Hack.lu 2023 Wrap-Up
Xavier Mertens Blog
by Xavier
5M ago
[Edit: Sorry for the “bullet-point” style, it was a lot of details to compile in this blog post] We were back at the Alvisse Parc Hotel after a break of four years! In 2022, only a light CTI summit was organized (see my wrap-up), but this year, hack.lu was back with a new format: two days dedicated to CTI and two other days dedicated to normal talks around security. The proposed format for the talks was a 30-minute slot per speaker. This means more presentations but also a strong flow of information to collect. Here is a quick wrap-up of the four days. The very first speaker was Ange Albertini…
[SANS ISC] macOS: Who’s Behind This Network Connection?
Xavier Mertens Blog
by Xavier
7M ago
Today, I published the following diary on isc.sans.edu: “macOS: Who’s Behind This Network Connection?“: When you must investigate suspicious behavior or work on an actual incident, you could be asked to determine who’s behind a network connection. From a pure network point of view, your firewall or any network security control device/app will tell you that the source of the connection is host « A », « B » or « C ». But investigating further how to discover who or which process is the source of the connection (now, at the operating system level)… [Read more]
[SANS ISC] Python Malware Using Postgresql for C2 Communications
Xavier Mertens Blog
by Xavier
7M ago
Today, I published the following diary on isc.sans.edu: “Python Malware Using Postgresql for C2 Communications“: For modern malware, having access to its C2 (Command and Control) is a crucial point. There are many ways to connect to a C2 server using tons of protocols, but today, HTTP remains very common because HTTP is allowed on most networks… I found a malicious Python script that is pretty well obfuscated. The applied technique reduces its VT score to 6/60! It’s based on a mix of Base64- and Hex-encoded data… [Read more]
[SANS ISC] More Exotic Excel Files Dropping AgentTesla
Xavier Mertens Blog
by Xavier
7M ago
Today, I published the following diary on isc.sans.edu: “More Exotic Excel Files Dropping AgentTesla”: Excel is an excellent target for attackers. The Microsoft Office suite is installed on millions of computers, and people trust these files. If we have the classic xls, xlsx, xlsm file extensions, Excel supports many others! Just check your local registry… [Read more: https://isc.sans.edu/diary/More%20Exotic%20Excel%20Files%20Dropping%20AgentTesla/30150]
[SANS ISC] Have You Ever Heard of the Fernet Encryption Algorithm?
Xavier Mertens Blog
by Xavier
7M ago
Today, I published the following diary on isc.sans.edu: “Have You Ever Heard of the Fernet Encryption Algorithm?“: In cryptography, there is a golden rule that states not to develop your own algorithm because… it will probably be weak and broken! There are strong algorithms (like AES) that do a great job, so why reinvent the wheel? However, there are projects that try to develop new algorithms. One of them is Fernet, described like this… [Read more]
[SANS ISC] Quick Malware Triage With Inotify Tools
Xavier Mertens Blog
by Xavier
7M ago
Today, I published the following diary on isc.sans.edu: “Quick Malware Triage With Inotify Tools“: When you handle a lot of malicious files, you must have a process and tools in place to speed up the analysis. It’s impossible to investigate all files, and a key point is to find interesting files that deserve more attention. In my malware analysis lab, I use a repository called my “Malware Zoo” where I put all the files. This repository is shared across different hosts (my computer, REMnux and Windows virtual machines). This helps me to keep all the “dangerous files” in a central location and avo…
[SANS ISC] From a Zalando Phishing to a RAT
Xavier Mertens Blog
by Xavier
7M ago
Today, I published the following diary on isc.sans.edu: “From a Zalando Phishing to a RAT“: Phishing remains a lucrative threat. We get daily emails from well-known brands (like DHL, PayPal, Netflix, Microsoft, Dropbox, Apple, etc.). Recently, I received a bunch of phishing emails targeting Zalando customers. Zalando is a German retailer of shoes and fashion across Europe. It was the first time I saw them used in a phishing campaign… [Read more]
[SANS ISC] Show me All Your Windows!
Xavier Mertens Blog
by Xavier
8M ago
Today, I published the following diary on isc.sans.edu: “Show me All Your Windows!“: It’s a key point for attackers to implement anti-debugging and anti-analysis techniques. Anti-debugging means the malware will try to detect if it’s being debugged (executed in a debugger or its execution is slower than expected). Anti-analysis refers to techniques to detect if the malware is detonated in a sandbox or by a malware analyst. In such cases, tools run in parallel with the malware to collect live data (packets, API calls, files, or registry activity)… [Read more]
[SANS ISC] Are Leaked Credentials Dumps Used by Attackers?
Xavier Mertens Blog
by Xavier
8M ago
Today, I published the following diary on isc.sans.edu: “Are Leaked Credentials Dumps Used by Attackers?“: Leaked credentials have been a common threat for a while. Popular services like “Have I Been Pwned” help everyone know if some emails and passwords have been leaked. This is a classic problem: one day, you create an account on a website (ex: an online shop), and later, this website is compromised. All credentials are collected and shared by the attacker. To reduce this risk, a best practice is to avoid password re-use (as well as to not use your corporate email address for n…
[SANS ISC] Do Attackers Pay More Attention to IPv6?
Xavier Mertens Blog
by Xavier
8M ago
Today, I published the following diary on isc.sans.edu: “Do Attackers Pay More Attention to IPv6?“: IPv6 has always been a hot topic! Available for years, many ISPs deployed IPv6 up to their residential customers. In Belgium, we were, for a long time, the top-one country for IPv6 deployment because all big players provided IPv6 connectivity. In today’s operating systems, IPv6 will be used first if your computer sees “RA” packets (for “router advertisement”) and can get an IPv6 address. This will be totally transparent. That’s why many people think that they don’t use IPv6, but they do… [R…