I published the following diary on isc.sans.edu: “Malicious PowerShell Compiling C# Code on the Fly“: What I like when hunting is to discover how attackers are creative to find new ways to infect their victim’s computers. I came across a Powershell sample that looked new and interesting to me. First,
During this summer, I went to SANSFire, Defcon and BSidesLV. Usually, the month of September is lighter without big events for me. This is to prepare for the next wave of conferences ahead! Of course, BruCON will be held on the first week of October but, especially, Hack.lu which remains one of my favourite
I published the following diary on isc.sans.edu: “Crypto Mining Is More Popular Than Ever!“: We already wrote some diaries about crypto miners and they remain more popular than ever. Based on my daily hunting statistics, we can see that malicious scripts performing crypto mining operations remain on top of the
I published the following diary on isc.sans.edu: “3D Printers in The Wild, What Can Go Wrong?“: Richard wrote a quick diary yesterday about an interesting information that we received from one of our readers. It’s about a huge amount of OctoPrint interfaces that are publicly facing the Internet. Octoprint is
I published the following diary on isc.sans.org: “Microsoft Publisher Files Delivering Malware“: Attackers are always searching for new ways to deliver malicious content to their victims. A few days ago, Microsoft Publisher malicious files were spotted by security researchers[1]. Publisher is a low-level desktop publishing application offered by Microsoft in
I published the following diary on isc.sans.org: “Simple Phishing Through formcrafts.com“: For a long time, moving services to the cloud has been a major trend. Many organizations jumped into the cloud because it’s much easier and cost less money (in terms of maintenance, licence, electricity, etc). If so, why should bad
I published the following diary on isc.sans.org: “Malicious DLL Loaded Through AutoIT“: Here is an interesting sample that I found while hunting. It started with the following URL: hxxp://200[.]98[.]170[.]29/uiferuisdfj/W5UsPk.php?Q8T3=OQlLg3rUFVE740gn1T3LjoPCQKxAL1i6WoY34y2o73Ap3C80lvTr9FM5 The value of the parameter (‘OQlLg3rUFVE740gn1T3LjoPCQKxAL1i6WoY34y2o73Ap3C80lvTr9FM5’) is used as the key to decode the first stage. If you don’t specify it,
I’m proud to have been selected to give a training at DeepSec (Vienna, Austria) in November: “Hunting with OSSEC“. This training is intended for Blue Team members and system/security engineers who would like to take advantage of the OSSEC integration capabilities with other tools and increase the visibility of their infrastructure behaviour.
A very quick post about a new thread which has been started yesterday on the OSS-Security mailing list. It’s about a vulnerability affecting almost ALL SSH server version. Quoted from the initial message; It affects all operating systems, all OpenSSH versions (we went back as far as OpenSSH 2.3.0, released
I published the following diary on isc.sans.org: “Truncating Payloads and Anonymizing PCAP files“: Sometimes, you may need to provide PCAP files to third-party organizations like a vendor support team to investigate a problem with your network. I was looking for a small tool to anonymize network traffic but also to
