Channel: SANS Internet Storm Center, InfoCON: green


It's in the signature., (Sun, Oct 15th)

We were contacted by a worried reader: he had found 2 seemingly identical µTorrent executables, with valid digital signatures, but different cryptographic hashes. With CCleaner's compromise in mind,...



WPA2 "KRACK" Attack, (Mon, Oct 16th)

Starting yesterday, word of a new attack against WPA2 started to take over security news feeds. This "Key Reinstallation Attack" (aka KRACK) can be used to substantially weaken many WPA2...



ISC Stormcast For Tuesday, October 17th 2017...

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Hancitor malspam uses DDE attack, (Tue, Oct 17th)

Introduction: Malicious spam (malspam) pushing Hancitor malware (also known as Chanitor or Tordal) changed tactics on Monday 2017-10-16. Instead of pushing Microsoft Word documents with malicious...


ISC Stormcast For Wednesday, October 18th 2017...




Baselining Servers to Detect Outliers, (Wed, Oct 18th)

Introduction: This week I came across an interesting incident response scenario that was more likely a blind hunt. The starting point was the suspicion that a breach may have occurred in one or more of...


HSBC-themed malspam uses ISO attachments to push Loki Bot malware, (Thu, Oct...

Introduction: ISO files are a format used for optical disk images like CD-ROMs or DVDs. Criminals sometimes use ISO files as attachments in malicious spam (malspam) to distribute malware. Here and...


ISC Stormcast For Thursday, October 19th 2017...




Necurs Botnet malspam pushes Locky using DDE attack, (Thu, Oct 19th)

Introduction: I've seen Twitter traffic today about malspam from the Necurs Botnet pushing Locky ransomware using Word documents as their attachments. These Word documents use the DDE attack technique,...



ISC Stormcast For Friday, October 20th 2017...


Using Yara rules with Volatility, (Fri, Oct 20th)

YARA is a tool designed to help malware researchers identify and classify malware samples. It's been called the pattern-matching Swiss Army knife for security researchers. Yarascan is a Volatility...


Cisco fixes for KRACKs not complete, (Fri, Oct 20th)

Cisco has updated their advisory from earlier in the week for CVE-2017-13082, Key Reinstallation Attacks, referred to as KRACKs. It appears the original updates did not completely address the CVE. New...


One year Anniversary of Dyn DDOS, (Fri, Oct 20th)

Today, October 21st, marks the one year anniversary of the DDOS attack on Dyn. The attack impacted Dyn's DNS service, and caused degradation or unavailability of several popular websites, including...



Is a telco in Brazil hosting an epidemic of open SOCKS proxies?, (Sun,...

This is a guest diary submitted by Alan Tu. Please let us know if you like this kind of post. I became interested in how criminals and bad actors conceal the origin point of their Internet traffic....


ISC Stormcast For Sunday, October 22nd 2017...



ISC Stormcast For Tuesday, October 24th 2017...



Stop relying on file extensions, (Tue, Oct 24th)

Yesterday, I found an interesting file in my spam trap. It was called '16509878451.XLAM'. To be honest, I was not aware of this extension and I found this on the web: "A file with the XLAM file...




BadRabbit: New ransomware wave hitting RU & UA, (Tue, Oct 24th)

About 2 hours ago, reports started to come in about a new ransomware wave hitting RU Media agency Interfax, but it is extending to others in both RU and UA...


ISC Stormcast For Wednesday, October 25th 2017...


DUHK attack, continuing a week of named issues, (Wed, Oct 25th)

DUHK (Don't Use Hard-coded Keys) is an attack that exploits devices that use the ANSI X9.31 Random Number Generator and have a hard-coded key. Turns out that hard-coded crypto keys are not that...
