SANS Internet Storm Center

RSS Feed SANS Internet Storm Center
SANS Internet Storm Center - Cooperative Cyber Security Monitor
Updated: 4 hours 36 min ago

Phishing Attack Through Non-Delivery Notification, (Thu, Dec 13th)

8 hours 5 min ago
Here is a nice example of phishing attack that I found while reviewing data captured by my honeypots. We all know that phishing is a pain and attackers are always searching for new tactics to entice the potential victim to click on a link, disclose personal information or more…

Yet Another DOSfuscation Sample, (Wed, Dec 12th)

Wed, 12/12/2018 - 11:42am
Reader Vince asked for help with the analysis of a malicious Word document. He started the analysis himself, following the method I illustrated in diary entry "Word maldoc: yet another place to hide a command".

Microsoft December 2018 Patch Tuesday, (Tue, Dec 11th)

Tue, 12/11/2018 - 1:58pm
December 2018 Security Updates

Arrest of Huawei CFO Inspires Advance Fee Scam, (Sun, Dec 9th)

Sun, 12/09/2018 - 5:51pm
Last week, the arrest of MENG Wanzou made big waves in the news. Ms. Meng was arrested in Canada based on an arrest warrant issued for the United States Department of justice. Ms. Meng, as CFO of Huawei and possible heir to her father, the CEO of Huawei, is assumed to have access to substantial wealth. This led to a wave of advanced fee scams levering this news. 

Quickie: String Analysis is Still Useful, (Sun, Dec 9th)

Sun, 12/09/2018 - 3:52pm
String analysis: extracting and analyzing strings from binary files (like executables) to assist with reverse engineering.

Reader Malware Submission: MHT File Inside a ZIP File, (Sat, Dec 8th)

Sat, 12/08/2018 - 4:21pm
Reader Jason submitted a ZIP file received via email. It contains an MHT file, an when Jason received it, it had 0 detections on VirusTotal.

A Dive into malicious Docker Containers, (Fri, Dec 7th)

Fri, 12/07/2018 - 10:00am
Last few days we're seeing increased attacks from %%ip:, which is trying to exploit open Docker instances (%%port:2375%%). The container (being named java123) is based on image ahtihhebs/picture124, and executed with payload:

Is it Time to Uninstall Flash? (If you haven't already), (Thu, Dec 6th)

Thu, 12/06/2018 - 12:42pm
If you haven't uninstalled Flash yet, maybe today should be that day.  The update posted yesterday has a remote code exec proof-of-concept already here:

Data Exfiltration in Penetration Tests, (Tue, Nov 27th)

Wed, 12/05/2018 - 6:52pm
In many penetration tests, there'll be a point where you need to exfiltrate some data.  Sometimes this is a situation of "OK, we got the crown jewels, let's get the data off premise".  Or sometimes in this phase of the test the goal is "let's make some noise and see if they're watching for data exfiltration - hmm, nothing yet, let's make some LOUDER noise and see (and so on)".  As with most things, there's a spectrum of methods to move the target data out, with various levels of difficulty for detection.

Malspam pushing Lokibot malware, (Tue, Dec 4th)

Mon, 12/03/2018 - 7:36pm