[SANS ISC] An XML-Obfuscated Office Document (CVE-2021-40444), (Wed, Sep 22nd)

A Twitter follower sent me a link to an interesting maldoc on Malware Bazaar (thanks). It’s a Word document (OOXML) that exploits vulnerability CVE-2021-40444. If you follow the steps of my diary entry “Simple Analysis Of A CVE-2021-40444 .docx Document” you will not find an unusual URL. I’ll explain why in this diary entry. This […]

[SANS ISC] ISC Stormcast For Wednesday, September 22nd, 2021 https://isc.sans.edu/podcastdetail.html?id=7682, (Wed, Sep 22nd)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Source: SANS Internet Storm Center, InfoCON: green

[SANS ISC] A First Look at Apple’s iOS 15 “Private Relay” feature., (Tue, Sep 21st)

One of the notable additions to iOS 15, which was officially released yesterday, is its “Private Relay” feature [1]. Unlike a “simple” VPN, the private relay does appear to be more of a proxy service for HTTP, and it uses two hops with distinct entities to not allow one entity to become the new single-point-of-privacy-failure. […]

[SANS ISC] #OMIGOD Exploits Captured in the Wild. Researchers responsible for half of scans for related ports., (Mon, Sep 20th)

After the “OMIGOD” vulnerability details were made public, and it became obvious that exploiting vulnerable hosts would be trivial, researchers and attackers started pretty much immediately to scan for vulnerable hosts. We saw a quick rise of scans, particularly against port 1270. [1] Some of the attacks originated from research projects that apparently enumerated vulnerable hosts. Scans […]

[SANS ISC] Video: Simple Analysis Of A CVE-2021-40444 .docx Document, (Sun, Sep 19th)

I created a video for the analysis I described in my last diary entry “Simple Analysis Of A CVE-2021-40444 .docx Document”. I also cover another sample in that video, that is a bit harder to analyze (and has much lower detection rates on VT). Remark that I always make sure that you can find the […]

[SANS ISC] Simple Analysis Of A CVE-2021-40444 .docx Document, (Sat, Sep 18th)

Analysing a malicious Word document like prod.docx that exploits CVE-2021-40444 is not difficult. We need to find the malicious URL in this document. As I’ve shown before, this is quite simple: extract all XML files from the ZIP container (.docx files are OOXML files, that’s a ZIP container with (mostly) XML files) and use a […]

[SANS ISC] Malicious Calendar Subscriptions Are Back?, (Fri, Sep 17th)

Did this threat really disappear? This isn’t a brand new technique to deliver malicious content to mobile devices but it seems that attackers started new waves of spam campaigns based on malicious calendar subscriptions. Being a dad, you can imagine that I always performed security awareness with my daughters. Since they use computers and the Internet, my message […]
