This post was originally published on this site

Adobe released a patch for a critical vulnerability in Flash Player [1]. According to Adobe, details about the vulnerability have already been made public. Succesful exploitation does allow arbitrary code execution. Widespread exploitation may be imminent. This is of course, in particular, worrying ahead of the long weekend (in the US) with many IT shops running on a skeleton crew. Try to patch this before you head out on Wednesday, or maybe the weekend shift can take care of it.

Of course, over the weekend you may be asked to look at issues with relative’s systems. I recommend that you first apply all patches, including this one, then disable Flash. By first patching, and later disabling, you increase your chances of a patched version being installed once the user decides to re-enable Flash.

Google Chrome and Microsoft’s Edge browser also need to be updated. Both include Flash by default and are vulnerable.

[1] https://helpx.adobe.com/security/products/flash-player/apsb18-44.html

 

—
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

This post was originally published on this site

VMware notified us that they released a new security bulletin[1] (rated as “critical”) which affects vSphere Data Protection (VDP).

VDP is vulnerable because it is based on Dell EMC Avamar Virtual Edition. Multiple vulnerabilities have been disclosed today in this solution:

• A remote code execution vulnerability (%%cve:2018-11066%%): A remote unauthenticated attacker could potentially exploit this vulnerability to execute arbitrary commands on the server.
• An open redirection vulnerability (%%cve:2018-11067%%): A remote unauthenticated attacker could potentially exploit this vulnerability to redirect application users to arbitrary web URLs by tricking the victim users to click on maliciously crafted links. The vulnerability could be used to conduct phishing attacks that cause users to unknowingly visit malicious sites.

Patches are available for both products.

This is a perfect example of how a product ‘A’ can affect a product ‘B’ when technologies are reused across multiple solutions.

[1] https://www.vmware.com/security/advisories/VMSA-2018-0029.html
[2] https://seclists.org/fulldisclosure/2018/Nov/49

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

This post was originally published on this site

Cortex is a tool part of the TheHive project[1]. As stated on the website, it is a “Powerful Observable Analysis Engine”. Cortex can analyze observables like IP addresses, emails, hashes, filenames against a huge (and growing) list of online services. I like the naming convention used by Cortex. We have “observables” that can be switched later to an “IOC” later if they are really relevant for us. Keep in mind that an interesting IOC for you could be totally irrelevant in another environment.

What makes Cortex so powerful and convenient is the long list of “analysers” (that’s how they call the plugins). Though those small pieces of code, you can, in one click, search for observables in many sources. Cortex is available through a web interface but its REST API makes it easy to interconnect with other tools to enrich the data. Two popular tools that can interact with Cortex are MISP[2] and TheHive[3]. From their web interface, I can easily enrich data using the following analyzers (they are enabled in my own instance of TheHive):

• Abuse_Finder_2_0
• CIRCLPassiveDNS_2_0
• CIRCLPassiveSSL_2_0
• Censys_1_0
• Cymon_Check_IP_2_1
• DShield_lookup_1_0
• DomainTools_ReverseIP_2_0
• DomainTools_ReverseNameServer_2_0
• DomainTools_ReverseWhois_2_0
• DomainTools_Risk_2_0
• DomainTools_WhoisHistory_2_0
• DomainTools_WhoisLookup_2_0
• DomainTools_WhoisLookup_IP_2_0
• EmlParser_1_0
• FileInfo_3_0
• Fortiguard_URLCategory_2_0
• HybridAnalysis_GetReport_1_0
• MISPWarningLists_1_0
• MISP_2_0
• MaxMind_GeoIP_3_0
• Msg_Parser_2_0
• OTXQuery_2_0
• Onyphe_Forward_1_0
• Onyphe_Geolocate_1_0
• Onyphe_Ports_1_0
• Onyphe_Reverse_1_0
• Onyphe_Threats_1_0
• PassiveTotal_Enrichment_2_0
• PassiveTotal_Malware_2_0
• PassiveTotal_Osint_2_0
• PassiveTotal_Passive_Dns_2_0
• PassiveTotal_Ssl_Certificate_Details_2_0
• PassiveTotal_Ssl_Certificate_History_2_0
• PassiveTotal_Unique_Resolutions_2_0
• PassiveTotal_Whois_Details_2_0
• Robtex_Forward_PDNS_Query_1_0
• Robtex_IP_Query_1_0
• Robtex_Reverse_PDNS_Query_1_0
• Shodan_Host_1_0
• Shodan_Search_1_0
• URLhaus_1_0
• VirusTotal_GetReport_3_0
• VirusTotal_Scan_3_0
• WOT_Lookup_1_0

Writing new analyzers is very simple, an API is provided and any language can be used (by most of them are written in Python). Some analyzers query open services, others query private services (you need an API) or commercial services (you need a subscription). As you can see, there is an analyzer called “DShield_lookup”. That’s my contribution to the project. From Cortex, MISP, TheHive, you can query our DShield database to get more information about an IP address:

When if you click on the DShield tag, you can more details:

The DShield analyzer has been added to the official repository by the developers a few weeks ago. Just deploy Cortex and enable it to benefit from our DShield database!

[1] https://thehive-project.org/#section_cortex
[2] http://misp-project.org/
[3] https://thehive-project.org/#section_thehive

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

This post was originally published on this site

How do you manage your digital library on a daily basis? If like me, you are receiving a lot of emails, notifications, tweets, [name your best technology here], they are chances that you’re flooded by tons of documents in multiple formats. This problem is so huge that, if I’m offline for a few days or too busy to handle the information in (almost) real time, it costs me a lot of extra time to process the waiting queue. While surfing, there are also a lot of documents that are not immediately useful but “could be”. Do you also have a bad feeling when you delete a document “that could be very interesting in the future?”. In fact, it’s like people who store everything in their home and that can’t trash them.

Here is a small list of data that I like to keep:

• Emails (from mailing lists)
• Tweets
• PDF/papers from security conferences
• Studies, white papers
• Software, firmware, …
• Configuration samples
• Collected data (pasties, DB dumps, Darkweb data, screenshots, …)

With electronic documents, we also have another dilemma: which kind of storage? Local or in the cloud? It’s easy to store documents in the cloud. They are indexed, they are available from everywhere. Plenty of tools and services provide this but… for how long? What if you upload a few TB of data in the cloud and the service disappear? Local storage has also caveats: how to handle the amount of data across years? How to backup? How to migrate to new or more powerful technologies? How to manage your NAS, patch them, etc.

Today, I still did not found the best way to complete this task. What I’m using at the moment:

• Splunk to index tweets, emails
• Evernote for documents (including PDF)
• Local NAS
• Cloud services with buckets like B2, C2, Amazon for long retention of data files
• Private Gitlab for configuration files, lists, pieces of code

And you? How do you manage your digital library? Please share your stories!

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.