It has been a while that I did not find an interesting malicious Python script. All the scripts that I recently spotted were always the same: a classic intostealer using Discord as C2 channel. Today I found one that contains a lot of anti-sanboxing techniques. Let's review them. For malware, it's key to detect the environment where they are executed. When detonated inside a sandbox (automatically or, manually, by an Analyst), they will be able to change their behaviour (most likely, do nothing)

The recent patch to iOS/macOS for CVE-2023-42846 made me think it is probably time to write up a reminder about the privacy impact of UPNP and multicast DNS. This is not a new issue, but it appears to have been forgotten a bit [vuln]. In particular, Apple devices are well-known for their verbose multicast DNS messages.

This week, I'm teaching FOR610 in Manchester, and while my students are busy resolving some challenges, I'm looking at my hunting results from the previous days. I found an interesting sample. The file was delivered via an email with a URL pointing to a well-known file-sharing service: hxxps://www[.]Mediafire[.]com/file/o3m15ydxnhlm9w0/New+Purchase+Order+pdf.tgz/file. The file is not available anymore, but I was able to find it back on VirusTotal: "New Purchase Order pdf.tgz" (SHA256:7f351b32e6209496ef59c511dffaf9312508b53e476b1e77171af3d433b94087[1]) with a low score of 3/54.

It should be pretty easy to validate an IP address. IPv4 addresses are 32-bit unsigned integers, and IPv6 addresses are 128-bit unsigned integers. Things get "interesting" when developers attempt to validate IP addresses as a string. There have been a few interesting vulnerabilities around this issue (CVE-2021-28918, CVE-2021-29921, CVE-2021-29418).

Apple released iOS, iPadOS, macOS, tvOS, and Safari updates today. The iOS/macOS updates go back two "generations". This is particularly important for iOS 15, which now receives a patch for CVE-2023-32434, a vulnerability already exploited against earlier versions of iOS. This is also the only issue addressed for these earlier iOS versions.

I recently ran into an odd issue with IPv6 connectivity in my home network. During a lengthy outage, I decided to redo some of my network configurations. As part of this change, I also reorganized my IPv6 setup, relying more on DHCPv6 and less on router advertisements to configure IPv6 addresses. Overall, this worked well. My Macs had no issues connecting to IPv6. However, the Linux host I use to alert me of network connectivity issues could not "ping" the test host via IPv6.

VMware released advisories VMSA-2023-0021 and VMSA-2023-0022 that have been rated as important. They are as follows:

There are a variety of attacks seen from DShield honeypots [1]. Most of the time these commands are human readable. but every now and again they are obfuscated using base64 or hex encoding. A quick look for commands containing the "/x" delimiter give a lot of results encoded in hexadecimal. 

Spam and phishing SMS messages (sometimes called "smishing") have been problematic in recent years. These messages often bypass security controls and are more challenging to identify as malicious by users. Moreover, they can be just simply annoying.

While reviewing my DShield honeypot logs, I noticed for the first time something strange in my list of Top Username & Password where several domain name were use as password. Initially, I was under the impression this might be a parsing error by Logstash and decided to review the raw logs to make sure it was parsed correctly to confirm data integrity. Since username and passwords isn't something submitted to DShield, I reviewed my own raw logs to confirm the data was accurate and reviewed the capture rate of username/password combination for the past few weeks: