Another day, another phish. This day it concerns a phishing e-mail for a Belgian bank. The phishing e-mail looked like this The link is only viewable if you enable HTML content in the e-mail client.
The link points to the URL shortening service Bitly and then follows a couple of redirects (including another URL shortening service).
bitly.com, via HTTPS, received 301 Moved Permanently; go2l.ink, via HTTP, received 302 FOUND; A PHP page … Read more.
You are running a MISP instance and you want to visualize the MISP events in real-time?
MISP-Dashboard can do that! An example :
Vimeo video :
In this post I will walk you through how to setup MISP-Dashboard, based on the event data made available via botvrij.eu.
MISP-Dashboard is a new repository showing live data and statistics from the MISP ZMQ. It means you need to have MISP-ZMQ configured.
The MISP ZeroMQ plugin … Read more.
I attended SANS FOR610: Reverse-Engineering Malware instructed by Jess Garcia in Copenhagen (Sep-17). I’m now studying for certification and using captured malware samples for doing exercises. In this post I go through
Using public (OSINT) information; Behavioural analysis with sandboxes (via a public malware sandbox); Malicious Office documents.
Note that the purpose of the exercise is not to understand in detail every line of code in the malware. The analysis is done from an incident … Read more.
I published an article on IBM Security Intelligence on Raise the Red Flag: Guidelines for Consuming and Verifying Indicators of Compromise.
The articles covers how you can consume indicators of compromise (IOC) received via manual sharing. Although automatic sharing is preferred not all organisations have the resources to setup automatic sharing. Manual sharing is then a good fallback compared to not sharing at all.
The steps include source and content verification, context verification, sharing properties, … Read more.
Mid 2014 Symantec released a report on a threat actor Dragonfly targeting energy companies. Early September 2017 Symantec released an updated report on Dragonfly v2 where they describe that the threat actor shifted their attention from merely observing the environment to having remote access to the environment of energy providers.
This shift could indicate that the threat actor has a changed objective, from monitoring to actually intervening and potentially conducting sabotage.
I created two mindmaps … Read more.
Shodan is a powerful tool for doing passive reconnaissance. It’s also a great source of information that you can put to good use to monitor your publicly available assets. Shodan acts as a search engine (also see: : What is Shodan.io?), whatever that is connected to the internet will get indexed by their crawlers.
I wrote a script that takes one parameter (ideally a string) and
Fetches the information that is available at Shodan for … Read more.
I updated my page on WannaCry with information on the latest NotPetya ransomware attack : https://www.wannacry.be.
Both Dragos and ESET released two reports on the analysis of malware attacking power grids.
According to Dragos the adversary group labeled as ELECTRUM is responsible for the cyber attack on the Ukraine electric grid in 2016.
I created a mindmap based on the info in the Dragos document. It’s available on https://github.com/cudeso/tools/tree/master/CRASHOVERRIDE
https://www.us-cert.gov/ncas/alerts/TA17-163A https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf https://dragos.com/blog/crashoverride/
I compiled a list of -hopefully- useful tips and help for dealing with the WannaCry ransomware. I try to keep the page updated as soon as new information is available.
See https://www.wannacry.be/. Feedback is welcome!
A major wave of ransomware called WannaCry / Wcry / WannaCrypt has hit many organizations around the world, causing panic among many users, system administrators and security professionals. The details of the ransomware have been covered in detail at other posts
Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware Player 3 Has Entered the Game: Say Hello to ‘WannaCry’ Massive outbreak of ransomware variant infects large amounts of computers around … Read more.