Cyber Security Blog

Sleeping VBS Really Wants To Sleep, (Sat, Dec 10th) —

Diary reader Wayne Smith shared an interesting malicious document with us. Wayne also provided us with his own analysis: this malicious document sleeps and checks the time online before it activates its payload.

First we take a look at the sample (md5 7EAB96D2BC04CA155DE035815B88EE00) with

It's a VBS file, let

Analysis of this obfuscated code reveals that it is a downloader with a particular property (for a maldoc): before downloading and executing the payload, this VBS code will sleep for 5 minutes, checking the elapsed time every minute by querying

By sleeping and checking the time online, this sample hopes to evade detection by sandboxes that do time acceleration without interfering with online time checking.
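As an added example (not code from the diary, from Wayne's analysis, or from the analyzed sample), the following Python triage helper shows one way a defender can flag the stall-and-verify-the-clock pattern described above when looking at a VBS file statically: it scores a script on whether it sleeps, loops while re-reading the clock, and talks HTTP between naps. The indicator patterns and the two embedded scripts are constructed for illustration and are assumptions, not signatures taken from the diary.

```python
import re
from dataclasses import dataclass, field

# One indicator per behaviour in the write-up: stalling with a sleep call,
# looping, reading the clock, making an HTTP request, and handing off to
# the shell.  The regexes are assumptions chosen for this example.
INDICATORS = {
    "sleep":   re.compile(r"\bWScript\.Sleep\b", re.I),
    "loop":    re.compile(r"\b(Do\s+(While|Until)|Loop|Wend)\b", re.I),
    "clock":   re.compile(r"\b(Now|Timer|DateDiff|Time)\b", re.I),
    "http":    re.compile(r'(MSXML2\.(Server)?XMLHTTP|WinHttp\.WinHttpRequest|\.Open\s+"GET")', re.I),
    "execute": re.compile(r"(WScript\.Shell|\.Run\b|\.Exec\b|ShellExecute)", re.I),
}

# Captures the millisecond argument of each Sleep call (static count only;
# a loop multiplies the real wait at runtime).
SLEEP_ARG = re.compile(r"\bWScript\.Sleep\s+(\d+)", re.I)


@dataclass
class Verdict:
    hits: list[str] = field(default_factory=list)
    sleep_ms: int = 0  # sum of literal Sleep arguments found in the text

    @property
    def stalls_online(self) -> bool:
        """True when the script sleeps inside a loop and also speaks HTTP:
        the combination the diary describes, where a sandbox that merely
        fast-forwards Sleep still loses because the clock is checked online."""
        return {"sleep", "loop", "http"} <= set(self.hits)


def triage(script: str) -> Verdict:
    """Return which indicators appear in the script text and how long it asks to sleep."""
    verdict = Verdict()
    for name, pattern in INDICATORS.items():
        if pattern.search(script):
            verdict.hits.append(name)
    verdict.sleep_ms = sum(int(ms) for ms in SLEEP_ARG.findall(script))
    return verdict


# Constructed sample: a harmless script that pauses once and prints a name.
BENIGN = '''
Set fso = CreateObject("Scripting.FileSystemObject")
WScript.Sleep 1000
WScript.Echo fso.GetTempName
'''

# Constructed sample mirroring the behaviour described above: nap a minute
# at a time inside a loop, ask a remote host for the time between naps,
# then hand off to the shell.  It downloads and runs nothing.
STALLER = '''
started = Now
Do While DateDiff("n", started, Now) < 5
    WScript.Sleep 60000
    Set req = CreateObject("MSXML2.XMLHTTP")
    req.Open "GET", "http://time.example.invalid/", False
    req.Send
Loop
Set sh = CreateObject("WScript.Shell")
'''

if __name__ == "__main__":
    for label, text in (("benign", BENIGN), ("staller", STALLER)):
        v = triage(text)
        print(f"{label}: hits={v.hits} sleep_ms={v.sleep_ms} stalls_online={v.stalls_online}")
```

A hit on `stalls_online` is a reason to look closer, not a conviction: legitimate scripts do poll remote services with a pause in between. The point of combining the three indicators is that a sandbox which only accelerates `Sleep` would still be defeated by the online clock check, so that combination deserves a longer or network-aware detonation rather than a fixed short run.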

Didier Stevens
Microsoft MVP Consumer Security

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.


Reports: CIA Says Kremlin Tried to Sway Vote Toward Trump —

Obama Orders Probe Into Alleged Russian Influence
Hours after President Obama directed intelligence agencies to investigate alleged efforts by the Russians to influence the 2016 presidential election, reports surfaced that the CIA in a secret report concluded with “high confidence” that the Kremlin tried to influence the vote in favor of Donald Trump.


Op-ed: I’m throwing in the towel on PGP, and I work in security —

(credit: Christiaan Colen)

Filippo Valsorda is an engineer on the Cloudflare Cryptography team, where he’s deploying and helping design TLS 1.3, the next revision of the protocol implementing HTTPS. He also created a Heartbleed testing site in 2014. This post originally appeared on his blog and is re-printed with his permission.

After years of wrestling with GnuPG with varying levels of enthusiasm, I came to the conclusion that it’s just not worth it, and I’m giving up—at least on the concept of long-term PGP keys. This editorial is not about the gpg tool itself, or about tools at all. Many others have already written about that. It’s about the long-term PGP key model—be it secured by Web of Trust, fingerprints or Trust on First Use—and how it failed me.

Trust me when I say that I tried. I went through all the setups. I used Enigmail. I had offline master keys on a dedicated Raspberry Pi with short-lived subkeys. I wrote custom tools to make handwritten paper backups of offline keys (which I’ll publish sooner or later). I had YubiKeys. Multiple. I spent days designing my public PGP policy.



No, there’s no evidence (yet) the feds tried to hack Georgia’s voter database —

Georgia politician Brian Kemp reads at a Holocaust remembrance ceremony in the state. (credit:

Accusations that the US Department of Homeland Security tried to hack Georgia’s voter registration database are running rampant. But until officials from that state’s Secretary of State office provide basic details, people should remain highly skeptical.

The controversy erupted after Georgia Secretary of State Brian Kemp sent and publicly released a letter addressed to DHS Secretary Jeh Johnson. In it, Kemp made a series of statements so vague in their technical detail that it’s impossible to conclude any kind of hacking or breach—at least as those terms are used by security professionals—took place.

“On November 15, 2016, an IP address associated with the Department of Homeland Security made an unsuccessful attempt to penetrate the Georgia Secretary of State’s firewall,” Kemp wrote. “I am writing you to ask whether DHS was aware of this attempt and, if so, why DHS was attempting to breach our firewall.”



Obama Orders Probe Into Election Hacks Tied to Russians —

Report to Be Issued Before President Leaves Office
The U.S. intelligence community is expected to deliver to President Obama before he leaves office on Jan. 20 a report on alleged efforts by the Russians to influence the 2016 presidential election.


Obama asks intel community to conduct “full review” of election-related hacks —

(credit: Tom Lohdan)

At an event today hosted by the Christian Science Monitor, White House terrorism and homeland security advisor Lisa Monaco announced that President Barack Obama had ordered a “full review” of the campaign of cyber-attacks against the Democratic Party, the campaign organization of Hillary Clinton, and other politicians and state election officials’ websites during the 2016 presidential campaign. Monaco said that the results of the review would be released to Congress before President Obama left office.

“The president has directed the intelligence community to conduct a full review of what happened during the 2016 election process,” Monaco said, “and to capture lessons learned from that and to report to a range of stakeholders, to include the Congress.”

The announcement comes after a call from both Republicans and Democrats on December 7. At a Heritage Foundation event on Wednesday, House Homeland Security Chairman Michael McCaul, (R-Texas) called for “consequences” for Russia’s interference in the election. “If we don’t respond and show them that there are consequences,” he said, “the bad behavior will continue… our democracy itself is being targeted.”



Mirai – now with DGA, (Fri, Dec 9th) —

Shortly after Mirai was attributed to the massive DDoS attacks on OVH and Brian Krebs, the source code for Mirai was released on GitHub. This was a double-edged sword. It gave security researchers insight into the code, but it also made it more available to those who may want to use it for nefarious purposes. Within days Mirai variants were detected. Now Chinese researchers at Network Security Research Lab are reporting that recent samples of Mirai have a domain generation algorithm (DGA) feature. The DGA is somewhat limited in that it will only generate one domain per day, so 365 domains in total are possible, and they are all in the .tech or .support TLDs.

Definitely something to have your Intrusion Detection and DNS sensors watch for.

The detailed analysis of the malware sample is a fun read… if you are into such things.

— Rick Wanner MSISE – rwanner at isc dot sans dot edu – Twitter: namedeplume (Protected)

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.


Fancy Bear ramping up infowar against Germany—and rest of West —

The bear is back. It never went away.

US intelligence agencies have been forthright in their insistence that the Russian government was behind not only the hacking of the Democratic National Committee (DNC) and other political organizations in the US, but a concerted effort to undermine confidence in the results of the US presidential election, including attacks on state election officials’ systems. But the US is not the only country that the Russian government has apparently targeted for these sorts of operations—and the methods used in the DNC hack are being applied increasingly in attempts to influence German politics, Germany’s chief of domestic intelligence warned yesterday.

In a press release issued on December 8, Germany’s Bundesamt für Verfassungsschutz (BfV)—the country’s domestic intelligence agency—warned of an ever-mounting wave of disinformation and hacking campaigns by Russia focused on increasing the strength of “extremist groups and parties” in Germany and destabilizing the German government. In addition to propaganda and disinformation campaigns launched through social media, the BfV noted an increased number of “spear phishing attacks against German political parties and parliamentary groups” using the same sort of malware used against the Democratic National Committee in the US.

The statement from the BfV came on the same day that Alex Younger, the chief of the United Kingdom’s Secret Intelligence Service (MI6) made more veiled references to disinformation and hacking campaigns. In remarks Younger delivered at Vauxhall Cross, MI6 headquarters, he warned of the mounting risks posed by “hybrid warfare.”



Bangladesh Bank Heist Probe Finds ‘Negligent’ Insiders —

But Investigators Blame Outside Hackers, Seek Compensation, Report Says
An internal investigation into the February theft of $81 million from the central bank of Bangladesh reportedly found that a handful of negligent and careless bank officials inadvertently helped facilitate the heist by outside hackers, according to a new report.


ISC Stormcast For Friday, December 9th 2016, (Fri, Dec 9th) —

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

