun, Feb 5th)

pastebin.com is a wonderful website. I'm scraping all posted pasties (not only from pastebin.com) and passing them through a bunch of regular expressions. As I said in a previous diary[1], it is a good way to perform open source intelligence. Amongst many configuration files, pieces of code with hardcoded credentials, dumps of databases or passwords, …

Detecting Undisclosed Vulnerabilities with Security Tools & Features, (Sat, Feb 4th)

I'm a big fan of OSSEC[1]. This tool is an open source HIDS and log management tool. Although often considered as the SIEM of the poor, it integrates a lot of interesting features and is fully configurable to solve many of your use cases. All my infrastructure has been monitored by OSSEC for years. One of the OSSEC …