Tag Archives: SANS

Microsoft Patch Tuesday November 2023, (Tue, Nov 14th)

This post was originally published on this site

Today, Microsoft released patches for 64 different vulnerabilities in Microsoft products, 14 vulnerabilities in Chromium affecting Microsoft Edge, and five vulnerabilities affecting Microsoft's Linux distribution, Mariner. Three of these vulnerabilities are already being exploited, and three have been made public before the release of the patches. 

Noticing command and control channels by reviewing DNS protocols, (Mon, Nov 13th)

This post was originally published on this site

Malicious software pieces installed in computers call home. Some of them can be noticed because they perform DNS lookup and some of them initiates connection without DNS lookup. For this last option, this is abnormal and can be noticed by any Network Detection and Response (NDR) tool that reviews the network traffic by at least two weeks.

Visual Examples of Code Injection, (Thu, Nov 9th)

This post was originally published on this site

Code injection techniques (T1055 from MITRE[1]) is a common technique these days. It’s a nice way for an attacker to hide malicious code into a legit process. A deviation of this technique is called “Process Hollowing”[2] where code of the legit suspended process is wiped and replaced by malicious code. Code injection is performed by calling Microsoft API calls like: VirtualAllocEx(), NtUnmapViewOfSecrio(), WriteProcessMemory(), … (they are many others available)

Example of Phishing Campaign Project File, (Wed, Nov 8th)

This post was originally published on this site

We all have a love and hate relation with emails. When newcomers on the Internet starts to get emails, they are so happy but their feeling changes quickly. Then, they hope to reduce the flood of emails received daily… Good luck! Of course, tools have been developed to organize marketing campaigns. From marketing to spam or phishing, there is only one step. Bad guys started to use the same programs for malicious purpose.

What's Normal: New uses of DNS, Discovery of Designated Resolvers (DDR), (Tue, Nov 7th)

This post was originally published on this site

Collecting and analyzing DNS logs should be at the top of your agenda regarding network monitoring. Everything that happens on the network tends to be reflected in DNS, and events that do not correlate with DNS are often suspect themselves. For example, if a host connects to an IP address directly without first receiving it as a DNS response. But in recent years, DNS has moved more and more to encrypted channels. Starting with DNS over TLS (DoT), DNS over HTTPS (DoH), and lately DNS over QUIC (DoQ).

Exploit Activity for CVE-2023-22518, Atlassian Confluence Data Center and Server, (Mon, Nov 6th)

This post was originally published on this site

Last week, Atlassian published an advisory for CVE-2023-22518. The vulnerability is a trivial to exploit authentication bypass vulnerability [1]. Atlassian emphasized the importance of the advisory with a quote from its CISO: "There are no reports of active exploitation at this time; customers must take immediate action to protect their instances." On Friday, Atlassian confirmed that attackers are actively exploiting the vulnerability.

Multiple Layers of Anti-Sandboxing Techniques, (Tue, Oct 31st)

This post was originally published on this site

It has been a while that I did not find an interesting malicious Python script. All the scripts that I recently spotted were always the same: a classic intostealer using Discord as C2 channel. Today I found one that contains a lot of anti-sanboxing techniques. Let's review them. For malware, it's key to detect the environment where they are executed. When detonated inside a sandbox (automatically or, manually, by an Analyst), they will be able to change their behaviour (most likely, do nothing)

Flying under the Radar: The Privacy Impact of multicast DNS, (Mon, Oct 30th)

This post was originally published on this site

The recent patch to iOS/macOS for CVE-2023-42846 made me think it is probably time to write up a reminder about the privacy impact of UPNP and multicast DNS. This is not a new issue, but it appears to have been forgotten a bit [vuln]. In particular, Apple devices are well-known for their verbose multicast DNS messages.