INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Scanning and abusing the QUIC protocol
Published: 2024-03-06
Last Updated: 2024-03-06 09:43:39 UTC
by Bojan Zdrnja (Version: 1)
The QUIC protocol has slowly (pun intended) crawled into our browsers and many other protocols. Last week, at BSides Zagreb I presented some research I did about applications using (and abusing) this protocol, so it made sense to put this into one diary.
While QUIC has been around for some time, the official RFC 9000 that defines QUIC v1 was only released in 2021. Of course, our browsers (namely Chrome, as Google was the main force behind QUIC) started supporting and using QUIC a long time ago: Chrome added support for QUIC back in 2012, while Mozilla Firefox waited until 2021. Today, all browsers not only support QUIC but also use it – A LOT!
For example, if you take a look at your network traffic today to Google, YouTube, Facebook and similar web sites, you will see that it consists almost exclusively of HTTP/3, which runs over QUIC. Just open Developer Tools, go to the Network tab, right-click the column headers, add the Protocol column and you will see something like this ...
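The Protocol column in Developer Tools shows which connections use HTTP/3 from the browser's side. For the same visibility on the wire, the following is an added example (not code from the diary or from the BSides Zagreb research) that recognises QUIC long-header packets in UDP payloads using the header layout from RFC 9000: header form and fixed bits, version, and the two connection IDs. The sample datagrams are constructed by hand; the v2 version constant comes from RFC 9369 and is listed only so it can be named.

```python
"""Classify UDP payloads as QUIC long-header packets (RFC 9000, section 17.2).

Added example, not code from the ISC diary or the research it describes.
The sample datagrams below are constructed by hand for illustration.
"""
from collections import Counter
import struct

QUIC_V1 = 0x00000001          # RFC 9000
QUIC_V2 = 0x6B3343CF          # RFC 9369 (assumption: included only so it can be named)
LONG_PACKET_TYPES_V1 = {0: "Initial", 1: "0-RTT", 2: "Handshake", 3: "Retry"}
MAX_CID_LEN_V1 = 20           # RFC 9000 17.2: connection IDs in v1 are at most 20 bytes


def is_grease_version(version: int) -> bool:
    """RFC 9000 section 15 reserves versions matching 0x?a?a?a?a to exercise version negotiation."""
    return (version & 0x0F0F0F0F) == 0x0A0A0A0A


def parse_quic_long_header(payload: bytes):
    """Return a dict describing a QUIC long-header packet, or None if the payload is not one.

    Short-header (1-RTT) packets carry no version or length fields on the wire and cannot be
    identified without connection state, so they are reported as None as well.
    """
    if len(payload) < 7 or payload[0] & 0x80 == 0:
        return None                      # header form bit clear: short header or not QUIC
    first = payload[0]
    version = struct.unpack("!I", payload[1:5])[0]
    dcid_len = payload[5]
    if len(payload) < 7 + dcid_len:
        return None
    dcid = payload[6:6 + dcid_len]
    scid_len = payload[6 + dcid_len]
    scid_off = 7 + dcid_len
    if len(payload) < scid_off + scid_len:
        return None
    scid = payload[scid_off:scid_off + scid_len]

    if version == 0:
        # Version Negotiation: the server lists the versions it supports after the connection IDs.
        supported = payload[scid_off + scid_len:]
        offered = [struct.unpack("!I", supported[i:i + 4])[0]
                   for i in range(0, len(supported) - len(supported) % 4, 4)]
        return {"kind": "VersionNegotiation", "version": 0, "dcid": dcid, "scid": scid,
                "offered_versions": offered}
    if version == QUIC_V1:
        if first & 0x40 == 0 or dcid_len > MAX_CID_LEN_V1 or scid_len > MAX_CID_LEN_V1:
            return None                  # v1 requires the fixed bit and bounded connection IDs
        kind = LONG_PACKET_TYPES_V1[(first >> 4) & 0x03]
    elif is_grease_version(version):
        kind = "GreaseVersion"
    else:
        kind = "UnknownVersion"
    return {"kind": kind, "version": version, "dcid": dcid, "scid": scid}


def summarize(datagrams) -> dict:
    """Count packet kinds over a list of UDP payloads; anything not a long header goes under 'other'."""
    counts = Counter()
    for payload in datagrams:
        info = parse_quic_long_header(payload)
        counts[info["kind"] if info else "other"] += 1
    return dict(counts)


# Constructed sample datagrams (payload bytes only, as they would follow the UDP header).
DCID = bytes.fromhex("0102030405060708")
SCID = bytes.fromhex("a1b2c3d4")
# Client Initial, v1: 0xC0 = long header, fixed bit, type 0 (real Initials are padded to >= 1200 bytes).
INITIAL_V1 = b"\xc0" + b"\x00\x00\x00\x01" + b"\x08" + DCID + b"\x00" + b"\x00" + bytes(32)
# Handshake, v1: 0xE0 selects long packet type 2.
HANDSHAKE_V1 = b"\xe0" + b"\x00\x00\x00\x01" + b"\x08" + DCID + b"\x04" + SCID + bytes(16)
# Version Negotiation from a server: version 0, then the versions it supports (v1 and v2).
VERSION_NEG = (b"\x80" + b"\x00\x00\x00\x00" + b"\x08" + DCID + b"\x04" + SCID
               + b"\x00\x00\x00\x01" + b"\x6b\x33\x43\xcf")
# Initial sent with a reserved "grease" version to force version negotiation.
GREASE_INITIAL = b"\xc0" + b"\x1a\x2a\x3a\x4a" + b"\x08" + DCID + b"\x00" + bytes(8)
# 1-RTT short-header packet: header form bit is 0, so there is no version field to inspect.
SHORT_HEADER = b"\x40" + DCID + bytes(20)
# A plain DNS query over UDP, to show that a non-QUIC payload is rejected.
DNS_QUERY = bytes.fromhex("1234010000010000000000000377777706676f6f676c6503636f6d0000010001")

SAMPLE_DATAGRAMS = [INITIAL_V1, HANDSHAKE_V1, VERSION_NEG, GREASE_INITIAL, SHORT_HEADER, DNS_QUERY]

if __name__ == "__main__":
    for packet in SAMPLE_DATAGRAMS:
        print(parse_quic_long_header(packet))
    print(summarize(SAMPLE_DATAGRAMS))
```

Only the unencrypted long-header packets (Initial, Handshake, Version Negotiation) can be classified this way; once the handshake completes, 1-RTT packets use the short header and look like opaque UDP to a passive observer, which is why QUIC traffic is often visible only as a spike of Initial packets towards UDP/443 followed by a flow with no parseable structure.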
Read the full entry: https://isc.sans.edu/diary/Scanning+and+abusing+the+QUIC+protocol/30720/
Apple Releases iOS/iPadOS Updates with Zero Day Fixes.
Published: 2024-03-05
Last Updated: 2024-03-05 19:28:28 UTC
by Johannes Ullrich (Version: 1)
Apple today released iOS 17.4 as well as iOS 16.7.6 (and the respective iPadOS versions). These updates fix a total of four vulnerabilities, two of which are already being exploited. CVE-2024-23225 is a privilege escalation issue and affects both iOS 17 and iOS 16. The second already-exploited vulnerability, CVE-2024-23296, only affects iOS 17.
We rated the exploited vulnerabilities as "important", not "critical". They appear to only allow for privilege escalation.
Read the full entry: https://isc.sans.edu/diary/Apple+Releases+iOSiPadOS+Updates+with+Zero+Day+Fixes/30716/
[Guest Diary] Dissecting DarkGate: Modular Malware Delivery and Persistence as a Service.
Published: 2024-02-29
Last Updated: 2024-02-29 01:41:25 UTC
by John Moutos, SANS BACS Student (Version: 1)
[This is a Guest Diary by John Moutos, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program.]
Intro
In the handful of malware analysis communities I participate in, it is not uncommon for new or interesting samples to be shared and to capture the attention of several members, myself included. In this case, what appeared to be a routine phishing PDF led to the delivery of a much more suspicious MSI, signed with a valid code signing certificate and with a surprisingly low signature-based detection rate on VirusTotal (at the time of analysis) due to its use of several layered stages.
Context
Modern malware using multiple layers of abstraction to avoid detection or response is not a new concept. As a result of this continuous effort, automated malware triage systems and sandboxes have become crucial in responding to new or heavily protected samples where static analysis methods have failed or heuristic checks have come back clean. Attackers are wise to this, and often use legitimate file formats outside of the PE family, or protect their final-stage payload with multiple layers, to avoid being detected through static analysis and subsequently profiled through dynamic analysis or with the aid of a sandbox / automated triage system.
Analysis
The following sample not only fit the profile described above, but also took advantage of a presumably stolen or fraudulent code signing certificate to pass reputation checks.
At a first glance, the downloaded PDF appears normal and is of fairly small size ...
Read the full entry: https://isc.sans.edu/diary/Guest+Diary+Dissecting+DarkGate+Modular+Malware+Delivery+and+Persistence+as+a+Service/30700/