[SANS ISC] Sensitive Data Shared with Cloud Services

I published the following diary on isc.sans.edu: “Sensitive Data Shared with Cloud Services“: Yesterday was Data Protection Day in Europe. I was not on duty, so I’m writing this quick diary a bit late. Back in 2020, the Nitro PDF service suffered from a data breach that impacted many

The post [SANS ISC] Sensitive Data Shared with Cloud Services appeared first on /dev/random.


[SANS ISC] Another File Extension to Block in your MTA: .jnlp

I published the following diary on isc.sans.edu: “Another File Extension to Block in your MTA: .jnlp“: When hunting, one thing that I like to learn is how imaginative attackers can be at deploying new techniques. I spotted some emails that had suspicious attachments based on the ‘.jnlp’ extension. I’m pretty sure



[SANS ISC] Powershell Dropping a REvil Ransomware

I published the following diary on isc.sans.edu: “Powershell Dropping a REvil Ransomware“: I spotted a piece of PowerShell code that deserved some investigation because it makes use of RunSpaces. The file (SHA256:e1e19d637e6744fedb76a9008952e01ee6dabaecbc6ad2701dfac6aab149cecf) has a very low VT score: only 1/59! The technique behind RunSpaces is helpful to create new threads in the existing PowerShell



[SANS ISC] Malicious Word Document Delivering an Octopus Backdoor

I published the following diary on isc.sans.edu: “Malicious Word Document Delivering an Octopus Backdoor“: Here is an interesting malicious Word document that I spotted yesterday. This time, it does not contain a macro but two embedded objects that the victim must “activate” (click on one of them) to perform the malicious activities.



[SANS ISC] Malware Victim Selection Through WiFi Identification

I published the following diary on isc.sans.edu: “Malware Victim Selection Through WiFi Identification“: Last week, I found a malware sample that does nothing fancy (it’s a data stealer), but it has an interesting feature. It’s always interesting to have a look at the network flows generated by malware samples. For



[SANS ISC] Python Backdoor Talking to a C2 Through Ngrok

I published the following diary on isc.sans.edu: “Python Backdoor Talking to a C2 Through Ngrok“: I spotted a malicious Python script that implements a backdoor. The interesting behavior is the use of Ngrok to connect to the C2 server. Ngrok has been used for a while by attackers. Like most



[SANS ISC] Live Patching Windows API Calls Using PowerShell

I published the following diary on isc.sans.edu: “Live Patching Windows API Calls Using PowerShell“: It’s amazing how imaginative attackers can be when it comes to protecting themselves and preventing security controls from doing their job. Here is an example of a malicious PowerShell script that live-patches a DLL function



[SANS ISC] Malicious Python Code and LittleSnitch Detection

I published the following diary on isc.sans.edu: “Malicious Python Code and LittleSnitch Detection“: We all run plenty of security tools on our endpoints. Their goal is to protect us by preventing infection (or trying to). But all those security tools are present on our devices like normal applications



[SANS ISC] PowerShell Dropper Delivering Formbook

I published the following diary on isc.sans.edu: “PowerShell Dropper Delivering Formbook“: Here is an interesting PowerShell dropper that is nicely obfuscated and has anti-VM detection. I spotted this file yesterday, called ‘ad.jpg’ (SHA256:b243e807ed22359a3940ab16539ba59910714f051034a8a155cc2aff28a85088). Of course, it’s not a picture but a huge text file with Base64-encoded data. The VT score is therefore
