INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
X-Wiki Search Vulnerability exploit attempts (CVE-2024-3721)
Published: 2025-03-25
Last Updated: 2025-03-25 15:07:14 UTC
by Johannes Ullrich (Version: 1)
Creating a secure Wiki is hard. The purpose of a wiki is to allow "random" users to edit web pages. A good Wiki provides users with great flexibility, but with great flexibility comes an even "greater" attack surface. File uploads and markup (or markdown) handling are both well-known sources of security issues that have affected various Wikis in the past.
Today's vulnerability is a bit different, and less a typical "Wiki" vulnerability. CVE-2024-3721 was patched April 13th last year. It addresses an interesting OS command injection vulnerability that is exploited via the XWiki search feature. A user usually does not need to log in to use the search. In some ways, this is one of the "less dangerous" features for a Wiki.
The exploit we are seeing now is pretty much identical to the PoC published back in April ...
Some new Data Feeds, and a little "incident"
Published: 2025-03-20
Last Updated: 2025-03-20 17:58:57 UTC
by Johannes Ullrich (Version: 1)
Our API (https://isc.sans.edu/api) continues to be quite popular. One query we see a lot is lookups for individual IP addresses. Running many queries as you go through a log may cause you to get locked out by our rate limit. To help with that, we now offer additional "summary feeds" that include all data recently received. You may download these feeds and import them into your database of choice (or grep the text file for records). This will make bulk lookups a lot easier and faster.
For more details and continuing updates, see https://isc.sans.edu/feeds_doc.html
I will gladly add more feeds as needed. Please let me know via our contact page if you run into errors.
We do often get requests for commercial use of our data. Our data is published under a "Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International" license. You may use the data if you attribute it to us and do not resell it. We are okay with you using the data in a SOC at a commercial enterprise to help you defend your organization.
If you find it helpful: Let us know. Tell us what works and does not work. The simplest way to help us out is to run one of our honeypots and tell us what works or doesn't work with it. Please do not ask us to remove data because you consider it a false positive. False positives are part of the game, and while we will gladly add comments to some of the data, we do not remove data as it may distort it for other research tasks.
But enough about data feeds. Today, we also had a recurrence of an attack I hadn't seen in a while. This "incident" started with some of our handlers receiving a request to update a link in an older podcast ...
Read the full entry: https://isc.sans.edu/diary/Some+new+Data+Feeds+and+a+little+incident/31786/
[Guest Diary] Leveraging CNNs and Entropy-Based Feature Selection to Identify Potential Malware Artifacts of Interest
Published: 2025-03-26
Last Updated: 2025-03-26 00:07:40 UTC
by Wee Ki Joon, SANS.edu BACS Student (Version: 1)
[This is a Guest Diary by Wee Ki Joon, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program.]
Executive Summary
This diary explores a novel methodology for classifying malware by integrating entropy-driven feature selection with a specialized Convolutional Neural Network (CNN). Motivated by the increasing obfuscation tactics used by modern malware authors, we will focus on capturing high-entropy segments within files, regions most likely to harbor malicious functionality, and feeding these distinct byte patterns into our model.
The result is a multi-class classification model capable of delivering accurate, easily accessible malware categorizations, in turn creating new opportunities for deeper threat correlation and more efficient triage.
We will also cover the following topics:
Entropy-Based Sliding Window Extraction: Rather than analyzing only the initial segment of each file, we apply a sliding window mechanism that computes entropy in overlapping chunks. This locates suspicious, high-entropy hotspots without being limited by fixed-size segments.
CNN Architecture and Training: A multi-layer convolutional neural network that ingests byte-image representations was employed. Techniques such as class weighting, batch normalization, and early stopping ensure balanced, high-fidelity learning.
Evaluation and Results: Tested against a large corpus of malicious and benign binaries, the model achieved approximately 91% overall accuracy, with notable performance in distinguishing multiple malware families. Confusion matrices also highlight pitfalls among closely related classes (e.g. droppers and downloaders) ...
Read the full entry: https://isc.sans.edu/diary/Guest+Diary+Leveraging+CNNs+and+EntropyBased+Feature+Selection+to+Identify+Potential+Malware+Artifacts+of+Interest/31790/
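The entropy-based sliding window extraction described above, as an added illustration that is not code from the guest diary or its author: it scores overlapping windows of a byte buffer by Shannon entropy, merges consecutive above-threshold windows into hotspot regions, and cuts fixed-length segments from the peak of each region as candidate classifier input. The window size, step, the 7.0 bits/byte threshold and the sample blob are all assumptions made here; the blob is constructed inline from zero padding, repetitive text, SHA-256 output standing in for a packed section, and a constant tail, and is not a real binary.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for a constant run, 8.0 for uniform)."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def entropy_profile(data: bytes, window: int = 512, step: int = 128) -> list:
    """Entropy of every overlapping window of `data`; returns [(offset, entropy), ...].

    A file no longer than one window is scored as a single window so it is not silently skipped.
    """
    if window <= 0 or step <= 0:
        raise ValueError("window and step must be positive")
    if len(data) <= window:
        return [(0, shannon_entropy(data))]
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data) - window + 1, step)]


def find_hotspots(profile, window: int, threshold: float = 7.0) -> list:
    """Merge consecutive above-threshold windows into regions.

    Each region records its start/end byte offsets, the peak entropy seen and the offset
    of the window that produced that peak (used later to cut the model input).
    """
    regions = []
    for off, ent in profile:
        if ent < threshold:
            continue
        if regions and off <= regions[-1]["end"]:  # overlaps the region being built: extend it
            cur = regions[-1]
            cur["end"] = off + window
            if ent > cur["peak"]:
                cur["peak"], cur["peak_offset"] = ent, off
        else:
            regions.append({"start": off, "end": off + window, "peak": ent, "peak_offset": off})
    return regions


def extract_segments(data: bytes, hotspots, window: int, top_k: int = 3) -> list:
    """Return the top_k highest-entropy windows as fixed-length byte strings (classifier input)."""
    ranked = sorted(hotspots, key=lambda r: (-r["peak"], r["start"]))[:top_k]
    return [data[r["peak_offset"]:r["peak_offset"] + window].ljust(window, b"\x00") for r in ranked]


# Constructed sample "binary" (assumption, not a real file): zero header, repetitive text,
# a pseudo-random block of chained SHA-256 digests standing in for a packed section, 0xCC tail.
ZERO_LEN, TEXT_LEN, PACKED_LEN, TAIL_LEN = 2048, 2048, 2048, 1024


def build_sample_blob() -> bytes:
    zeros = b"\x00" * ZERO_LEN
    text = (b"This program cannot be run in DOS mode.\r\n" * 64)[:TEXT_LEN]
    packed = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                      for i in range(PACKED_LEN // 32))
    tail = b"\xcc" * TAIL_LEN
    return zeros + text + packed + tail


def main():
    blob = build_sample_blob()
    window, step = 512, 128
    profile = entropy_profile(blob, window, step)
    spots = find_hotspots(profile, window, threshold=7.0)
    for r in spots:
        print(f"hotspot 0x{r['start']:06x}-0x{r['end']:06x} peak={r['peak']:.2f} bits/byte")
    segments = extract_segments(blob, spots, window)
    print(f"{len(segments)} segment(s) of {window} bytes selected for the classifier")


if __name__ == "__main__":
    main()
```

The merge step matters in practice: with a step smaller than the window, one packed section produces many overlapping above-threshold windows, and feeding all of them to the model would weight that single region many times over. Merging them and keeping only the peak window per region gives each hotspot one vote.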