How quickly do we patch? A quick look from the global viewpoint, (Mon, Jul 21st)

Since the ongoing “ToolShell” exploitation campaign, in which threat actors attack on-premises SharePoint servers using a chain of two recently published vulnerabilities[1,2,3], is still at the top of the cyber security news[4,5,6,7], I thought it might be a good time to look at the question of how quickly we – as a global society – actually patch actively exploited vulnerabilities on our internet-facing systems.


Critical SharePoint 0-Day Vulnerability Exploited CVE-2025-53770 (ToolShell), (Sun, Jul 20th)

Microsoft announced yesterday that a newly discovered critical remote code execution vulnerability in SharePoint is being exploited. There is no patch available. As a workaround, Microsoft suggests using Microsoft Defender to detect any attacks. To use Defender, you must first configure the AMSI integration to give Defender visibility into SharePoint. Recent versions of SharePoint have the AMSI integration enabled by default.


Hiding Payloads in Linux Extended File Attributes, (Thu, Jul 17th)

This week, it's SANSFIRE[1]! I'm attending the FOR577[2] training (“Linux Incident Response & Threat Hunting”). On day 2, we covered the different filesystems and how data is organized on disk. In the Linux ecosystem, most filesystems (ext3, ext4, xfs, …) support “extended file attributes”, also called “xattr”. It's a file system feature that enables users to add metadata to files. This data is not directly exposed to the user and may contain anything related to the file (e.g. the author's name, a brief description, …). You may roughly compare this feature to the Alternate Data Streams (ADS) available in the Windows NTFS filesystem.


More Free File Sharing Services Abuse, (Wed, Jul 16th)

A few months ago, I wrote a diary about online services used to exfiltrate data[1]. In that diary, I mentioned some well-known services. One of them was catbox.moe[2]. Recently, I found a sample that was trying to download a payload from this website. I did some quick research and collected more samples!


Keylogger Data Stored in an ADS, (Tue, Jul 15th)

While many malware samples try to be “fileless” (read: they try to reduce their filesystem footprint to the bare minimum), another technique remains interesting: Alternate Data Streams or “ADS”[1]. This NTFS feature allows files to contain multiple data streams, enabling hidden or additional metadata to be stored alongside the main file content without being visible in standard file listings. A common usage of ADS is the “Mark of the Web”[2], which helps to flag files as suspicious or not depending on their origin.
