We last discussed SSLv2 support on internet-exposed web servers about a year ago, when we discovered that there were still about 450 thousand web servers that supported this protocol left on the internet[1]. We also found that a significant portion of these servers was located in Kazakhstan, Tunisia and in the U.S.[2]
Monthly Archives: June 2024
Configuration Scanners Adding Java Specific Configuration Files, (Mon, Jun 24th)
Hunting for configuration files is one of the favorite tricks we typically see used against our honeypots. Traditionally, standard and more generic configuration files like ".env" or ".config" are the target, with some cloud-specific configuration files sprinkled in.
Video Meta Data: DJI Drones, (Sun, Jun 16th)
New NetSupport Campaign Delivered Through MSIX Packages, (Mon, Jun 17th)
It's amazing to see how attackers reuse and combine known techniques to target their victims with new campaigns! Last week, I spotted some malicious MSIX packages on VT that drop a NetSupport[1] client preconfigured to phone home to an attacker's controlled manager. Remote support tools are really "cool" for attackers because they provide a perfect way to communicate with infected computers without the need to develop their own C2 infrastructure and protocol! If some are popular and often searched as evidence of compromise, like AnyDesk or TeamViewer), there are others, like NetSupport, that tend to remain below the radar. This one is available for free for 30 days (more than enough to launch a campaign) and provides all the expected features to interact with victims:
Overview of My Tools That Handle JSON Data, (Sat, Jun 15th)
The Art of JQ and Command-line Fu [Guest Diary], (Thu, Jun 13th)
Port 1801 Traffic: Microsoft Message Queue, (Wed, Jun 12th)
I planned a bit a more conclusive story here, but after running into issues decoding the packets and running out of time between looking at student papers, I figured I would leave it up to the audience π Maybe someone here better understands the Microsoft Message Queue (MSMQ) protocol.
Microsoft Patch Tuesday June 2024, (Tue, Jun 11th)
Microsoft's June 2024 update fixes a total of 58 vulnerabilities. 7 of these vulnerabilities are associated with Chromium and Microsoft's Brave browser. Only one vulnerability is rated critical. One of the vulnerabilities had been disclosed before today.
Attacker Probing for New PHP Vulnerablity CVE-2024-4577, (Sun, Jun 9th)
Finding End of Support Dates: UK PTSI Regulation, (Fri, Jun 7th)
One of the challenges with many IoT devices, in particular those targeting consumers and small businesses, is the ability to find how long a device is supported. This "expiration date" is becoming important as vulnerabilities are often discovered after a product no longer receives updates. In this case, users are often out of luck and left with a vulnerable device. Manufacturers will often not even acknowledge the vulnerability or provide notifications to users.