SANS Internet Storm Center

RSS Feed SANS Internet Storm Center
SANS Internet Storm Center - Cooperative Cyber Security Monitor
Updated: 2 hours 14 min ago

Secure Phishing: Netflix Phishing Goes TLS, (Wed, Jun 20th)

2 hours 19 min ago
Phishing for Netflix accounts isn't new. But recently, I see a large number of phishing e-mails for Netflix that lead to sites with valid TLS certificates.

PowerShell: ScriptBlock Logging... Or Not?, (Tue, Jun 19th)

Tue, 06/19/2018 - 1:44am
Here is an interesting piece of PowerShell code which is executed from a Word document (SHA256: eecce8933177c96bd6bf88f7b03ef0cc7012c36801fd3d59afa065079c30a559[1]). The document is a classic one. Nothing fancy, spit executes the macro and spawns a first PowerShell command:

Malicious JavaScript Targeting Mobile Browsers, (Mon, Jun 18th)

Mon, 06/18/2018 - 1:48am
A reader reported a suspicious piece of a Javascript code that was found on a website. In the meantime, the compromized website has been cleaned but it was running Wordpress (again, I would say![1]). 

Encrypted Office Documents, (Sun, Jun 17th)

Sun, 06/17/2018 - 9:43am
Last I had to analyze a malicious, encrypted Excel document, with a twist.

Anomaly Detection & Threat Hunting with Anomalize, (Sat, Jun 16th)

Sat, 06/16/2018 - 12:34pm
When, in October and November's posts, I redefined DFIR under the premise of Deeper Functionality for Investigators in R, I discovered a "tip of the iceberg" scenario. To that end, I'd like to revisit the concept with an additional discovery and opportunity. In reality, this is really a case of DFIR (Deeper Functionality for Investigators in R) within the general practice of the original and paramount DFIR (Digital Forensics/Incident Response).

SMTP Strangeness - Possible C2, (Fri, Jun 15th)

Thu, 06/14/2018 - 11:56pm
We received an email today that provided some interesting information from a reader (Bjorn) about some observed SMTP traffic that was unusal.  From the appearance it could be related to exfil or C2.  The domain in question is whose IP is and there is an DNS TXT entry for SPF.  The domain was registered March 20, 2018.  I have been unable to find any additional examples or information of similar traffic.

A Bunch of Compromized Wordpress Sites, (Wed, Jun 13th)

Wed, 06/13/2018 - 11:17pm
A few days ago, one of our readers contacted reported an incident affecting his website based on Wordpress. He performed quick checks by himself and found some pieces of evidence:

From Microtik with Love, (Wed, Jun 13th)

Wed, 06/13/2018 - 5:55am
We've found interesting new traffic within our Honeytrap agents, originating from servers within Russia only (to be specific, the netblock owned by NKS / NCNET Broadband). The username and password combination being used is root / root, and they are executing all of the following ssh commands:

Microsoft June 2018 Patch Tuesday, (Tue, Jun 12th)

Tue, 06/12/2018 - 12:00pm
June 2018 Security Updates

More malspam pushing Lokibot, (Mon, Jun 11th)

Mon, 06/11/2018 - 12:25am

What Systems Keep You Effective?, (Sat, Jun 9th)

Sat, 06/09/2018 - 6:03pm
Previously I discussed What’s On Your Not To Do List as a means to remain focused on priorities. I never fear running out of work in cybersecurity. Instead, I worry that our focus does not always stay on the most critical issues. Today I want to highlight several techniques I use to help remain effective.

Malspam pushing coin miner and other malware, (Fri, Jun 8th)

Fri, 06/08/2018 - 7:34pm