Polymorphic Python Malware, (Wed, Oct 8th)

Today, I spotted an interesting Python RAT on VirusTotal. There are tons of them, but this one attracted my attention because of some function names present in the code: self_modifying_wrapper(), decrypt_and_execute() and polymorph_code(). Polymorphic malware is malware developed to repeatedly mutate its appearance (and therefore its file signature) at every execution. The file got a very low score of 2/64 on VT! (SHA256: 7173e20e7ec217f6a1591f1fc9be6d0a4496d78615cc5ccdf7b9a3a37e3ecc3c)

Exploit Against FreePBX (CVE-2025-57819) with code execution., (Tue, Oct 7th)

FreePBX is a popular PBX system built around the open source VoIP system Asterisk. To manage Asterisk more easily, it provides a capable web-based admin interface. Sadly, like so many web applications, it has had its share of vulnerabilities in the past. Most recently, a SQL injection vulnerability was found that allows attackers to modify the database.

Quick and Dirty Analysis of Possible Oracle E-Business Suite Exploit Script (CVE-2025-61882), (Mon, Oct 6th)

This weekend, Oracle published a surprise security bulletin announcing an exploited vulnerability in Oracle E-Business Suite. As part of the announcement, which also included a patch, Oracle published the IoCs observed during the incident response [1].

More .well-known Scans, (Thu, Oct 2nd)

I have been writing about the “.well-known” directory a few times before. Recently, about attackers hiding webshells [1], and before that, about the purpose of the directory and why you should set up a “/.well-known/security.txt” file. But I noticed something else when I looked at today's logs on this web server. Sometimes you do not need a honeypot. Some attackers are noisy enough to be easily visible on a busy web server. This time, the attacker hit various URLs inside the “.well-known” directory. Here is a sample from the > 100 URLs hit:
