[SANS ISC] Open redirects … and why Phishers love them, (Fri, Jun 18th)

Working from home, did you get a meeting invite recently that pointed to https://meet.google.com? Well, that’s indeed where Google’s online meeting tool is located. But potentially the URL you got is not “only” leading you there. Google Meet and Google Hangouts have a so-called open-redirect vulnerability. Phishers have found it, and are currently abusing […]

[SANS ISC] Network Forensics on Azure VMs (Part #2), (Fri, Jun 18th)

In yesterday’s diary, we took a look at two methods that allow us to capture network connection information off a potentially compromised virtual machine in Azure. Today, we’ll investigate the most recent addition to the VM monitoring arsenal, namely “Azure Monitor Insights”. “Insights” is enabled directly under the “Monitoring” menu tab of the corresponding VM. Deploying […]

[SANS ISC] Network Forensics on Azure VMs (Part #1), (Thu, Jun 17th)

The tooling to investigate a potentially malicious event on an Azure Cloud VM is still in its infancy. We have covered before (Forensicating Azure VMs) how we can create a snapshot of the OS disk of a running VM. Snapshotting and then killing off the infected VM is very straightforward, but it also tips […]

[SANS ISC] June 2021 Forensic Contest, (Wed, Jun 16th)

Introduction: This is a last-minute forensic quiz for June 2021 based on a packet capture (pcap) with Windows-based infection traffic. Like the previous two months, this month’s prize is a Raspberry Pi. Rules for the contest follow: Only one submission per person. Participants who submit the correct answers will be entered into a drawing, and […]

[SANS ISC] Multi Perimeter Device Exploit Mirai Version Hunting For Sonicwall, DLink, Cisco and more, (Tue, Jun 15th)

Vulnerable perimeter devices remain a popular target, and we do see consistent exploit attempts against them. This weekend, Guy wrote about some scans for Fortinet vulnerabilities [1], and Xavier notes that Crowdstrike observed attacks against EoL Sonicwalls [2]. Starting earlier this month, we did also observe a consistent trickle of requests looking for a relatively recent […]
