INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Apple Patches Exploited Vulnerabilities in iOS/iPadOS, macOS, watchOS and Safari
Published: 2023-06-22
Last Updated: 2023-06-22 07:12:39 UTC
by Johannes Ullrich (Version: 1)
Apple released iOS, macOS, and watchOS updates, patching three vulnerabilities already being exploited. Two vulnerabilities affect WebKit, leading to a Safari patch for older operating systems.
The two WebKit issues (CVE-2023-32439 and CVE-2023-32435) can be used to execute arbitrary code as a user visits a malicious web page. The third vulnerability, CVE-2023-32434, can be used to elevate privileges after the initial code execution...
Read the full entry: https://isc.sans.edu/diary/Apple+Patches+Exploited+Vulnerabilities+in+iOSiPadOS+macOS+watchOS+and+Safari/29972/
Kazakhstan - the world's last SSLv2 superpower... and a country with potentially vulnerable last-mile internet infrastructure
Published: 2023-06-28
Last Updated: 2023-06-28 06:32:20 UTC
by Jan Kopriva (Version: 1)
In my last Diary, we looked at internet-connected web servers, which still support SSL version 2.0. Since this cryptographic protocol was deprecated all the way back in 2011, one might not think that there would be many such devices left on the internet; nevertheless, we have shown that there still appear to be over 460,000 of them.
Last week, I was talking to Justin Searle, one of our fellow SANS instructors, about the SSLv2 situation, and Justin raised a good point about how it might be interesting to learn what the devices are and where they are located… So, I have decided to find out – I did a quick analysis with the help of Shodan, and the results turned out to be quite interesting indeed!
While web servers which support SSLv2 are located in many countries all over the world, as the following image shows, we can clearly see that there are “hot spots” where their concentration is highest.
Read the full entry: https://isc.sans.edu/diary/Kazakhstan+the+worlds+last+SSLv2+superpower+and+a+country+with+potentially+vulnerable+lastmile+internet+infrastructure/29988/
The Importance of Malware Triage
Published: 2023-06-27
Last Updated: 2023-06-27 18:49:59 UTC
by Xavier Mertens (Version: 1)
When dealing with malware analysis, you like to get "fresh meat". Just for hunting purposes or when investigating incidents in your organization, it’s essential to have a triage process to reduce the noise and focus on really interesting files. For example, if you detect a new sample of Agent Tesla, you don’t need to take time to investigate it deeply. Just extract IOCs to share with your colleagues. From a business point of view, you don’t have time to analyze all samples!
How to perform your malware triage? It will help if you have tools for this (executed from a sandbox). There are a lot of tools to achieve this. Still, another critical element is "automation": Your collected samples must feed a pipe of tools that will try to guess the malware family, extract config, … and why not archive and index everything? For this purpose, I'm using a local instance of mwdb (MalwareDB) coupled with karton. For example, I'm extracting samples from catch-all mailboxes and sending them to the triage process via the REST API's...
Read the full entry: https://isc.sans.edu/diary/The+Importance+of+Malware+Triage/29984/