Another day, another supposedly large scale malware attack. This time it’s called BadRabbit.
2017-10-25 : Detection methods (Windows events) 2017-10-25 : YARA rules 2017-10-25 : Removed spreading via Eternalblue 2017-10-25 : Removed Petya link
Based on the information from ESET the malware targets
transportation organizations governmental organizations media outlets Russia fewer attacks in Ukraine, Turkey and Germany
The malware is delivered via a fake Adobe Flash update (drive-by attack)
hxxp://1dnscontrol.com/flash_install.php (block this URL) hxxp://1dnscontrol.com/install_flash_player.exe (block … Read more.
KRACKs (Key Reinstallation AttaCKs) is a number of vulnerabilities in WPA2, related to key handshakes between a client and an access point.
An attacker can trick a victim into reinstalling an already-in-use key. This key (the 3rd message in a 4-way handshake) is resent multiple times by the attacker and each time installed by the client, resetting the nonce. By forcing nonce reuse in this manner, the same encryption key is used with nonce values … Read more.
I recently bought a Philips Hue light system. It allows you to control your lights via a smartphone app and set the right colour mood. Setup is easy, you connect a light bridge to your home router, connect with the app and then setup the lights. The system also includes an API to build your own apps.
In 2015 I tweeted on an episode of CSI Cyber where “good” code automagically turned green whereas “bad” … Read more.
I published an article on IBM Security Intelligence on Using a Free Online Malware Analysis Sandbox to Dig Into Malicious Code.
The article is a follow-up on an earlier post from 2015 (Comparing Free Online Malware Analysis Sandboxes) where I compare the features of different free online malware sandbox solutions, how you can extract indicators of compromise and how you should integrate them within your incident management workflow. The free malware sandbox solutions reviewed are … Read more.
Shodan is a powerful tool for doing passive reconnaissance. It’s also a great source of information that you can put to good use to monitor your publicly available assets. Shodan acts as a search engine (also see: : What is Shodan.io?), whatever that is connected to the internet will get indexed by their crawlers.
I wrote a script that takes one parameter (ideally a string) and
Fetches the information that is available at Shodan for … Read more.
Somebody at $work asked me to give some more insight on Shodan, what it is and how you can put it to good use. I shared the presentation on Slideshare.
What is shodan from Koen Van Impe
Centralized logging is essential during incident response. If you can only rely on local logs then you risk losing crucial information when reconstructing the timeline of a security incident. Local logs should not be trusted during an incident as they might have been altered by an intruder. Additionally centralized logging allows you to combine different log sources into one data set for investigation.
I used a couple of centralized log solutions in the past, including … Read more.
I updated my page on WannaCry with information on the latest NotPetya ransomware attack : https://www.wannacry.be.
Kerberos is an authentication protocol that works on the basis of tickets that allows clients to connect to services over an insecure network and still allow clients to prove their identity in a secure manner.
The steps described below are a compilation of what I found when reading on Kerberos. Feel free to share your comments!
These are the steps necessary for a client to obtain an authenticated and verified request to a service (for … Read more.
A major wave of ransomware called WannaCry / Wcry / WannaCrypt has hit many organizations around the world, causing panic among many users, system administrators and security professionals. The details of the ransomware have been covered in detail at other posts
Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware Player 3 Has Entered the Game: Say Hello to ‘WannaCry’ Massive outbreak of ransomware variant infects large amounts of computers around … Read more.