Collaborate Disseminate
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Continue reading ISC Stormcast For Friday, November 14th, 2025 https://isc.sans.edu/podcastdetail/9700, (Fri, Nov 14th)
When I’m teachning FOR610[1], I always say to my students that reverse engineering does not only apply to âexecutable filesâ (read: PE or ELF files). Most of the time, the infection path involves many stages to defeat the Security Analyst or security controls. Here is an example that I found yesterday. An email was received via an attached ZIP archive. It contained a simple file: âPayment_confirmation_copy_30K__202512110937495663904650431.vbsâ (SHA256:d9bd350b04cd2540bbcbf9da1f3321f8c6bba1d8fe31de63d5afaf18a735744f) identified by 17/65 antiviruses on VT[2]. Let’s have a look at the infection path.
Continue reading Formbook Delivered Through Multiple Scripts, (Thu, Nov 13th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Continue reading ISC Stormcast For Thursday, November 13th, 2025 https://isc.sans.edu/podcastdetail/9698, (Thu, Nov 13th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Continue reading ISC Stormcast For Wednesday, November 12th, 2025 https://isc.sans.edu/podcastdetail/9696, (Wed, Nov 12th)
Today&#;x26;#;39;s Microsoft Patch Tuesday offers fixes for 80 different vulnerabilities. One of the vulnerabilities is already being exploited, and five are rated as critical.
Continue reading Microsoft Patch Tuesday for November 2025, (Tue, Nov 11th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Continue reading ISC Stormcast For Tuesday, November 11th, 2025 https://isc.sans.edu/podcastdetail/9694, (Tue, Nov 11th)
Today, I noticed scans using the username “FTP_3cx” showing up in our logs. 3CX is a well-known maker of business phone system software [1]. My first guess was that this was a default user for one of their systems. But Google came up empty for this particular string. The 3CX software does not appear to run an FTP server, but it offers a feature to back up configurations to an FTP server [2]. The example user used in the documentation is “3cxftpuser”, not “FTP_3cx”. Additionally, the documentation notes that the FTP server can run on a different system from the 3CX software. For a backup, it would not make much sense to have it all run on the same system.
Continue reading It isn’t always defaults: Scans for 3CX usernames, (Mon, Nov 10th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Continue reading ISC Stormcast For Monday, November 10th, 2025 https://isc.sans.edu/podcastdetail/9692, (Mon, Nov 10th)
This is just a quick diary entry to report that I saw requests on my honeypot for (code) repositories:
Continue reading Honeypot: Requests for (Code) Repositories, (Sat, Nov 8th)