- Do you want 30 BTC? Nothing is easier (or cheaper) in this phishing campaign...
- What is the simplest malware in the world?
- MITRE ATT&CK v11 - a small update that can help (not just) with detection engineering
- How is Ukrainian internet holding up during the Russian invasion?
- Over 20 thousand servers have their iLO interfaces exposed to the internet, many with outdated and vulnerable versions of FW
- Phishing e-mail with...an advertisement?
- Do you want your Agent Tesla in the 300 MB or 8 kB package?
- PowerPoint attachments, Agent Tesla and code reuse in malware
- Phishing page hiding itself using dynamically adjusted IP-based allow list
- TLS 1.3 and SSL - the current state of affairs
- Phishing 101: why depend on one suspicious message subject when you can use many?
- There may be (many) more SPF records than we might expect
- ProxyShell - how many Exchange servers are affected and where are they?
- A sextortion e-mail from...IT support?!
- One way to fail at malspam - give recipients the wrong password for an encrypted attachment
- Phishing asking recipients not to report abuse
- Architecture, compilers and black magic, or "what else affects the ability of AVs to detect malicious files"
- All your Base are...nearly equal when it comes to AV evasion, but 64-bit executables are not
- Number of industrial control systems on the internet is lower then in 2020...but still far from zero
- Hunting phishing websites with favicon hashes
- Malspam with Lokibot vs. Outlook and RFCs
- Old TLS versions - gone, but not forgotten... well, not really "gone" either
- 50 years of malware? Not really. 50 years of computer worms? That's a different story...
- Qakbot in a response to Full Disclosure post
- Agent Tesla hidden in a historical anti-malware tool
- TriOp - tool for gathering (not just) security-related data from Shodan.io (tool drop)
- From a small BAT file to Mass Logger infostealer
- TLS 1.3 is now supported by about 1 in every 5 HTTPS servers
- Want to know what's in a folder you don't have a permission to access? Try asking your AV solution...
- A slightly optimistic tale of how patching went for CVE-2019-19781
- Heartbleed, BlueKeep and other vulnerabilities that didn't disappear just because we don't talk about them anymore
- SMBGhost - the critical vulnerability many seem to have forgotten to patch
- BazarLoader phishing lures: plan a Halloween party, get a bonus and be fired in the same afternoon
- Phishing kits as far as the eye can see
- Slightly broken overlay phishing
- A blast from the past - XXEncoded VB6.0 Trojan
- Security.txt - one small file for an admin, one giant help to a security researcher
- Definition of 'overkill' - using 130 MB executable to hide 24 kB malware
- What pages do bad bots look for?
- Couple of interesting Covid-19 related stats
- Using Shell Links as zero-touch downloaders and to initiate network connections
- VMware security advisory VMSA-2020-0015
- Broken phishing accidentally exploiting Outlook zero-day
- Frankenstein's phishing using Google Cloud Storage
- Agent Tesla delivered by the same phishing campaign for over a year
- Look at the same phishing campaign 3 months apart
- Crashing explorer.exe with(out) a click
- Desktop.ini as a post-exploitation tool
- Secure vs. cleartext protocols - couple of interesting stats
- Quick look at a couple of current online scam campaigns
- Discovering contents of folders in Windows without permissions
- Current PayPal phishing campaign or "give me all your personal information"
- Analysis of a triple-encrypted AZORult downloader
- Picks of 2019 malware - the large, the small and the one full of null bytes
- Internet banking sites and their use of TLS... and SSLv3... and SSLv2?!
- Phishing with a self-contained credentials-stealing webpage
- E-mail from Agent Tesla
- Analysis of a strangely poetic malware
- Lessons learned from playing a willing phish
- Did the recent malicious BlueKeep campaign have any positive impact when it comes to patching?
- EML attachments in O365 - a recipe for phishing
- Phishing e-mail spoofing SPF-enabled domain
Threat Level: green
Handler on Duty: Didier Stevens
SANS ISC: ISC Handlers - SANS Internet Storm Center ISC Handlers
https://www.sans.edu
Questions? Feedback?
Use our contact form or
report bugs here
For interactive help and to chat with other users, try our Slack group.
Use our contact form or
report bugs here
For interactive help and to chat with other users, try our Slack group.
