INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
OneNote Suricata Rules
Published: 2023-02-19
Last Updated: 2023-02-20 07:46:06 UTC
by Didier Stevens (Version: 1)
I end my diary entry “Detecting (Malicious) OneNote Files” with a set of Suricata rules to detect various OneNote files.
Let’s take a closer look at these rules.
Here is the first rule, which I split over several lines so that each option has its own line, making it easier to explain.
alert http any any -> any any (
msg:"[MS-ONESTORE] .one GUID";
flow:established,from_server;
file_data;
content:"|E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3|";
classtype:policy-violation;
reference:url,blog.didierstevens.com;
reference:url,github.com/Neo23x0/signature-base/blob/master/yara/gen_onenote_phish.yar;
sid:1000001;
rev:1;)
The rule inspects HTTP traffic and triggers an alert when the right conditions are met.
The rule looks at any origin (any any) and any destination (any any). Usually, you would want to refine such a rule, to inspect HTTP traffic with requests originating from inside your network ($HOME_NET) and destined outside your network ($EXTERNAL_NET), typically the Internet.
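To make the content: option concrete, here is an added Python example (not code from the diary or from the Suricata project) that parses the |hex| notation of the rule above into raw bytes, decodes those 16 bytes as the little-endian GUID that [MS-ONESTORE] stores at the start of a .one file, and then emulates the file_data match against a constructed HTTP response body. The parser, the sample response and the helper names are all assumptions made for this example; only the rule text itself comes from the page.

```python
import re
import uuid

# Hypothetical helper (not Suricata's own parser): extract the value of a
# content:"..." option. Inside the quotes, text between | pipes | is hex,
# text outside the pipes is matched literally.
CONTENT_RE = re.compile(r'content:"((?:[^"\\]|\\.)*)"')


def parse_content(rule_text):
    """Return the raw bytes a Suricata content: option matches."""
    m = CONTENT_RE.search(rule_text)
    if not m:
        raise ValueError("no content: option found")
    body = m.group(1)
    out = bytearray()
    # Split on unescaped pipes; odd-numbered parts are hex sections.
    for i, part in enumerate(re.split(r"(?<!\\)\|", body)):
        if i % 2 == 1:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            # Undo the escapes Suricata allows in literal text.
            for esc, raw in ((r"\|", "|"), (r"\"", '"'), (r"\;", ";"), (r"\:", ":"), (r"\\", "\\")):
                part = part.replace(esc, raw)
            out += part.encode("latin-1")
    return bytes(out)


# The rule from the diary, as one string.
ONE_RULE = (
    'alert http any any -> any any ('
    'msg:"[MS-ONESTORE] .one GUID"; flow:established,from_server; file_data; '
    'content:"|E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3|"; '
    'classtype:policy-violation; sid:1000001; rev:1;)'
)
ONE_GUID_BYTES = parse_content(ONE_RULE)


def guid_from_bytes(b):
    """Suricata matches bytes on the wire; [MS-ONESTORE] stores GUIDs in
    little-endian field order, so decode with bytes_le to get the text form."""
    return str(uuid.UUID(bytes_le=b)).upper()


def split_body(raw_response):
    """Return the HTTP body, i.e. the part Suricata's file_data buffer covers."""
    return raw_response.split(b"\r\n\r\n", 1)[1]


def find_one_guid(file_data):
    """Emulate file_data + content: return (offset of first hit, hit at offset 0).
    A genuine .one file starts with this GUID, so offset 0 is the expected case;
    a hit elsewhere still fires the rule but deserves a closer look."""
    off = file_data.find(ONE_GUID_BYTES)
    return off, off == 0


# Constructed sample: an HTTP response carrying a minimal fake .one header.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
    + ONE_GUID_BYTES
    + b"\x00" * 16
)

if __name__ == "__main__":
    print("rule bytes :", ONE_GUID_BYTES.hex(" "))
    print("GUID       :", guid_from_bytes(ONE_GUID_BYTES))
    print("match      :", find_one_guid(split_body(SAMPLE_RESPONSE)))
```

Running the script prints the 16 bytes from the rule, the GUID 7B5C52E4-D88C-4DA7-AEB1-5378D02996D3 they encode, and (0, True) for the constructed response, which is exactly the situation the rule is meant to alert on.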
Read the full entry:
https://isc.sans.edu/diary/OneNote+Suricata+Rules/29564/
HTML phishing attachment with browser-in-the-browser technique
Published: 2023-02-16
Last Updated: 2023-02-16 11:25:31 UTC
by Jan Kopriva (Version: 1)
Although the browser-in-the-browser (BitB) technique has been with us for a while now, it is far from what one might call ubiquitous. Simply put, the technique is based on displaying a simulated browser pop-up window (usually a login prompt) within the confines of an HTML page opened in a browser. The simulated pop-up may look almost indistinguishable from a real browser window and since it may contain an arbitrary URL in the simulated address bar, the use of the BitB technique for phishing can be quite effective, as most people have been repeatedly taught that they should “check the URL, and if it is the right one, the page should be genuine” during security awareness courses.
Checking the URL is undoubtedly still good advice; when it comes to BitB, however, one should probably preface it by saying that one first has to make sure that a browser window is actually a real browser window and that its address bar is actually a real address bar. One simple check is to try dragging the pop-up past the edge of the main browser window: a real pop-up can leave it, while a simulated one stays confined to the page that draws it.
Read the full entry:
https://isc.sans.edu/diary/HTML+phishing+attachment+with+browserinthebrowser+technique/29556/
Internet Wide Scan Fingerprinting Confluence Servers
Published: 2023-02-22
Last Updated: 2023-02-22 13:54:55 UTC
by Johannes Ullrich (Version: 1)
Looking over some of our honeypot logs today, I noticed one IP address, 60.223.74.99, scanning for several older Confluence vulnerabilities.
Confluence is the collaboration component of Atlassian's suite of developer tools. Attacks against developers, and the tools they are using, are on the rise in general, and this is yet another "piece to the puzzle." A quick search using NIST's NVD shows 18 vulnerabilities in Confluence.
The scans use a known PoC exploit for CVE-2021-26084, an OGNL injection vulnerability.
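As an added example (not code from the diary or from ISC), the following Python script shows how a defender can pick this kind of activity out of ordinary web server access logs: it groups requests by source address, counts distinct Confluence-looking paths per source, and flags query strings that contain OGNL expression markers after URL decoding. The log lines, the source addresses (RFC 5737 documentation ranges), the path heuristics and the function names are all constructed for this example and do not come from the honeypot data described above.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed access log lines in Apache combined format (not ISC honeypot data).
# 192.0.2.10 plays a scanner; 198.51.100.7 plays a normal visitor.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Feb/2023:10:01:02 +0000] "GET /login.action HTTP/1.1" 404 0 "-" "python-requests/2.28"
192.0.2.10 - - [22/Feb/2023:10:01:03 +0000] "GET /confluence/ HTTP/1.1" 404 0 "-" "python-requests/2.28"
192.0.2.10 - - [22/Feb/2023:10:01:04 +0000] "GET /pages/viewpage.action?pageId=%24%7B7*7%7D HTTP/1.1" 404 0 "-" "python-requests/2.28"
192.0.2.10 - - [22/Feb/2023:10:01:05 +0000] "GET /rest/api/space?limit=%2524%257B1%252B1%257D HTTP/1.1" 404 0 "-" "python-requests/2.28"
198.51.100.7 - - [22/Feb/2023:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# OGNL expression syntax: ${...}, %{...}, and @class@member static references.
OGNL_MARKERS = re.compile(r"\$\{|%\{|@[\w.]+@")
# Hypothetical path heuristics for a Confluence install (assumption for this example).
CONFLUENCE_HINTS = re.compile(r"\.action$|^/confluence(/|$)|^/rest/api/", re.I)


def parse_line(line):
    """Return the fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_target(target):
    """URL-decode twice: probes are often double-encoded to slip past filters."""
    return unquote(unquote(target))


def analyze(log_text, min_paths=3):
    """Summarise per-source behaviour and return only the sources worth a look:
    any OGNL marker, or repeated Confluence-style paths across several endpoints."""
    per_ip = defaultdict(lambda: {"paths": set(), "ognl": [], "confluence": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        target = decode_target(rec["target"])
        path = target.split("?", 1)[0]
        d = per_ip[rec["ip"]]
        d["paths"].add(path)
        if CONFLUENCE_HINTS.search(path):
            d["confluence"] += 1
        if OGNL_MARKERS.search(target):
            d["ognl"].append(target)

    findings = {}
    for ip, d in per_ip.items():
        if d["ognl"] or (d["confluence"] >= 2 and len(d["paths"]) >= min_paths):
            findings[ip] = {
                "distinct_paths": len(d["paths"]),
                "confluence_hits": d["confluence"],
                "ognl_hits": len(d["ognl"]),
                "ognl_samples": d["ognl"],
            }
    return findings


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```

On the constructed log the scanner address is the only one reported, with four distinct paths, four Confluence-style hits and two decoded OGNL probes (the second of which was double-encoded); the normal visitor produces no finding. In production the same logic is better expressed as a SIEM query, but the decode-then-match order and the per-source aggregation carry over unchanged.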
Read the full entry:
https://isc.sans.edu/diary/Internet+Wide+Scan+Fingerprinting+Confluence+Servers/29574/