Go Back > News > RSS Newsfeeds > Categories

User login

Frontpage Sponsor


For ERP LN feature pack upgrade, what method of install are you using?
Installation Wizard into existing VRC
Installation Wizard into new VRC
Manual into existing VRC
Manual into new VRC
Total votes: 31

Baanboard at LinkedIn

Reference Content


Ongoing Ykcol (Locky) campaign, (Wed, Sep 20th)

SANS Internet Storm Center - September 20, 2017 - 8:12pm
Today I noticed a high amount of e-mails on my honeypots with similar subject, body and attachment. It caught my attention . After inspecting the attachments and doing some analysis, it was not difficult to realize that those supposed “Status Invoice” messages were, indeed, part of an ongoing campaign pushing a Locky ransomware variant that is being called Ykcol (or Locky in reverse) due to the encrypted file extension (“.ykcol”).
Categories: Security

New tool:, (Tue, Sep 19th)

SANS Internet Storm Center - September 19, 2017 - 6:36pm
On a recent forensic investigation where we couldn't take the Linux system down to image the disks, I was forced to do live response. Fortunately, I was able to get a memory image, but I also wanted a filesystem timeline. I first went to my old friend fls from The SleuthKit (TSK), but for some reason, it failed. So, I tried mac-robber (also from TSK) and it, too, failed. Not one to give up easily, I decided to write my own version of mac-robber in Python. Like the TSK mac-robber, it outputs the data in body file format (so that it can be fed into mactime or elasticsearch). Like the TSK version, by default, it does not hash the files (so it doesn't modify access times), so the "MD5" column defaults to 0. In this case, though, I had reason to believe that there might be multiple copies of some potential malware scattered around the filesystem, so I really wanted to grab hashes, too. So I included the capability in the tool (in my next diary, I'll explain the trick I used to grab hashes without modifying access times). A couple of other notes on the tool. It only hashes "regular" files, it doesn't attempt to hash soft-links, block or character device files, pipes, or sockets. It also skips /proc/kcore which to os.stat() looks like a regular file, but on my dev box is 128TB (a little more than I want to hash). At the moment, it uses MD5 as the hash because that is what fls uses, but I could easily be talked into substituting SHA256 (or SHA3 of whatever length, though in Python < 3.6 this requires pip-installing the pysha3 module). Also, due to a limitation in Python's os.stat(), it only give MAC times, not B time (even if available in the filesystem in question). The tool should work just fine on Linux/Unix, Mac OS X, or Windows with a standard install of Python 2.7 or later though it has not been extensively tested on anything other that Linux to date. Another feature that I added to mine was the ability to add or remove prefixes to the path and to exclude specific directories of files. The -m switch behaves just like the corresponding switch in fls and allows you to prefix the path with a system name or drive letter. The -r switch allows you to remove a prefix (for example, when the directory in question has been mounted on /mnt, but you want your report to show the actual path on the system in question). The -x option actually needs more work, at present, it isn't as flexible as I'd like, but if you want to skip a specific directory or file you can.
Categories: Security

CCleaner 5.33 compromised -, (Mon, Sep 18th)

SANS Internet Storm Center - September 18, 2017 - 11:46am
The version 5.33 of CCleaner[1] has been reported as compromised (only the 32bits version) and delivers a malware during the installation. If you installed CCleaner between Augustus 15th and September 12th, you better have to search for potentially infected systems. Here is the list of DGA domains that could help to track the infected hosts:
Categories: Security

Getting some intelligence from malspam, (Mon, Sep 18th)

SANS Internet Storm Center - September 18, 2017 - 7:05am
Many of us are receiving a lot of malspam every day. By "malspam", I mean spam messages that contain a malicious document. This is one of the classic infection vectors today and aggressive campaigns are started every week. Usually, most of them are blocked by modern antivirus or anti-spam but these files could help us to get some intelligence about the topic used by attackers to fool their victims. By checking the names of malicious files (often .rar, .gip or .7r archives), we found classic words like ‘invoice’, ‘reminder’, ‘urgent’, etc… From an attacker perspective, choosing the right name can increase the chances that the target will open the file by business needs or just…curiosity!
Categories: Security

rockNSM as a Incident Response Package, (Sun, Sep 17th)

SANS Internet Storm Center - September 17, 2017 - 1:54am
Are you looking for a lightweight system to be part of your Incident Response kit? This is probably the package for you. It contains all the basic elements needed to capture data on the fly with Suricata, Bro, Logstash, Kibana, Elasticsearch and Kafka needed to conduct an investigation. Two options exist to get going to build your system, you can use the ISO built on CentOS 7.3 or built your own, and obviously I recommend using the ISO; make sure you check the hardware requirement before starting. "The system you run this on should have at least 2 network interfaces and more than 8GB of RAM, with an OS (RHEL or CentOS 7) already installed."[2] The current version is 2.0.5 and I recommend reading the release notes.
Categories: Security

Another webshell, another backdoor&#x21;, (Thu, Sep 14th)

SANS Internet Storm Center - September 14, 2017 - 7:26am
I’m still busy to follow how webshells are evolving… I recently found another backdoor in another webshell called “”. The best place to find webshells remind[1]. When I’m testing a webshell, I copy it in a VM located on a "wild Internet" VLAN in my home lab with, amongst other controls, full packet capture enabled. This way, I can spot immediately is the VM is trying to “phone home” to some external hosts. This was the case this time!
Categories: Security

No IPv6&#x3f; Challenge Accepted&#x21; (Part 1), (Wed, Sep 13th)

SANS Internet Storm Center - September 13, 2017 - 3:18pm
I recently had an internal penetration test with a client.  During the initial discussions, where the client set the scope and so on, I asked if they had any IPv6 in their environment (mainly because I'm hoping that someday, someone will say yes).  Their answer was an emphatic "no".  My answer to that was "Challenge Accepted?", and they ruled IPv6 in scope with a "knock yourself out, there's nothing there".
Categories: Security

All times are GMT +2. The time now is 05:13.

©2001-2017 - -