A quick look at sextortion at scale: 1,900 messages and 205 Bitcoin addresses spanning four years, (Tue, Sep 2nd)
What can almost 2,000 sextortion messages tell us about how threat actors operate and whether they...
Read More
Category: SANS ISC Bulletins
Wireshark 4.4.9 Released, (Sun, Aug 31st)
Wireshark release 4.4.9 fixes 5 bugs. Didier Stevens Senior handler blog.DidierStevens.com (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States...
Read More
pdf-parser: All Streams, (Sun, Aug 31st)
A user reported a bug in pdf-parser: when dumping all filtered streams, an error would occur: The...
Read More
Increasing Searches for ZIP Files, (Thu, Aug 28th)
I noticed recently that we have more and more requests for ZIP files in our web honeypot logs....
Read More
Interesting Technique to Launch a Shellcode, (Wed, Aug 27th)
In most attack scenarios, attackers have to perform a crucial operation: to load a shellcode in...
Read MoreGetting a Better Handle on International Domain Names and Punycode, (Tue, Aug 26th)
International domain names (IDN) continue to be an interesting topic. For the most part, they are probably less of an issue than some people make them out to be, given that popular browsers like Google Chrome are pretty...
Read More
Reading Location Position Value in Microsoft Word Documents, (Mon, Aug 25th)
While studying for the GX-FE [1], I started exploring the “Position” value in the...
Read MoreThe end of an era: Properly formated IP addresses in all of our data., (Sun, Aug 24th)
The Internet Storm Center and DShield websites are about 25 years old. Back in the day, I made some questionable decisions that I have never quite cleaned up later. One of these decisions was to use a “15 character...
Read MoreDon’t Forget The “-n” Command Line Switch, (Thu, Aug 21st)
A lot of people like the command line, the CLI, the shell (name it as you want) because it provides a lot of powerful tools to perform investigations. The best example is probably parsing logs! Even if we have SIEM to ingest and...
Read MoreAirtell Router Scans, and Mislabeled usernames, (Wed, Aug 20th)
Looking at new usernames collected by our Cowrie honeypots, you will first of all notice a number of HTTP headers. It is very common for attackers to scan for web servers on ports that are covered by our Telnet honeypots. The...
Read More
Increased Elasticsearch Recognizance Scans, (Tue, Aug 19th)
I noticed an increase in scans that appear to try to identify Elasticsearch instances....
Read MoreKeeping an Eye on MFA-Bombing Attacks, (Mon, Aug 18th)
I recently woke up (as one does each day, hopefully) and saw a few Microsoft MFA prompts had pinged me overnight. Since I had just awakened, I just deleted them, then two minutes later clued in – this means that one of my...
Read More
- 1
- ...
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
- 153
- 154
- 155
- 156
- 157
- 158
- 159
- 160
- 161
- 162
- 163
- 164
- 165
- 166
- 167
- 168
- 169
- 170
- 171
- 172
- 173
- 174
- 175
- 176
- 177
- 178
- 179
- 180
- 181
- 182
- 183
- 184
- 185
- 186
- ...
- 187