SANS.edu Internet Storm Center - SANS Internet Storm Center
SANS.edu Internet Storm Center. Today's Top Story: The Curious Case of a 12-Year-Old Netgear Router Vulnerability;
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
I previously used Power BI [;2]; to analyze DShield sensor data and this time I wanted to show how it could be used by selecting certain type of data as a large dataset and export it for analysis. This time, I ran a query in Elastic Discover and exported that data to analyze it in PowerBI into a CSV format. The first step was to run a query in Discover and select the past 60 days with the following query: file.name : *
Today, I noticed increased scans for the VMWare Hyprid Cloud Extension (HCX) "sessions" endpoint. These endpoints are sometimes associated with exploit attempts for various VMWare vulnerabilities to determine if the system is running the extensions or to gather additional information to aid exploitation.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The March patch Tuesday looks like a fairly light affair, with only 51 vulnerabilities total and only six rated as critical. However, this patch Tuesday also includes six patches for already exploited, aka "0-Day" vulnerabilities. None of the already exploited vulnerabilities are rated as critical.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
I returned from another FOR610[1] class last week in London. One key tip I give to my students is to keep an eye on "strange" API calls. In the Windows ecosystem, Microsoft offers tons of API calls to developers. The fact that an API is used in a program does not always mean we are facing malicious code, but sometimes, some of them are derived from their official purpose. One of my hunting rules for malicious scripts is to search for occurrences of the ctypes[2] library. It allows Python to call functions in DLLs or shared libraries.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Looking over some weblogs on my way back from class in Baltimore, I feel a reminder is appropriate that (a) weblogs are still a thing and (b) what some of the common webshells are that attackers are looking for.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Using the Kibana interface, sometimes it can be difficult to find traffic of interest since there can be so much of it. The 3 logs used for traffic analysis are cowrie, webhoneypot and the firewall logs. Other options to add to the honeypot are packet capture, netflow and Zeek.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Lately, attackers have gotten more creative and aggressive in trying to find various credential files on exposed web servers. Our "First Seen" page each day shows many new versions of scans for secrets files like ".env".
Just a quick update. I fixed a big bug in my mac-robber.py script about 2 weeks ago, but realized I hadn&#;x26;#;39;t published a diary about it. I didn&#;x26;#;39;t go back and figure out how this one slipped in because I&#;x26;#;39;m sure it worked originally, but it was generating bad output for soft/symbolic links. If. you are using the script, please update immediately.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The Mark of the Web (MoTW) is file metadata in Windows that marks a file that was obtained from an untrusted source.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Wireshark release 4.4.5 was released soon after 4.4.4 : it fixes a bug that makes Wireshark crash when clicking on a column title/header.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
I spotted new Njrat[1] samples that (ab)use the Microsoft dev tunnels[2] service to connect to their C2 servers. This is a service that allows developers to expose local services to the Internet securely for testing, debugging, and collaboration. It provides temporary, public, or private URLs that will enable remote access to a development environment without deploying code to production. Dev tunnels create a secure, temporary URL that maps to a local service running on your machine, they work across firewalls and NAT, and their access can be restricted. This is a service similar to the good old ngrok[3].
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
[This is a Guest Diary by Robin Zaheer, an ISC intern as part of the SANS.edu Bachelor&#;39;s Degree in Applied Cybersecurity (BACS) program [1].]
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
I&#;x26;#;39;ve been a big fan of Ryan Benson&#;x26;#;39;s unfurl[1] tool since he released it a little over 5 years ago. Unfurl is a tool that can parse/decode URLs including things like embedded timestamps and IP addresses. It can be run in gui form via a web browser or as a command-line tool (my preference). Well, last week, Ryan released an update to v2025.02[2,3] of unfurl and added the ability to decode BlueSky URLs (among other bugfixes). I&#;x26;#;39;ve also updated my docker container[4] to run the command-line version of unfurl as well.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Wireshark release 4.4.4 fixes 1 vulnerability (%%CVE:2025-1492%%) and 12 bugs.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Over the years, I&#;x26;#;39;ve written a number of scripts to make my life easier. One of those tools was sigs.py (which was a rewrite of an old perl script sigs.pl) to hash files. I wanted something portable that could potentially be a drop-in replacement for things like md5sum, sha1sum, etc. (and can do hashes like sha512, sha3-224, and sha3-384). I&#;x26;#;39;ve even had cases where my python script ran faster than those Linux tools. Anyway, in some recent cases I&#;x26;#;39;ve been working on, I&#;x26;#;39;ve been getting manifests with hashes and to validate that I got good copies, I wanted to verify the hashes. Sometimes I was getting md5s, sometimes, sha1s, sometimes sha256s. On Linux, md5sum, sha1sum, sha256sum, etc. have the -c switch to do the checking, but my script did not have that, so I took an hour over a weekend recently and I added that capability. The script determines which hash to use based on the length of the hash it finds in the text file, so it can check any of the hashes it can calculate.
With the Elastic released of version 8.17.0, it included "The technical preview of new MATCH and query string (QSTR) functions in ES|QL makes log searches easier and more intuitive."[1] With this released, I started exploring some of the many options available with ES|QL in Kibana [2], enabled by default, to do various types of queries to quickly summarize data, outside of the default or custom dashboards.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
While hunting, I spent some time trying to deobfuscate a malicious file discovered on VT. It triggered my PowerShell rule. At the end, I found two files that look close together:
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Protect AI's OSS portfolio includes tools aimed at improving security of AI/ML software. These tools are meant for a wide range of engineering, security and ML practitioners including developers, security engineers/researchers, ML engineers, LLM engineers and prompt engineers, and data scientists. Of particular interest in light of model serialization attacks is ModelScan.
Last week, CISA and other national cyber security organizations published an extensive document outlining "Guidance and Strategies to Protect Network Edge Devices." &#;x26;#;x5b;1&#;x26;#;x5d;&#;x26;#;xc2;&#;x26;#;xa0;The document is good but also very corporate and "bland." It summarizes good, well-intended advice that will help you secure edge devices. But reading it also made me think, "That&#;x26;#;39;s it?" Not that I expected earth-shattering advice eliminating vulnerabilities brought on by accumulating deceased worth of abandoned ware still peddled at often relatively high costs. But I don&#;x26;#;39;t know; maybe something more actionable would be helpful.&#;x26;#;xc2;&#;x26;#;xa0;
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
What do I mean by “IP volatility� Today, many organizations use cloud services and micro-services. In such environments, IP addresses assigned to virtual machines or services can often be volatile, meaning they can change or be reassigned to other organizations or users. This presents a risk for services relying on static IPs for security configurations and may introduce impersonation or data leakage issues.
I found a Python script that implements a funny anti-analysis trick. The script has a low score on VT (4/59) (SHA256:d716c2edbcdb76c6a6d31b21f154fee7e0f8613617078b69da69c8f4867c9534)&#;x26;#;x5b;1&#;x26;#;x5d;. This sample attracted my attention because it uses the tkinter&#;x26;#;x5b;2&#;x26;#;x5d; library.&#;x26;#;xc2;&#;x26;#;xa0;This&#;x26;#;xc2;&#;x26;#;xa0;library&#;x26;#;xc2;&#;x26;#;xa0;is used to create graphical user interfaces (GUIs). It provides tools to create windows, dialogs, buttons, labels, text fields, and other interactive elements, allowing developers to build desktop applications with visual interfaces in Python. Most Python scripts are intended to be executed from a command line. That&#;x26;#;39;s why I consider this library as a good sign of suspicious behavior (It does not mean that all Python scripts using this library are malicious!)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Over the past several weeks, I have been testing various enhancements to the DShield SIEM, to process DShield sensor log from local and cloud sensors with Filebeat and Filebeat modules to easily send Zeek and NetFlow logs back to a local network ELK stack via home router natting. This is a list of updates and enhancements:
Blue teams have it hard – they maintain a watchful eye on whatever technology is deployed to detect threats, respond to incidents, perform digital forensics and reverse malware (or make malware happy!) when needed. Hopefully, no one has to handle all these roles alone since there is also the continuous learning aspect of getting up to speed with the latest threat vectors, vulnerabilities and exploit techniques. Adversaries only need one attack to succeed to gain actions on objective. In contrast, defenders have to detect and stop every attack to prevent adversaries from being successful. Let's now extrapolate to an even bigger problem – what if this happens on emerging/future technologies and adversaries can get away with such crimes?
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
This month, Microsoft has released patches addressing a total of 141 vulnerabilities. Among these, 4 are classified as critical, highlighting the potential for significant impact if exploited. Notably, 2 vulnerabilities are currently being exploited in the wild, underscoring the urgency for immediate updates. Additionally, 1 vulnerability has been disclosed prior to this patch cycle, marking it as a zero-day. Users are strongly advised to prioritize these updates to safeguard their systems against potential threats.
ISC Stormcast For Tuesday, February 11th, 2025 https://isc.sans.edu/podcastdetail/9318
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
You can subscribe to this RSS to get more information