INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Don’t Make it Easier than it Already is... Default Passwords [Guest Diary]
Published: 2025-06-18
Last Updated: 2025-06-18 00:53:35 UTC
by Guy Bruneau (Version: 1)
[This is a Guest Diary by Matthew Paul, an ISC intern as part of the SANS.edu BACS program]
Over the past few months, I’ve been working under a SANS Internet Storm Center (ISC) Sr. Handler as part of the SANS Degree Program ISC Internship. The first objective of the internship is setting up a forward-facing honeypot on your network to review and report on log activity.
For this internship I wanted to focus more on packet vs. log analysis. For my setup, I did a bare-metal install of the network analysis tool Malcolm to use as an NSM/IDS. I set up a 5-port managed switch and configured a monitor port for the honeypot, with the mirror sending packets to my Malcolm sensor. This setup allowed me to collect and analyze all traffic going to and from my honeypot.
Malcolm is a network capture and analysis tool smartly composed of various open-source tools: Arkime, OpenSearch, Logstash, Filebeat, OpenSearch Dashboards, Zeek, Suricata, Yara, Capa, ClamAV, CyberChef, jQuery File Upload, NetBox, PostgreSQL, Redis, Keycloak, OpenResty, nginx-auth-ldap, Fluent Bit, Mark Baggett’s (SANS Instructor) freq.py, Florian Roth’s Signature-Base Yara Rules, Bart Blaze’s Yara Rules, ReversingLabs’ Yara Rules and multiple Zeek Packages ...
Read the full entry: https://isc.sans.edu/diary/Dont+Make+it+Easier+than+it+Already+isDefault+Passwords+Guest+Diary/32054/
How Long Until the Phishing Starts? About Two Weeks
Published: 2025-06-17
Last Updated: 2025-06-17 13:15:42 UTC
by Johannes Ullrich (Version: 1)
[This is a guest diary by Christopher Crowley]
Here’s a good reason to include security awareness training for new hires!
I recently added an account to my Google Workspace domain (montance[dot]com). Friday, May 16th, 10:10 am, to be exact. Something interesting to note about the domain configuration is there’s a catchall account in place, so all email addresses are valid.
Starting May 28th the new account started receiving targeted phishing email messages. The subject was either blank or a variation of my name (Chris or Christopher), and the sender's "From" address had a call to action and urgency ...
Read the full entry: https://isc.sans.edu/diary/How+Long+Until+the+Phishing+Starts+About+Two+Weeks/32052/
A JPEG With A Payload
Published: 2025-06-16
Last Updated: 2025-06-16 08:59:44 UTC
by Didier Stevens (Version: 1)
Over the weekend, Xavier posted about another image with a payload: "More Steganography!".
Xavier did a static analysis, and I want to explain how you can decode the payload if you opted for a dynamic analysis.
During your dynamic analysis, you will notice the download of a JPEG image from hxxps://zynova[.]kesug[.]com/new_image.jpg.
You can use my tool jpegdump.py to analyze this file ...
Read the full entry: https://isc.sans.edu/diary/A+JPEG+With+A+Payload/32048/