Phishing website using imgur images as background

Another day, another phish. This day it concerns a phishing e-mail for a Belgian bank. The phishing e-mail looked like this The link is only viewable if you enable HTML content in the e-mail client.

The link points to the URL shortening service Bitly and then follows a couple of redirects (including another URL shortening service)., via HTTPS, received 301 Moved Permanently;, via HTTP, received 302 FOUND; A PHP pageRead more.

MISP-Dashboard, real-time visualization of MISP events

You are running a MISP instance and you want to visualize the MISP events in real-time?

MISP-Dashboard can do that! An example :

Vimeo video :

In this post I will walk you through how to setup MISP-Dashboard, based on the event data made available via

MISP-Dashboard is a new repository showing live data and statistics from the MISP ZMQ. It means you need to have MISP-ZMQ configured.

The MISP ZeroMQ pluginRead more.

What I learned by attending FOR610: Reverse-Engineering Malware / part 1

I attended SANS FOR610: Reverse-Engineering Malware instructed by Jess Garcia in Copenhagen (Sep-17). I’m now studying for certification and using captured malware samples for doing exercises. In this post I go through

Using public (OSINT) information; Behavioural analysis with sandboxes (via a public malware sandbox); Malicious Office documents.

Note that the purpose of the exercise is not to understand in detail every line of code in the malware. The analysis is done from an incidentRead more.

Raise the Red Flag: Guidelines for Consuming and Verifying Indicators of Compromise

I published an article on IBM Security Intelligence on Raise the Red Flag: Guidelines for Consuming and Verifying Indicators of Compromise.

The articles covers how you can consume indicators of compromise (IOC) received via manual sharing. Although automatic sharing is preferred not all organisations have the resources to setup automatic sharing. Manual sharing is then a good fallback compared to not sharing at all.

The steps include source and content verification, context verification, sharing properties,Read more.

Dragonfly v2 : Mindmap on energy sector targeted by sophisticated attack group

Mid 2014 Symantec released a report on a threat actor Dragonfly targeting energy companies. Early September 2017 Symantec released an updated report on Dragonfly v2 where they describe that the threat actor shifted their attention from merely observing the environment to having remote access to the environment of energy providers.

This shift could indicate that the threat actor has a changed objective, from monitoring to actually intervening and potentially conducting sabotage.

I created two mindmapsRead more.

Monitor your public assets via Shodan

Shodan is a powerful tool for doing passive reconnaissance. It’s also a great source of information that you can put to good use to monitor your publicly available assets. Shodan acts as a search engine (also see: : What is, whatever that is connected to the internet will get indexed by their crawlers.

I wrote a script that takes one parameter (ideally a string) and

Fetches the information that is available at Shodan forRead more.

NotPetya / ExPetr information

I updated my page on WannaCry with information on the latest NotPetya ransomware attack :


Both Dragos and ESET released two reports on the analysis of malware attacking power grids.

According to Dragos the adversary group labeled as ELECTRUM is responsible for the cyber attack on the Ukraine electric grid in 2016.

I created a mindmap based on the info in the Dragos document. It’s available on

WannaCry / Wcry / WannaCrypt help / advice

I compiled a list of -hopefully- useful tips and help for dealing with the WannaCry ransomware. I try to keep the page updated as soon as new information is available.

See Feedback is welcome!

What could have limited the impact of the WannaCry / Wcry / WannaCrypt ransomware?

A major wave of ransomware called WannaCry / Wcry / WannaCrypt has hit many organizations around the world, causing panic among many users, system administrators and security professionals. The details of the ransomware have been covered in detail at other posts

Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware Player 3 Has Entered the Game: Say Hello to ‘WannaCry’ Massive outbreak of ransomware variant infects large amounts of computers aroundRead more.