Mimikatz Defenses; LibreOffice Vulnerability; Firefox 65 And HTTPS AV Scanning
If you are not able to play the podcast using the player below, use this direct link to the audio file: https://chrt.fm/track/2748D7/https://traffic.libsyn.com/securitypodcast/6360.mp3
SANS Daily Network Security Podcast (Stormcast) for Wednesday, February 6th 2019
Mitigations against Mimikatz Style Attacks
https://isc.sans.edu/forums/diary/Mitigations+against+Mimikatz+Style+Attacks/24612/
LibreOffice Macro Vulnerability
https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html
Firefox 65 Breaks HTTPS AV Scanning
https://bugzilla.mozilla.org/show_bug.cgi?id=1523701
RDP Client Vulnerabilities
https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients/
DNS "Lookingglass"
https://isc.sans.edu/tools/dnslookup.html
Discussion
According to Cisco Talos, "Cisco Talos recently observed a malware campaign delivering a malicious Microsoft PowerPoint document using a mailing list." We also observed new malware delivered through mail communications from the sender "v.bernadskaya@ethnosafe.com" to multiple users. Our security team expects that the people affected by such malicious mail had previously registered on untrusted websites, which made them victims of such attacks. The malicious files detected had multiple names, such as "Offer for approval.doc".
The difference between the campaign we detected and the one reported by Cisco Talos is that all of these files were .doc files, not PowerPoint files; they have in common that both campaigns abuse CVE-2017-0199, but in this file the threat actor was VBA_MACRO, which is considered the main threat actor in most mail campaigns containing Microsoft files.
CVE-2017-0199, which affects most MS Office versions from 2007 to 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1 and Windows 8.1, allows remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API".
These URLs, "hxxp://216.170.120.102/metu.exe" as a GET request and "hxxp://changdeacorp.com/finet/leotuyy/fre.php" as a POST, were detected in C2 communications from infected machines, which then downloaded files such as "996E.exe" and "dio.zip".
We also noticed a PowerShell call executing multiple queries, like this value: "\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName".
There were also multiple attempts to open admin directories like this one, "C:\Users\admin\AppData\Local\Temp\", and to create multiple files such as unjl3fxo.k5p.psm1 and ajpaqbyx.i25.ps1.
Indicators of compromise:
IPs:
216.170.120.102
103.63.2.245
93.159.231.232
93.159.231.128
93.190.235.135
8.253.204.121
Hashes (SHA256):
ef2a14d2971fbd7bc068a7bfd7e943057d0a486c0270b30977d501f616449c9f
Domains/URLs:
changdeacorp.com
ddacenona.com
ezzy-corp.com
hxxp://changdeacorp.com/finet/leotuyy/fre.php
hxxp://focail.com/austin1/fre.php
hxxp://martreding.com/blue1/fre.php
hxxp://ezzy-corp.com/tall8/fre.php
hxxp://sunwest-kh.com/white6/fre.php
hxxp://216.170.120.102/metu.exe
hxxp://427.cc/
hxxp://037.cc/
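The indicators posted above can be matched mechanically against proxy and DNS logs. The script below is an added example, not code from this page or from the commenter: it refangs the posted hxxp:// URLs, flags exact host, IP and subdomain hits (subdomain matching is not applied to IP indicators), and checks file content against the posted SHA256. The log lines and their "timestamp client method url" / "timestamp client qname" layouts are constructed for illustration and are not a real proxy or DNS log format.

```python
"""IOC matcher for the indicators posted in the comment above.
Added example, not the page's or commenter's code; the indicators are copied
from the comment, the log lines and their layout are constructed."""
import hashlib
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators as posted in the comment (URLs defanged with hxxp://).
IOC_IPS = {"216.170.120.102", "103.63.2.245", "93.159.231.232",
           "93.159.231.128", "93.190.235.135", "8.253.204.121"}
IOC_SHA256 = {"ef2a14d2971fbd7bc068a7bfd7e943057d0a486c0270b30977d501f616449c9f"}
IOC_DOMAINS = {"changdeacorp.com", "ddacenona.com", "ezzy-corp.com"}
IOC_URLS = {
    "hxxp://changdeacorp.com/finet/leotuyy/fre.php", "hxxp://focail.com/austin1/fre.php",
    "hxxp://martreding.com/blue1/fre.php", "hxxp://ezzy-corp.com/tall8/fre.php",
    "hxxp://sunwest-kh.com/white6/fre.php", "hxxp://216.170.120.102/metu.exe",
    "hxxp://427.cc/", "hxxp://037.cc/",
}

def refang(url: str) -> str:
    """Undo the usual defanging (hxxp -> http, hxxps -> https, [.] -> .)."""
    return re.sub(r"^hxxp", "http", url, flags=re.I).replace("[.]", ".")

def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def build_indicators():
    """Expand the posted IOCs into a refanged URL set and a host set.
    Hosts that appear only inside the URL list (focail.com, 427.cc, ...)
    are added to the host set so a DNS lookup for them is also flagged."""
    urls = {refang(u) for u in IOC_URLS}
    hosts = {h.lower() for h in IOC_DOMAINS | IOC_IPS}
    for url in urls:
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower())
    return urls, hosts

IOC_FULL_URLS, IOC_HOSTS = build_indicators()

def host_matches(host: str) -> bool:
    """True for an exact host/IP match or a subdomain of a listed domain;
    subdomain matching is deliberately not applied to IP indicators."""
    host = host.lower().rstrip(".")
    if host in IOC_HOSTS:
        return True
    return any(host.endswith("." + d) for d in IOC_HOSTS if not _is_ip(d))

def scan_proxy(lines):
    """Return (client, reason, indicator) for each proxy line touching an IOC.
    A full-URL hit is reported in preference to a bare host hit."""
    hits = []
    for line in lines:
        try:
            _ts, client, _method, url = line.split()
        except ValueError:
            continue  # malformed line; a real scanner should count these
        if url in IOC_FULL_URLS:
            hits.append((client, "url", url))
            continue
        host = urlsplit(url).hostname or ""
        if host_matches(host):
            hits.append((client, "host", host))
    return hits

def scan_dns(lines):
    """Return (client, "dns", qname) for each query line naming an IOC host."""
    hits = []
    for line in lines:
        try:
            _ts, client, qname = line.split()
        except ValueError:
            continue
        if host_matches(qname):
            hits.append((client, "dns", qname.lower().rstrip(".")))
    return hits

def sha256_matches(data: bytes) -> bool:
    """True if the SHA256 of the given file content is on the posted hash list."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256

# Constructed sample logs (not real traffic).
SAMPLE_PROXY_LOG = [
    "2019-02-05T10:14:03Z 10.0.0.23 GET http://216.170.120.102/metu.exe",
    "2019-02-05T10:14:09Z 10.0.0.23 POST http://changdeacorp.com/finet/leotuyy/fre.php",
    "2019-02-05T10:15:44Z 10.0.0.41 GET https://isc.sans.edu/podcastdetail.html",
    "2019-02-05T10:16:02Z 10.0.0.57 GET http://cdn.ezzy-corp.com/update.bin",
    "2019-02-05T10:17:30Z 10.0.0.57 GET http://example.org/fre.php",
]
SAMPLE_DNS_LOG = [
    "2019-02-05T10:13:58Z 10.0.0.23 changdeacorp.com",
    "2019-02-05T10:13:59Z 10.0.0.23 ddacenona.com.",
    "2019-02-05T10:14:00Z 10.0.0.41 www.sans.org",
]

if __name__ == "__main__":
    for hit in scan_proxy(SAMPLE_PROXY_LOG) + scan_dns(SAMPLE_DNS_LOG):
        print("IOC hit: client=%s reason=%s indicator=%s" % hit)
```

Note that a path alone (fre.php on an unrelated host) is not treated as an indicator; only the exact posted URLs, the listed hosts and IPs, and subdomains of the listed domains are flagged, which keeps the matcher from firing on every site that happens to serve a file with the same name.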