SANS Internet Storm Center
SANS Internet Storm Center - Cooperative Cyber Security Monitor

File2pcap - A new tool for your toolkit!, (Fri, May 26th)

May 26, 2017 - 7:42pm

One of our readers, Gebhard, submitted a pointer to a tool today, released by Talos, that I wasn't familiar with. However, when I realized it could generate packets, I had to try it out. It's called File2pcap. The concept of the tool is that instead of having to download a file and capture the traffic in order to write detection content, the tool would simulate the download and generate the traffic that you would see. You get a nice pcap in the end. I took a relatively benign phishing pdf (it had a link in it) and used it for my test. The tool doesn't have any documentation until you compile it and run it.

I ran a few test scenarios with it. One for HTTP and one for SMTP. For the HTTP, I used the following command line and specified a file name:

./file2pcap -mh -p 45678:8443 Wire_transfer_Notification.pdf -o httpout.pcap

It shows you if it's working versus just returning a command prompt:

Writing to httpout.pcap

You can see by the packets, it matches the ports I told it to use: [screenshot]

Here is what it looks like when you follow the TCP stream: [screenshot]

For the SMTP I ran the following command:

./file2pcap -ms Wire_transfer_Notification.pdf -o smptout.pcap

Here is the data from following the TCP stream: [screenshot]

I played with several of the options. You can also run more than one protocol in a single command line (you can't specify a file name running multiple modes, it will generate them for you):

./file2pcap -msh Wire_transfer_Notification.pdf

Writing to Wire_transfer_Notification.pdf-smtp.pcap
Writing to Wire_transfer_Notification.pdf-http-get.pcap

This is a very handy tool to have when you need to generate packets quickly to write content for file transfer detection. It's definitely one I'll add to my toolkit!

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security

ISC Stormcast For Friday, May 26th 2017, (Thu, May 25th)

May 26, 2017 - 12:10am

Critical Vulnerability in Samba from 3.5.0 onwards, (Thu, May 25th)

May 25, 2017 - 7:13am

Developers of Samba[1] disclosed a critical vulnerability that affects the file sharing component. Samba is a suite of tools that helps with interoperability between UNIX and Microsoft Windows. The vulnerable component is the daemon that offers file sharing capabilities.

As reported by HD Moore on his Twitter account[2], it's trivial to trigger the vulnerability (just a one-liner exploit). An attacker has to find an open SMB share (TCP/445),

nt pipe support = no

to the [global] section of your smb.conf and restart smbd.

Samba is a very popular tool and is used on many corporate networks. It is also a core component in many residential products like NAS. Many vendors could be affected (Synology, WD, Qnap, DLink, ...). Some vendors like Synology[5] already communicated about this issue and are working on a patch, but others might take more time to react. Home users do not patch their products and many NAS could remain vulnerable for a long time.

As always, if you are exposing writable SMB shares for your users, be sure to restrict access to authorised people/hosts and do NOT share data across the Internet. There is a risk that bad guys are already scanning the whole Internet.
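A check for the workaround and the share advice above, as an added example that is not part of the original diary: it parses an smb.conf, reports whether nt pipe support = no is set in [global], and lists writable shares. The function names and both sample configurations are constructed for illustration; include directives and line continuations are not followed.

```python
import re

_TRUE = {"yes", "true", "on", "1"}
_FALSE = {"no", "false", "off", "0"}
# smb.conf spells "not read only" three ways; all are inverted synonyms.
_WRITE_SYNONYMS = {"writeable", "writable", "writeok"}


def _as_bool(value, default):
    """Interpret a Samba boolean; fall back to the parameter's default."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    return default


def parse_smb_conf(text):
    """Return {section: {parameter: value}} with Samba-style name folding."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = "".join(name.split()).lower()     # names ignore case and spaces
        value = value.strip()
        if name in _WRITE_SYNONYMS:              # store as canonical "readonly"
            name, value = "readonly", "no" if _as_bool(value, False) else "yes"
        elif name == "public":                   # synonym of "guest ok"
            name = "guestok"
        current[name] = value                    # last occurrence wins
    return sections


def audit_smb_conf(text):
    """List findings: missing workaround in [global], and writable shares."""
    conf = parse_smb_conf(text)
    defaults = conf.get("global", {})
    findings = []
    # "nt pipe support" defaults to yes, so an absent line means enabled.
    if _as_bool(defaults.get("ntpipesupport"), True):
        findings.append("global: nt pipe support = no is not set")
    for share, params in conf.items():
        if share == "global":
            continue
        merged = {**defaults, **params}          # [global] supplies share defaults
        if not _as_bool(merged.get("readonly"), True):
            guest = _as_bool(merged.get("guestok"), False)
            findings.append(f"{share}: writable share"
                            + (", guest access allowed" if guest else ""))
    return findings


# Constructed sample: workaround commented out, one guest-writable share.
SAMPLE_BEFORE = """
[global]
    workgroup = EXAMPLE
    ; nt pipe support = no
[scans]
    path = /srv/scans
    Write Ok = Yes
    public = yes
[docs]
    path = /srv/docs
    read only = yes
"""

# Constructed sample: workaround applied, guest access removed.
SAMPLE_AFTER = """
[global]
    workgroup = EXAMPLE
    NT Pipe Support = No
[scans]
    path = /srv/scans
    writable = yes
    guest ok = no
[docs]
    path = /srv/docs
    read only = yes
"""

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_smb_conf(text))
```

A writable share is still reported after the workaround is applied, so that the access restrictions on it can be reviewed.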


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant


ISC Stormcast For Thursday, May 25th 2017, (Thu, May 25th)

May 25, 2017 - 1:00am

ISC Stormcast For Wednesday, May 24th 2017, (Wed, May 24th)

May 24, 2017 - 1:25am

Jaff ransomware gets a makeover, (Wed, May 24th)

May 24, 2017 - 1:05am


Since 2017-05-11, a new ransomware named Jaff has been distributed through malicious spam (malspam) from the Necurs botnet. This malspam uses PDF attachments with embedded Word documents containing malicious macros.
Shown above: Flow chart for this infection chain.

Prior to Jaff, we've seen waves of malspam using the same PDF attachment/embedded Word doc scheme to push Locky ransomware. Prior to that, this type of malspam was pushing Dridex.

With all the recent news about WannaCry ransomware, people might forget Jaff is an ongoing threat. Worse yet, some people might not know about it at all since its debut about 2 weeks ago. Jaff has already gotten a makeover, so an infected host looks noticeably different now. With that in mind, today's diary reviews a wave of malspam pushing Jaff ransomware from Tuesday 2017-05-23.

The emails

This specific wave of malspam used a fake invoice theme. It started on Tuesday 2017-05-23 as early as 13:22 UTC and lasted until sometime after 20:00 UTC. I collected 20 emails for today
Shown above: Screenshot from one of the emails.

As stated earlier, these emails all have PDF attachments, and each one contains an embedded Word document.
Shown above: The embedded Word document with malicious macros.

The traffic

Follow the entire infection chain, and you'll see minimal network traffic compared to other types of malware. The Word macros generate an initial URL to download an encoded Jaff binary, then we see one other URL for post-infection callback from an infected host. The initial HTTP request for Jaff returns an encoded binary that's been XORed with the ASCII string I6cqcYo7wQ. Post-infection traffic merely returns the string Created
Shown above: Alerts on the traffic using Security Onion with Suricata and the EmergingThreats Open ruleset.
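For analysts working from a pcap or a recovered file, the XOR encoding described above can be reversed as follows. This is an added example, not code from the diary: the key is the ASCII string quoted above, while the function names and the sample bytes (a constructed header-only stand-in for an executable) are assumptions. It also goes one step beyond the text by recovering the key from the encoded data alone, which shows why this encoding only hides the file from simple signature matching.

```python
from collections import Counter
from itertools import cycle

XOR_KEY = b"I6cqcYo7wQ"   # ASCII key reported in the diary for the 2017-05-23 wave


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """True when data has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def guess_key(encoded: bytes, key_len: int) -> bytes:
    """Recover a repeating XOR key of known length by majority vote.

    Executables contain long runs of zero padding and 0 XOR k == k, so the
    most common byte at each key position is the key byte itself.
    """
    if key_len <= 0 or key_len > len(encoded):
        raise ValueError("key_len must be between 1 and len(encoded)")
    return bytes(Counter(encoded[i::key_len]).most_common(1)[0][0]
                 for i in range(key_len))


def find_key(encoded: bytes, max_len: int = 32):
    """Try key lengths in order; return the first key that yields a PE file."""
    for key_len in range(1, min(max_len, len(encoded)) + 1):
        key = guess_key(encoded, key_len)
        if looks_like_pe(xor_repeating(encoded, key)):
            return key
    return None


def build_sample_pe() -> bytes:
    """Constructed stand-in for an executable: headers and padding only."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x80).to_bytes(4, "little")      # e_lfanew -> 0x80
    nt = b"PE\x00\x00" + b"\x4c\x01" + bytes(0x200 - 0x86)
    return bytes(dos) + nt


if __name__ == "__main__":
    encoded = xor_repeating(build_sample_pe(), XOR_KEY)   # what the download looks like
    print("encoded looks like PE:", looks_like_pe(encoded))
    print("decoded looks like PE:", looks_like_pe(xor_repeating(encoded, XOR_KEY)))
    print("key recovered without prior knowledge:", find_key(encoded))
```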

The infected Windows host

The encoded binary from this wave of malspam was stored to the user's AppData\Local\Temp directory as lodockap8. Then it was decoded and stored as levinsky8.exe in the same directory.
Shown above: The user's AppData\Local\Temp directory from an infected host on 2017-05-23.

On Tuesday 2017-05-23, Jaff ransomware had a makeover.
Shown above: Desktop of a Windows host infected with a Jaff ransomware sample from 2017-05-23.

Encrypted files had been previously appended with the .jaff file extension. On Tuesday 2017-05-23, encrypted files from my infected host were appended with a .wlu file extension.
Shown above: Jaff decryptor from a Windows host infected on 2017-05-23.

Indicators of Compromise (IoCs)

The following are examples of email subject lines and attachment names from Tuesday 2017-05-23:

  • Subject: Invoice(00-5523) -- Attachment name: 68-5182.pdf
  • Subject: Invoice(00-5832) -- Attachment name: 72-6353.pdf
  • Subject: Invoice(08-4031) -- Attachment name: 28-3137.pdf
  • Subject: Invoice(09-5337) -- Attachment name: 98-9897.pdf
  • Subject: Invoice(19-9273) -- Attachment name: 68-6414.pdf
  • Subject: Invoice(23-0458) -- Attachment name: 53-3366.pdf
  • Subject: Invoice(27-7813) -- Attachment name: 95-1750.pdf
  • Subject: Invoice(28-3137) -- Attachment name: 68-4200.pdf
  • Subject: Invoice(53-3366) -- Attachment name: 61-7808.pdf
  • Subject: Invoice(54-9434) -- Attachment name: 78-8672.pdf
  • Subject: Invoice(61-7808) -- Attachment name: 00-5832.pdf
  • Subject: Invoice(68-4200) -- Attachment name: 98-3753.pdf
  • Subject: Invoice(68-5182) -- Attachment name: 54-9434.pdf
  • Subject: Invoice(68-6414) -- Attachment name: 27-7813.pdf
  • Subject: Invoice(72-6353) -- Attachment name: 08-4031.pdf
  • Subject: Invoice(78-8672) -- Attachment name: 23-0458.pdf
  • Subject: Invoice(88-6908) -- Attachment name: 19-9273.pdf
  • Subject: Invoice(95-1750) -- Attachment name: 00-5523.pdf
  • Subject: Invoice(98-3753) -- Attachment name: 88-6908.pdf
  • Subject: Invoice(98-9897) -- Attachment name: 09-5337.pdf

The following are examples of spoofed email senders from Tuesday 2017-05-23:


The following are examples of SHA256 hashes for the PDF attachments from Tuesday 2017-05-23:


The following are examples of SHA256 hashes and file names for the embedded Word documents from Tuesday 2017-05-23:


The following is the sample of Jaff ransomware I saw on Tuesday 2017-05-23:

The following are URLs generated by malicious macros from the embedded Word documents. They're used to download the encoded Jaff ransomware binary:


The following is post-infection traffic from my infected Windows host:

  • port 80 - - GET /a5/
  • rktazuzi7hbln7sy.onion (tor domain for the decryption instructions)

Final words

Much of this malspam is easy to spot among the daily deluge of spam most organizations receive. However, this PDF attachment/embedded Word doc scheme is likely an attempt to bypass spam filtering.

As always, if your organization follows best security practices, you're not likely to get infected. For example, software restriction policies that deny binary execution in certain Windows directories can easily stop this infection chain. Even without software restriction policies, the intended victim receives warnings from both Adobe Reader and Microsoft Word during the infection process.

So why do we continue to see this malspam on a near-daily basis? I suppose as long as it's profitable for the criminals behind it, we'll continue to see this type of malspam. If anyone knows someone who's been infected with Jaff ransomware, feel free to share your story in the comments section.

Emails, malware samples, and pcaps associated with the 2017-05-23 Jaff ransomware malspam can be found here.

Brad Duncan
brad [at]


What did we Learn from WannaCry? - Oh Wait, We Already Knew That!, (Tue, May 23rd)

May 23, 2017 - 3:59pm

In the aftermath of last week's excitement over the WannaCry malware, I've had a lot of "lessons learned" meetings with clients. The results are exactly what you'd expect, but in some cases came as a surprise to the organizations we met with.
There was a whole outcry about not "victim shaming" during and after this outbreak, and I get that, but in most cases infections were process failures that the IT group didn't know they had. These "lessons learned" sessions have contributed to improving the situation at many organizations.

The short list is below - affected companies had one or more of the issues below:

1/ Patch
Plain and simple, when vendor patches come out, apply them. In a lot of cases, Patch Tuesday means Reboot Wednesday for a lot of organizations, or worst case Reboot Saturday. If you don't have a "test the patches" process, then in a lot of cases simply waiting a day or two (to let all the early birds test them for you) will do the job. If you do have a test process, in today's world it truly needs to take 7 days or less.
There are some hosts that you won't be patching. The million dollar MRI machine, the IV pump or the 20 ton punch press in the factory for instance. But you know about those, and you've segmented them away (in an appropriate way) from the internet and your production assets. This outbreak wasn't about those assets; what got hammered by Wannacry was the actual workstations and servers, the hospital stations in admitting and emergency room, the tablet that the nurse enters your stats into and so on. Normal user workstations that either weren't patched, or were still running Windows XP.

That being said, there are always some hosts that can be patched, but can't be patched regularly. The host that's running active military operations for instance, or the host that's running the call center for flood/rescue operations, e-health or suicide hotline. But you can't just give up on those - in most cases there is redundancy in place so that you can update half of those clusters at a time. If there isn't, you do still need to somehow get them updated on a regular schedule.

Lesson learned? If your patch cycle is longer than a week, in today's world you need to revisit your process and somehow shorten it up. Document your exceptions, put something in to mitigate that risk (network segmentation is a common one), and get Sr Management to sign off on the risk and the mitigation.

2/ Unknown Assets are waiting to Ambush You

A factor in this last attack was hosts that weren't in IT's inventory. In my group of clients, what this meant was hosts controlling billboards or TVs running ads in customer service areas (the menu board at the coffee shop, the screen telling you about retirement funds where you wait in line at the bank and so on). If this had been a Linux worm, we'd be talking about projectors, TVs and access points today.

One and all, I pointed those folks back to the Critical Controls list. In plain English, the first item is "know what's on your network" and the second item is "know what is running on what's on your network".

If you don't have a complete picture of these two, you will always be exposed to whatever new malware (or old malware) tests the locks at your organization.

3/ Watch the News.
.... And I don't mean the news on TV. Your vendors (in this case Microsoft) have news feeds, and there are a ton of security-related news sites, podcasts and feeds (this site is one of those, our StormCast podcast is another). Folks that watch the news knew about this issue starting back in 2015, when Microsoft started advising us to disable SMB1, then again last year (2016) when Microsoft posted their "We're Pleading with you, PLEASE disable SMB1" post. We knew specifically about the vulnerabilities used by Wannacry in January when the Shadowbrokers dump happened, we knew again when the patches were released in March, and we knew (again, much more specifically) when those tools went live in April. In short, we were TOLD that this was coming; by the time this was on the TV media, this was very old news.

4/ Segment your network, use host firewalls
In most networks, workstation A does not need SMB access to workstation B. Neither of them needs SMB access to the mail server or the SQL host. They do need that access to the SMB based shares on the file and print servers though. If you must have SMB version 1 at all, then you have some other significant issues to look at.
Really what this boils down to is the Critical Controls again. Know what services are needed by who, and permit that. Set up deny rules on the network or on host firewalls for the things that people don't need - or best case, set up denies for everything else. I do realize that this is not 100% practical. For instance, denying SMB between workstations is a tough one to implement, since most admin tools need that same protocol. Many organizations only allow SMB to workstations from server or management subnets, and that seems to work really nicely for them. It's tough to get sign-off on that sort of restriction; management often will see this as a drastic measure.

Disabling SMB1 should have happened months ago, if not year(s) ago.

5/ Have Backups
Many clients found out *after* they were infected by Wannacry that their users were storing data locally. Don't be that company - either enforce central data storage, or make sure your users' local data is backed up somehow. Getting users to sign off that their local data is ephemeral only, that it's not guaranteed to be there after a security event, is good advice, but after said security event IT generally finds out that even with that signoff, everyone in the organization still holds them responsible.

All too often, backups fall on the shoulders of the most Jr staff in IT. Sometimes that works out really well, but all too often it means that backups aren't tested, restores fail (we call that "backing up air"), or critical data is missed.

Best just to back up your data (all your data) and be done with it.

6/ Have a Plan

You can't plan for everything, but everyone should have had a plan for the aftermath of Wannacry. The remediation for this malware was the classic "nuke from orbit" - wipe the workstation's drives, re-image and move on. This process should be crystal-clear, and the team of folks responsible to deliver on this plan should be similarly clear.

I had a number of clients who even a week after infection were still building their recovery process, while they were recovering. If you don't have an Incident Response Plan that includes widespread workstation re-imaging, it's likely time to revisit your IR plan!

7/ Security is not an IT thing
Security of the assets of the company is not just an IT thing, it's a company thing. Sr Management doesn't always realize this, but this week is a good time to reinforce this concept. Failing on securing your workstations, servers, network and especially your data can knock a company offline, either for hours, days, or forever. Putting this on the shoulders of the IT group alone isn't fair, as the budget and staffing approvals for this responsibility are often out of their hands.

Looking back over this list, it comes down to: Patch, Inventory, Keep tabs on Vendor and Industry news, Segment your network, Backup, and have an IR plan. No shame and no finger-pointing, but we've all known this for 10-15-20 years (or more) - this was stuff we did in the 80s back when I started, and we've been doing since the 60s. This is not a new list - we've been at this 50 years or more, we should know this by now. But from what was on TV this past week, I guess we need a refresher?

Have I missed anything? Please use our comment form if we need to add to this list!

Rob VandenBrink


Infocon: green

May 23, 2017 - 1:45pm
ISC Stormcast For Tuesday, May 23rd 2017

ISC Stormcast For Tuesday, May 23rd 2017, (Tue, May 23rd)

May 23, 2017 - 2:00am

Investigating Sites After They are Gone; And a Case of Uber Phishing With SSL, (Mon, May 22nd)

May 22, 2017 - 9:53pm

A reader sent us an interesting find of a phishing site that is going after Uber credentials. Uber credentials are often stolen and resold to obtain free rides. One method by which the credentials are stolen is phishing. The latest example is using convincing-looking Uber receipt emails. These emails feature a prominent link to a site that then requests the user's Uber credentials to log in. Overall, the site uses the expected Uber layout. But more: the site uses a valid SSL certificate.

Turns out that the site was hosted behind a Cloudflare proxy. Cloudflare does issue free SSL certificates, and just like most certificate authorities, it only requires proof of domain ownership to obtain this service. This does make it more difficult to distinguish a fake site from the real thing.

Now by the time I started to investigate this, the original site was already taken down. But there was still some evidence left to see what happened. First of all, passive DNS databases did record the IP address of the site, which pointed to Cloudflare. Secondly, when searching certificate transparency logs, it was clear that a certificate for this site was issued to Cloudflare. As with all Cloudflare certificates, the certificate was valid for a long list of hostnames hosted by Cloudflare. Sadly, it looks like whois history sites like Domaintools have no record of the site, so we do not know exactly when it was registered, but likely just before the domain started to get used.

Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute


ISC Stormcast For Monday, May 22nd 2017, (Mon, May 22nd)

May 22, 2017 - 1:20am

Typosquatting: Awareness and Hunting, (Sat, May 20th)

May 20, 2017 - 7:01am

Typosquatting has been used for years to lure victims. You receive an email or visit a URL with a domain name which looks like the official one. Typosquatting is the art of swapping, replacing, adding or omitting some letters to make a domain look like the official one. The problem is that the human brain will automatically correct what you see, and you think that you are visiting the right site. I remember that the oldest example of typosquatting that I saw was Be honest, at the first time, you read right? This domain was registered in 1997 but it has been taken back by Microsoft for a while. The longer your domain name, the more combinations of letters are available to generate fake domains. Sometimes it's difficult to detect rogue domains due to the font used to display them. An l looks like a 1 or a 0 looks like an O.

Yesterday, I found a nice phishing email related to DHL (the worldwide courier company). The message was classic: DHL claims that somebody passed by your home and nobody was present. But this time, it was not a simple phishing page trying to collect credentials, there was a link to a ZIP file. The archive contained a malicious HTA file that downloaded a PE file[1] and executed it. Let's put the malware aside and focus on the domain name that was used: a double L).

A quick check reveals that this domain is hopefully owned by DHL (not DHL Express but the Deutsche Post DHL

Domain Name:
Registry Domain ID: 123181256_DOMAIN_COM-VRSN
Registrar WHOIS Server:
Registrar URL:
Updated Date: 2016-09-23T04:00:10-0700
Creation Date: 2004-06-22T00:00:00-0700
Registrar Registration Expiration Date: 2017-06-22T00:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (
Domain Status: clientTransferProhibited (
Domain Status: clientDeleteProhibited (
Registry Registrant ID:
Registrant Name: Deutsche Post AG
Registrant Organization: Deutsche Post AG
Registrant Street: Charles-de-Gaulle-Strasse 20
Registrant City: Bonn
Registrant State/Province: -
Registrant Postal Code: 53113
Registrant Country: DE
Registrant Phone: +49.22818296701
Registrant Phone Ext:
Registrant Fax: +49.22818296798
Registrant Fax Ext:
Registrant Email:
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: Deutsche Post AG
Admin Street: Charles-de-Gaulle-Strasse 20
Admin City: Bon
Admin State/Province: -
Admin Postal Code: 53113
Admin Country: DE
Admin Phone: +49.22818296701
Admin Phone Ext:
Admin Fax: +49.22818296798
Admin Fax Ext:
Admin Email:
Registry Tech ID:
Tech Name: Technical Administrator
Tech Organization: DHL
Tech Street: 8701 East Hartford Drive
Tech City: Scottsdale
Tech State/Province: AZ
Tech Postal Code: 85255
Tech Country: US
Tech Phone: +1.4089616666
Tech Phone Ext:
Tech Fax: -
Tech Fax Ext:
Tech Email:
Name Server:
Name Server:
DNSSEC: unsigned

The zone is also hosted on the DHL name servers. It's a good point that DHL registered potentially malicious domains but... if you do this, don't only park the domain, go further and really use it! Just because the domain has been registered by the official company doesn't mean that bad guys cannot abuse it to send spoofed emails.

First point: or do not resolve to an IP address. If you register such domains, create a website, make them point to it and log who's visiting the fake page. You can display an awareness message or just redirect to the official site. This will also prevent your customers from landing on a potentially malicious site and improve their experience with you.

The second point is related to the MX records. No MX records were defined for the domain. Like with the web traffic, build a spam trap to collect all messages that are sent to * doing this, you will capture potentially interesting traffic and you will be able to detect if the domain is used in a campaign (ex: you will catch all the non-delivery receipts in the spam trap).

Finally, add an SPF[2] record for the domain. This will reduce the amount of spam and phishing campaigns.

To conclude, registering domain names derived from your company's name is the first step, but don't just park them, use them for hunting and awareness!

A quick reminder about the tool dnstwist[3] which is helpful

# docker run -it --rm jrottenberg/dnstwist --ssdeep --mxcheck --geoip

dnstwist {1.01}

Fetching content from: ... 200 OK (396.3 Kbytes)
Processing 56 domain variants ................ 48 hits (85%)

[Result table: one row per domain variant, by type: Original*, Bitsquatting, Homoglyph, Hyphenation, Insertion, Omission, Repetition, Replacement, Subdomain, Transposition, Various]


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant


ISC Stormcast For Friday, May 19th 2017, (Fri, May 19th)

May 19, 2017 - 3:25am

My Little CVE Bot, (Thu, May 18th)

May 18, 2017 - 7:55am

The massive spread of the WannaCry ransomware last Friday was another good proof that many organisations still fail to patch their systems. Everybody admits that patching is a boring task. There are many constraints that make this process very difficult to implement and... apply! That's why any help is welcome to know what to patch and when. This is the key:

  • What to patch? What are the applications/appliances that are deployed in your infrastructure?
  • When to patch? When are new vulnerabilities discovered?

The classification of vulnerabilities is based on the CVE (or Common Vulnerabilities and Exposures) standard maintained by [1]. To explain briefly, when a security researcher or a security firm finds a new vulnerability, a CVE number is assigned to it (CVE-YYYY-NNNNN). The CVE contains all the details of the vulnerability (which application/system is affected, the severity and much more information). As an example, the vulnerability exploited by WannaCry was CVE-2017-0143.

Those CVEs are stored in open databases and many organisations are using them and provide online services like [2]. There are plenty of them that offer almost all the same features but they don

Based on cve-search, I can provide details about new CVEs to my customers or any other organisations just by querying the database. Indeed, reading the daily flow of CVEs is difficult and useless for many people. They have to focus on what affects them. To help them, I'm using a quick

email_contact | days_to_check | output_format | product_definition [ | product_definition ] ...

The script will parse this config file and search for new CVE for each product definition. Results will be sent via email to the specified address.

As I

Of course, the main requirement is to know what you are using on your infrastructure. The information used in the config file to describe the products is based on the CPE standard[6], which categorises applications, operating systems and hardware devices. This information can be found by Nmap. An alternative is to use the following tool on your own network (only!): cve-scan[7]. It scans hosts and searches for vulnerabilities in the cve-search database.

My script is available on my GitHub repository[5].
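The configuration line format shown above, worked through as an added example that is not the author's script: it parses each line and selects, from a list of CVE records, those published within days_to_check that affect one of the listed products. The record layout, the use of CPE URI prefixes as product definitions, the # comment syntax, the placeholder CVE ids and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Watch:
    email: str
    days: int
    output_format: str
    products: list


def parse_watch_line(line):
    """Parse: email_contact | days_to_check | output_format | product [| product ...]"""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) < 4 or not all(fields):
        raise ValueError(f"expected at least 4 non-empty fields: {line!r}")
    email, days, fmt, *products = fields
    if "@" not in email:
        raise ValueError(f"not an email address: {email!r}")
    if not days.isdigit() or int(days) < 1:
        raise ValueError(f"days_to_check must be a positive integer: {days!r}")
    return Watch(email, int(days), fmt, products)


def parse_config(text):
    """Parse a whole config; blank lines and # comments are skipped (assumption)."""
    return [parse_watch_line(l) for l in map(str.strip, text.splitlines())
            if l and not l.startswith("#")]


def cpe_matches(product, cpe):
    """Component-wise prefix match, so 'samba' does not match 'samba_tools'."""
    want = product.lower().split(":")
    have = cpe.lower().split(":")
    return have[:len(want)] == want


def new_cves_for(watch, cves, today):
    """Ids of CVEs published within the watch window that affect a watched product."""
    cutoff = today - timedelta(days=watch.days)
    hits = []
    for cve in cves:
        if cve["published"] < cutoff:
            continue
        if any(cpe_matches(p, c) for p in watch.products for c in cve["cpes"]):
            hits.append(cve["id"])
    return sorted(hits)


# Constructed config and CVE records; ids are placeholders, not real CVEs.
SAMPLE_CONFIG = """
# contact | days | format | products
soc@example.org | 7 | text | cpe:/a:samba:samba | cpe:/o:microsoft:windows_7
"""

SAMPLE_CVES = [
    {"id": "CVE-0000-0001", "published": date(2017, 5, 16),
     "cpes": ["cpe:/a:samba:samba:4.5.0"]},
    {"id": "CVE-0000-0002", "published": date(2017, 4, 1),      # outside the window
     "cpes": ["cpe:/a:samba:samba:4.4.0"]},
    {"id": "CVE-0000-0003", "published": date(2017, 5, 17),     # different product
     "cpes": ["cpe:/a:samba:samba_tools:1.0"]},
    {"id": "CVE-0000-0004", "published": date(2017, 5, 12),
     "cpes": ["cpe:/o:microsoft:windows_7:-:sp1"]},
]

if __name__ == "__main__":
    for watch in parse_config(SAMPLE_CONFIG):
        print(watch.email, new_cves_for(watch, SAMPLE_CVES, date(2017, 5, 18)))
```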


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant


ISC Stormcast For Thursday, May 18th 2017, (Thu, May 18th)

May 18, 2017 - 5:05am
Categories: Security

Wait What? We don't have to change passwords every 90 days?, (Wed, May 17th)

May 17, 2017 - 10:56pm

/. recently published a post covering a draft NIST standard that is in review [1]. This handler thought it would cause a disturbance in the force, but so far no one is discussing it. One of the big standout changes is no more periodic password changes [2]. There are several others as well, and CSO Online has a fantastic summary review [3].

There are some clear differences that stand out right away in the introduction. As with most things, standards evolve as we learn.

Electronic authentication (e-authentication) is the process of establishing confidence in user identities electronically presented to an information system. E-authentication presents a technical challenge when this process involves the remote authentication of individual people over a network. This recommendation provides technical guidelines to agencies to allow an individual person to remotely authenticate his/her identity to a Federal Information Technology (IT) system. [4]

Digital identity is the unique representation of a subject engaged in an online transaction. A digital identity is always unique in the context of a digital service, but does not necessarily need to uniquely identify the subject. In other words, accessing a digital service may not mean that the physical representation of the underlying subject is known. [2]

The new draft goes on from there to outline digital identity, attempts to clearly define access, and uses more risk-based language.

One clear change that will shock users is the removal of periodic password changes. The handlers agree that a strong review of this draft is in order for security professionals as we can hear the users now:

Wait, you have been forcing me to change my passwords ALL THIS time, and now you're saying it is not needed?

Another section that should be reviewed and discussed deeply is 5.2.7 Verifier Compromise Resistance. According to the section there should be some mechanism to verify compromise resistance. One could interpret this as running passwords against breached credential databases; however, this is not specifically called out [2] [3].

In conclusion, this standard is a strong deviation from previous recommendations and should be reviewed for impact to your security practice. (There is that disturbance in the force we were looking for).





Categories: Security

ISC Stormcast For Wednesday, May 17th 2017, (Wed, May 17th)

May 17, 2017 - 4:10am
Categories: Security

WannaCry? Do your own data analysis., (Tue, May 16th)

May 16, 2017 - 11:01pm

In God we trust. All others must bring data. ~Bob Rudis

With endless amounts of data, technical detail, and insights on WannaCrypt/WannaCry, and even more FUD, speculation, and even downright trolling, herein is a proposal for you to do your own data-driven security analysis. My favorite book to help you scratch that itch? Data Driven Security: Analysis, Visualization and Dashboards, by Jay Jacobs and Bob Rudis. Here are a few quick samples, using WannaCry data and R, the open source programming language and software environment for statistical computing and graphics. If ever you wanted to pick up a bit of immediately useful programming, R is for you.

Our good friends over at Team Cymru tweeted out a great GitHub Gist WannaCry factsheet; therein are a number of useful resources, many leading to other good reads. I easily tracked down a list of malicious IPs associated with WannaCry.


You can always learn interesting insights from IPs and this situation is no different. In very few lines of R, we can identify and visualize the data for further insight. I'll walk you through it. First, let's pull in the libraries we need to do some IP geolocation, create a word cloud, make said word cloud more color rich, and make a nice plot.


We then need to read in Maxmind data (GeoLite2-Country) and call Oliver Key and @hrbrmstr's rgeolocate package.

file <- system.file("extdata", "GeoLite2-Country.mmdb", package = "rgeolocate")

Follow that with our malicious WannaCry IP addresses.

ips - c(,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Finally, we pull it all together and receive our first results file.

results <- maxmind(ips, file, c("continent_name", "country_code", "country_name"))

And in one fell swoop, we create a word cloud from our data.

wordcloud(results$country_name, max.words = 100, min.freq = 1, random.order = FALSE, rot.per = 0.35, colors = brewer.pal(8, "Dark2"))

Hmm, looks like most of the malicious IPs are in Germany. :-)

Prefer to visualize that a different way? No problem, we'll run a quick count and use plotH to create a scatterplot with histogram-like bars.

ct <- count(results$country_name)
plotH(freq ~ x, data = ct, ylab = "Frequency", xlab = "Country", col = "blue")

Give it a try for yourself. When events such as WannaCry have you frustrated and down, you can at least take data-driven security analysis into your own hands.

Resources for this article:

Categories: Security

ISC Stormcast For Tuesday, May 16th 2017, (Tue, May 16th)

May 16, 2017 - 4:10am
Categories: Security

WannaCry/WannaCrypt Ransomware Summary, (Mon, May 15th)

May 15, 2017 - 11:30pm
Update New Kill Switch Confirmed:

kill switch: ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf[.]com



After a consensus among the handlers we are moving infocon back to green. We will continue to monitor and update this situation as it evolves. Please keep the reports and observations flowing in! We will leave the diaries on WannaCry up for another few hours then move back to regular posts.

If you have not seen it, Dr J put together an excellent presentation on this situation, and we have a Slack DShield channel (Slack) where you can join the real-time chatter.

@packetalien Handler on Duty

The ransomware was first noticed on Friday and spread very quickly through many large organizations worldwide [verge]. Unlike prior ransomware, this sample used the SMBv1 ETERNALBLUE exploit to spread. ETERNALBLUE became public about a month ago when it was published as part of the Shadowbroker archive of NSA hacking tools [shadow].

A month prior to the release of the hacking tool, Microsoft had patched the vulnerability as part of the March Patch Tuesday release. The patch was released for Windows Vista, Windows Server 2008 and later versions of Windows as part of MS17-010 in March [MS17-010]. In response to the rapid spread of WannaCry, on Friday Microsoft released a patch for older versions of Windows, going back to Windows XP and Windows Server 2003 [msft].

At the time of the initial WannaCry outbreak, we also noticed a significant increase in scanning for port 445 [port445]. The increase was likely caused by infected systems scanning for more victims. It is not clear how the infection started. There are some reports of e-mails that include the malware as an attachment seeding infected networks. But at this point, no actual samples have been made public. It is possible that the worm entered a corporate network via vulnerable hosts that had port 445 exposed to the internet. The WannaCry malware itself has no e-mail component.
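The port 445 scanning noted above shows up in flow or firewall logs as one source contacting many distinct hosts on TCP/445 in a short time. The following detection is an added example, not from the diary; the log line format, the 60-second window and the threshold of 5 distinct destinations are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> SRC=<ip> DST=<ip> PROTO=TCP DPT=<port>"
LINE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) PROTO=TCP DPT=445\b")

def smb_fanout(lines, window=timedelta(seconds=60), threshold=5):
    """Return {src: peak number of distinct TCP/445 destinations seen inside
    one sliding window} for every source that reaches the threshold.
    Lines must be in time order per source."""
    recent = defaultdict(deque)            # src -> (timestamp, dst) pairs in window
    peak = {}
    for line in lines:
        m = LINE.match(line)
        if not m:                          # other ports and malformed lines
            continue
        ts = datetime.fromisoformat(m.group(1))
        src, dst = m.group(2), m.group(3)
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:       # expire entries older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            peak[src] = max(peak.get(src, 0), distinct)
    return peak

def sample_log():
    """Constructed log lines covering one sweep and three benign patterns."""
    t0 = datetime(2017, 5, 12, 10, 0, 0)
    def row(sec, src, dst, port):
        ts = (t0 + timedelta(seconds=sec)).isoformat()
        return f"{ts} SRC={src} DST={dst} PROTO=TCP DPT={port}"
    rows = [row(i, "10.0.0.5", f"10.0.1.{i + 1}", 445) for i in range(8)]   # fast sweep
    rows += [row(i, "10.0.0.9", "10.0.0.2", 445) for i in range(20)]        # one file server
    rows += [row(i * 120, "10.0.0.8", f"10.0.2.{i + 1}", 445) for i in range(5)]  # slow, spread out
    rows += [row(i, "10.0.0.7", f"10.0.3.{i + 1}", 80) for i in range(6)]   # not SMB
    return rows

if __name__ == "__main__":
    for src, n in smb_fanout(sample_log()).items():
        print(f"{src} contacted {n} distinct hosts on TCP/445 within 60s")
```

Counting distinct destinations rather than connections keeps a busy client of a single file server from triggering the alert.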

The malware will first check if it can reach a specific website at

It will also check if a registry key is present. It will not run if either the registry key is present or the website is reachable. The domain has been registered and a web server has been set up by a security researcher. This significantly reduced the impact of WannaCry. A tool was released that will assist in setting the registry keys, which will also reduce the risk of infection. Over the weekend, reports indicated that new versions of the worm were spreading that used slightly different kill switches. But all current versions check a website and check for registry keys. Rendition Infosec released a Tearst0pper tool that can be used to set the registry entries. [tearst0pper]

The malware creates a 2048-bit RSA key pair. The private key is encrypted using a public key that is included with the malware. For each file, a new random AES key is generated. This random AES key is then encrypted using the public user key. To decrypt the files, the user's private key needs to be decrypted, which requires the malware author's private key. Unlike some other ransomware, no network communication is needed to generate these keys [pastebin]. The password WNcry@2ol7 is not used to encrypt files. It is only used by the malware to decrypt some of its components. [endgame]

Encrypted files use the extension .wncry. To decrypt the files, the user is asked to pay $300, which will increase to $600 after a few days. The ransomware threatens to delete all files after a week.

In addition to encrypting files, the malware also installs a DOUBLEPULSAR back door. The backdoor could be used to compromise the system further. The malware will also install Tor to facilitate communication with the ransomware author.

New variants have been reported over the weekend with slight changes to the kill switch domain and registry keys.

We expect to reduce the Infocon back to green on Monday.

What Can You do to prevent Infection?

  • Apply MS17-010 to Windows Vista and later (Windows Server 2008 and later)
  • Apply Friday's patch to Windows XP or Windows Server 2003.
  • Verify correct patch application
  • Make sure the kill switch domain and website are reachable from your network without a proxy. If not, set up an internal DNS sinkhole and redirect to an internal website. Do not block access to the website.
  • Deploy the registry key inoculation [tearst0pper]
  • Disable SMBv1 [msftsmbv1]
  • Make sure systems are running up to date anti-malware

Indicators of Compromise:

PowerPoint for Presentations to Management

Friday SANS Webcast with technical details












Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute

Categories: Security
