abuse.ch has recently launched a new project called “URLhaus”. URLhaus is a project with the goal of sharing malicious URLs that are being used for malware distribution. Anybody can register with a Twitter account and share malicious URLs they have detected. The system will download and analyse the payload (trying to identify it) and then […]
From Russia with Love (and some help by Google)
Through some threat hunting on some OSINT platforms, I discovered a website hosting an image file named “image293.jpg” (6b872d1e949bd9d111168692301414bb685dc5c262ffae6f55f34c8041de0f5f VT | HA | ANY.RUN | Joe Sandbox). Trying to download the file shows that it is a redirect to Google’s short-url service goo.gl. From the link’s statistics page we can see that over 8500 redirects have been […]
Links of the Week 2018-01-04 (Meltdown & Spectre Special)
Vulnerability Site, Logo & FAQ
Meltdown and Spectre
CVE Numbers
CVE-2017-5753 and CVE-2017-5715 => Spectre
CVE-2017-5754 => Meltdown
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5753
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5754
Microsoft Patch
January 3, 2018—KB4056892 (OS Build 16299.192)
Red Hat Article
Kernel Side-Channel Attacks – CVE-2017-5754 CVE-2017-5753 CVE-2017-5715
Google Project Zero Blog Post
Today’s CPU vulnerability: what you need to know
US-CERT
Meltdown and […]
Links of the Week 2017-12-23
Welcome to my collection of interesting links for the week to 2017-12-23. The links are in no particular order.
Learning From Security Breaches in 2017
Preparing for the mandatory use of TLS 1.2 in Office 365
Russia’s Globex bank says hackers targeted its SWIFT computers
North Korea Bitten by Bitcoin Bug: Financially motivated campaigns […]
CVE-2017-0199 Exploit Builder Python Script
On Monday morning I came across a domain which had directory listing open for several subfolders. In most of the folders an Office Word document called “decoy.doc”, a PDF document named “p.doc” (yes, really), an exe and a Python script called “prothemusL_H.py” could be found. That Python script made me curious and I decided to […]
Extracting Payload URLs From Office Docs With CyberChef
For several months now, Emotet has been using various Office document fields (e.g. Author, Comments) for “hiding” the PowerShell code that downloads the exe payload. The actors behind the malware often change little things in their code to make automated extraction of the URLs harder. On November 8th a friend asked me for help on a […]
Compromised Arabic Domain Hosting Malicious Files
Today I came across a suspicious Word document while browsing Hybrid Analysis (it is always fun to see what is going on there). The document caught my eye for the single reason that it was called “swift message 1.docx” (c07fb4ab07e439463117cd7d060109cb814d928304e8828c3884ac2b88fece78). Since I work for a bank, I always have an urge to check out banking-related stuff […]
Links of the Week 2017-07-16
Welcome to my collection of interesting links for the week to 2017-07-16. The links are in no particular order.
Detailed incident report
Another day, another mass domain hijacking
NemucodAES Decryptor
Want to kill your IT security team? Put the top hacker in charge
Cloud Leak: How A Verizon Partner Exposed Millions of Customer Accounts […]
Links of the Week 2017-07-09
Welcome to my collection of interesting links for the week to 2017-07-09. The links are in no particular order.
94 .ch & .li domain names hijacked and used for drive-by
Report on July 7, 2017 incident
Schedule for BSidesLV 2017
Attack on Critical Infrastructure Leverages Template Injection
Broadpwn Bug Affects Millions of Android and […]
Leaking Your Customer Names and Tracking Numbers
Well, this seems like a big and “major f*ckup”! A recent Kickstarter campaign has leaked all the names of its backers (users that have financially supported the campaign) and all the tracking numbers. The data resides in a public Excel file on MediaFire and has over 1404 entries. They tried to identify backers that have not yet sent […]