I published the following diary on isc.sans.org: “Surge in blackmailing?“: What’s happening with blackmails? For those who don’t know the word, it is a piece of mail sent to a victim to ask money in return for not revealing compromising information about him/her. For a few days, we noticed a peak
I published the following diary on isc.sans.org: “Administrator’s Password Bad Practice“: Just a quick reminder about some bad practices while handling Windows Administrator credentials. I’m constantly changing my hunting filters on VT. A few days ago, I started to search for files/scripts that use the Microsoft SysInternals tool psexec. For system administrators,
Hello Readers, here is my wrap-up of the second day. Usually, the second day is harder in the morning due to the social events but, at TROOPERS, they organize the hacker run started at 06:45 for the most motivated of us. Today, the topic of the 3rd track switched from
I’m back to Heidelberg (Germany) for my yearly trip to the TROOPERS conference. I really like this event and I’m glad to be able to attend it again (thanks to the crew!). So, here is my wrap-up for the first day. The conference organization remains the same with a good venue.
I published the following diary on isc.sans.org: “Payload delivery via SMB“: This weekend, while reviewing the collected data for the last days, I found an interesting way to drop a payload to the victim. This is not brand new and the attack surface is (in my humble opinion) very restricted
I published the following diary on isc.sans.org: “CRIMEB4NK IRC Bot“: Yesterday, I got my hands on the source code of an IRC bot written in Perl. Yes, IRC (“Internet Relay Chat”) is still alive! If the chat protocol is less used today to handle communications between malware and their C2 servers, it
Everybody still reminds the huge impact that Wannacry had in many companies in 2017? The ransomware exploited the vulnerability, described in MS17-010, which abuse of the SMBv1 protocol. One of the requirements to protect against this kind of attacks was to simply disable SMBv1 (besides the fact to NOT expose
I published the following diary on isc.sans.org: “Malicious Bash Script with Multiple Features“: It’s not common to find a complex malicious bash script. Usually, bash scripts are used to download a malicious executable and start it. This one has been spotted by @michalmalik who twitted about it. I had a
I published the following diary on isc.sans.org: “The Crypto Miners Fight For CPU Cycles“: I found an interesting piece of Powershell code yesterday. The purpose is to download and execute a crypto miner but the code also implements a detection mechanism to find other miners, security tools or greedy processes
I published the following diary on isc.sans.org: “Beware of the “Cloud”“: Today, when you buy a product, there are chances that it will be “connected†and use cloud services for, at least, one of its features. I’d like to tell you a bad story that I had this week. Just
