  • Quick analysis of malware created with NSIS, (Sun, May 27th)
    Reader Ruben submitted a malicious executable (MD5 905a5167b248647ce31d57d241aacd63):

  • Capture and Analysis of User Agents, (Sun, May 27th)
    ISC collects web logs which also include User-Agents. If you are running a honeypot or a web server, it is fairly easy to quickly use some regex to parse the logs and get a count of what is most commonly seen. This is some of the activity I have observed over the past week: some well-known user agents associated with valid browser versions and some custom ones that are telltale signs of hacking tools:

  • Antivirus Evasion? Easy as 1,2,3, (Fri, May 25th)
    For a while, ISC handlers have demonstrated several obfuscation techniques via our diaries. We always told you that attackers are trying to find new techniques to hide their content so that it is not flagged as malicious by antivirus products. Some of them are quite complex. And sometimes, we find documents that have a very low score on VT. Here is a sample that I found (SHA256: bac1a6c238c4d064f8be9835a05ad60765bcde18644c847b0c4284c404e38810). It gets a score of 6/59[1], which is not bad (from an attacker's perspective). Is it a targeted attack? A new “APT” (buzzword!)? Not really…

  • ISC Stormcast For Friday, May 25th 2018, (Fri, May 25th)

  • "Blocked" Does Not Mean "Forget It", (Thu, May 24th)
    Today, organisations are facing regular waves of attacks, which are targeted... or not. We deploy tons of security controls to block them as soon as possible, before they successfully reach their targets. Due to the amount of information generated daily, most of the time we don't care about them once they have been blocked. A perfect example is blocked emails. But “blocked” does not mean that we can forget them; there is still valuable information in that data.