2021 on Untrusted Network

SANS ISC Diary - Do you want your Agent Tesla in the 300 MB or 8 kB package?

Jan Kopriva — Fri, 31 Dec 2021 13:15:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at some of the largest and smallest malicious PE files that were caught by my malspam trap in 2021…

SANS ISC Diary - PowerPoint attachments, Agent Tesla and code reuse in malware

Jan Kopriva — Mon, 20 Dec 2021 17:00:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a malspam message with macro-enabled PowerPoint attachment that turned out to be first stage of an Agent Tesla infection chain…

SANS ISC Diary - Phishing page hiding itself using dynamically adjusted IP-based allow list

Jan Kopriva — Wed, 24 Nov 2021 12:10:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an interesting protection mechanism used on a phishing site to deny access to it to anyone but the victim who first clicked the link in a phishing mail…

TriOp update - version 1.4 (and Shodan Trends)

Jan Kopriva — Thu, 28 Oct 2021 14:00:00 +0200

I’ve published version 1.4 of TriOp today. The only change in this version is the addition of CVE-2021-31206 (vulnerability used in the ProxyShell attack) to the relevant search list.

One additional point that deserves a mention is that Shodan has recently opened access to a new service called Shodan Trends, which enables users to generate trend charts for (probably) arbitrary Shodan queries. Although these charts are based on monthly averages and are therefore not as precise as charts generated from data collected on a daily basis using TriOp, they can certainly provide one with an interesting look at long-term trends. If you therefore only require general information about trends related to one or more Shodan queries and don’t need a detailed view at how things change on a day-to-day basis, then this service might be a viable alternative to TriOp for you…

As alway, you may download the latest version of TriOp from my GitHub.

Open ports statistics for Q3 2021

Jan Kopriva — Fri, 01 Oct 2021 15:00:00 +0200

Only the last three months remain until the end of 2021, which means it’s time for a look at how the internet as a whole changed in the third quarter of the year.

As always, the data, on which the following charts are based, have been gathered using Shodan. Therefore bear in mind that although the charts should give us a good enough view of more significant changes, they may not be completely accurate (see the first post with quarterly statistics.

Should you be interested in the port situation in the Czech Republic, you may find corresponding charts here.

Bellow, you may find charts for the following protocols and ports:

Web

E-mail

SSL/TLS

Industrial Control Systems (ICS)

SSH (port 22)

Telnet (port 23)

DNS (port 53)

NTP (port 123)

SNMP (port 161)

SMB (port 445)

RDP (port 3389)

Web

HTTP (port 80)

HTTPS (port 443)

TLS 1.3 (port 443)

TLS 1.2 (port 443)

TLS 1.1 (port 443)

TLS 1.0 (port 443)

SSL 3.0 (port 443)

SSL 2.0 (port 443)

E-mail

SMTP (port 25)

SMTPS (port 465)

IMAP (port 143)

IMAPS (port 993)

POP3 (port 110)

POP3S (port 995)

SSL/TLS

TLS 1.3 (all ports)

TLS 1.2 (all ports)

TLS 1.1 (all ports)

TLS 1.0 (all ports)

SSL 3.0 (all ports)

SSL 2.0 (all ports)

Industrial Control Systems

All ICS protocols

Modbus (port 502)

EIBnet/IP (port 3671)

BACnet/IP (port 47808)

Interview - ECSC 2021

Jan Kopriva — Thu, 30 Sep 2021 21:10:00 +0200

Prague is currently hosting this year’s European Cyber Security Challenge - an international security competition for teams of young talents from different European countries. Since I am the author of one of the practical challenges that make up the competition and ALEF is one of its sponsors, I was asked for a short interview by the competition’s organizers in the run up to the Challenge itself. The resulting video was published on Youtube today. I think it looks fairly good, but you can judge the result for yourself…

SANS ISC Diary - TLS 1.3 and SSL - the current state of affairs

Jan Kopriva — Tue, 28 Sep 2021 11:20:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the current state of adoption of TLS 1.3 and disposal of SSL 2.0 and 3.0…

SANS ISC Diary - Phishing 101: why depend on one suspicious message subject when you can use many?

Jan Kopriva — Thu, 16 Sep 2021 09:10:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a phishing that tried to use multiple suspicious message subjects to lure the recipient to a phishing site…

Presentation from TF-CSIRT meeting - How TLS 1.3 adoption (and disposal of SSL) is going

Jan Kopriva — Tue, 14 Sep 2021 19:00:00 +0200

64th meeting of the TF-CSIRT community took place today. I’ve had the pleasure to contribute to it with a short presentation about the current state of adoption of TLS 1.3 and continued use of SSL protocols. Although I usually don’t mention presentations I’ve prepared for TF-CSIRT meetings here, I’ve decided to make an exception for this one, since I believe that it might be worth looking at even without the accompanying commentary. If you’d like to take a look at it, you may find it (along with several other presentations) on this link.

SANS ISC Diary - There may be (many) more SPF records than we might expect

Jan Kopriva — Wed, 25 Aug 2021 11:55:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the surprisingly high number of SPF records set for domains in the CZ TLD…

TriOp update - version 1.3

Jan Kopriva — Thu, 12 Aug 2021 17:25:00 +0200

I’ve published version 1.3 of TriOp today. The only change in this version is the addition of vulnerabilities used in the ProxyShell attack (CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523) to the relevant search list.

Chaining of the vulnerabilities in question may lead to an unauthenticated RCE, so one would hope that given the recent media attention that was given to them, most organizations would patch them quickly. However, so far, the daily increases in number of their detections on Shodan seem to paint a slightly less optimistic picture…

As alway, you may download the latest version of TriOp from my GitHub.

SANS ISC Diary - ProxyShell - how many Exchange servers are affected and where are they?

Jan Kopriva — Mon, 09 Aug 2021 12:25:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the number of Exchange serveres vulnerable to the ProxyShell attack…

List of free online malware analysis sandboxes v1.7

Jan Kopriva — Wed, 04 Aug 2021 08:55:00 +0200

Since the online malware sandbox landscape has changed somewhat over the last six months, I have updated my list of most useful sandboxes to reflect these changes. One improvement that deserves a special mention was a significant increase in number of supported operating systems by the Hatching Triage platform…

As always, you may find the current version here.

SANS ISC Diary - A sextortion e-mail from...IT support?!

Jan Kopriva — Wed, 28 Jul 2021 08:35:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a slightly unusual sextortion phishing, in which its author claimed to work for an IT service company hired by recipients e-mail provider…

SANS ISC Diary - One way to fail at malspam - give recipients the wrong password for an encrypted attachment

Jan Kopriva — Wed, 14 Jul 2021 13:10:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a malspam campaign, whose authors failed to include a correct password to decrypt the malicious attachment…

Open ports statistics for Q2 2021

Jan Kopriva — Wed, 30 Jun 2021 21:15:00 +0200

The first half of 2020 is behind us, which means it’s time for a look at how the internet as a whole changed during the past 3 months.

Should you be interested in the port situation in the Czech Republic, you may find corresponding charts here.

Bellow, you may find charts for the following protocols and ports:

Web

E-mail

SSL/TLS

Industrial Control Systems (ICS)

SSH (port 22)

Telnet (port 23)

DNS (port 53)

NTP (port 123)

SNMP (port 161)

SMB (port 445)

RDP (port 3389)

Web

HTTP (port 80)

HTTPS (port 443)

TLS 1.3 (port 443)

TLS 1.2 (port 443)

TLS 1.1 (port 443)

TLS 1.0 (port 443)

SSL 3.0 (port 443)

SSL 2.0 (port 443)

E-mail

SMTP (port 25)

SMTPS (port 465)

IMAP (port 143)

IMAPS (port 993)

POP3 (port 110)

POP3S (port 995)

SSL/TLS

TLS 1.3 (all ports)

TLS 1.2 (all ports)

TLS 1.1 (all ports)

TLS 1.0 (all ports)

SSL 3.0 (all ports)

SSL 2.0 (all ports)

Industrial Control Systems

All ICS protocols

Modbus (port 502)

EIBnet/IP (port 3671)

BACnet/IP (port 47808)

SANS ISC Diary - Phishing asking recipients not to report abuse

Jan Kopriva — Tue, 22 Jun 2021 15:15:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a phishing message that ended with an unusual request…

SANS ISC Diary - Architecture, compilers and black magic, or 'what else affects the ability of AVs to detect malicious files'

Jan Kopriva — Wed, 09 Jun 2021 13:25:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at how the use of a compiler affects the ability of anti-malware tools to detect malicious code…

SANS ISC Diary - All your Base are...nearly equal when it comes to AV evasion, but 64-bit executables are not

Jan Kopriva — Thu, 27 May 2021 11:30:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the difference (or lack thereof) different binary-to-text encodings make when it comes to anti-malware evasion…

SANS ISC Diary - Number of industrial control systems on the internet is lower then in 2020...but still far from zero

Jan Kopriva — Wed, 12 May 2021 13:15:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the number of Industrial Control Systems accessible from the internet…

SANS ISC Diary - Hunting phishing websites with favicon hashes

Jan Kopriva — Mon, 19 Apr 2021 11:15:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at how HTTP favicon hashes may be used to identify IP addresses hosting phishing websites…

SANS ISC Diary - Malspam with Lokibot vs. Outlook and RFCs

Jan Kopriva — Tue, 06 Apr 2021 18:30:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center website. In it, we’ll take a look at an interesting malspam message carrying the Lokibot infostealer and also causing quite unusual behavior in Outlook…

Open ports statistics for Q1 2021

Jan Kopriva — Mon, 05 Apr 2021 11:30:00 +0200

The first quarter of 2020 is behind us, which means it’s time for another look at some of the interesting ports accessible on public IPs. This time however, we will take a look at how the internet as a whole changed during the past 3 months in terms of accessible ports, but also at specific changes related to support of different versions of SSL and TLS.

Should you be interested in the port situation in the Czech Republic, you may find corresponding charts here.

Bellow, you may find charts for the following protocols and ports:

Web

E-mail

SSL/TLS

Industrial Control Systems (ICS)

SSH (port 22)

Telnet (port 23)

DNS (port 53)

NTP (port 123)

SNMP (port 161)

SMB (port 445)

RDP (port 3389)

Web

HTTP (port 80)

HTTPS (port 443)

TLS 1.3 (port 443)

TLS 1.2 (port 443)

TLS 1.1 (port 443)

TLS 1.0 (port 443)

SSL 3.0 (port 443)

SSL 2.0 (port 443)

E-mail

SMTP (port 25)

SMTPS (port 465)

IMAP (port 143)

IMAPS (port 993)

POP3 (port 110)

POP3S (port 995)

SSL/TLS

TLS 1.3 (all ports)

TLS 1.2 (all ports)

TLS 1.1 (all ports)

TLS 1.0 (all ports)

SSL 3.0 (all ports)

SSL 2.0 (all ports)

Industrial Control Systems

All ICS protocols

Modbus (port 502)

EIBnet/IP (port 3671)

BACnet/IP (port 47808)

SANS ISC Diary - Old TLS versions - gone, but not forgotten... well, not really 'gone' either

Jan Kopriva — Tue, 30 Mar 2021 10:20:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at changes in the number of web servers, which support TLS 1.0 and TLS 1.1…

SANS ISC Diary - 50 years of malware? Not really. 50 years of computer worms? That's a different story...

Jan Kopriva — Tue, 16 Mar 2021 08:20:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at Creeper, the first computer worm, which was created 50 years ago - according to some sources, on this very day in 1971…

TriOp update - version 1.2

Jan Kopriva — Sun, 14 Mar 2021 14:00:00 +0100

I’ve published version 1.2 of TriOp today. A bug was present in the “add” mode in version 1.1, which resulted in incorrect behavior when parameterized queries were present in search files, and this update fixes it.
When using the “add” mode, it is now possible to specify a filter (–filter), which determines what parameter from the original search file will be added to every new query. If filter is ommited, no parameter will be appended to newly added queries.

As alway, you may download the latest version of TriOp from my GitHub.

TriOp update - version 1.1

Jan Kopriva — Mon, 08 Mar 2021 11:00:00 +0100

I’ve published version 1.1 of TriOp today. I’ve added CVEs for the recent Exchange vulnerabilities to the vulnerability search list, since Shodan is now capable of detecting systems affected by them. In response to a request from the CSIRT community, I’ve also added the option for use of arbitrary filter along with a list of parameters.
In version 1.0, it was only possible to generate composite searches based on list of countries, however in version 1.1, one may specify any filter (i.e. not just “country”) for use with the list of parameters.
Previously, one could specify a list of searches (-s/-S) and a list of countries (-c/-C) and TriOp would run each search for each specified country and even potentially output results for each country into a specific file (–country_names).
In the updated version, one may specify an arbitrary filter (–filter) and a list of parameters for that filter (-p/-P) along with a list of searches (-s/-S) and the result will be the same. The “one output file per parameter” option is available as well (–filter_names).
What I assume will be of most useful when it comes to this feature, will be the filter “net” – the following example shows how a command using it might look:

triop.py -s "port:80,port:443" --filter net -p "200.0.0.0/16,200.1.0.0/16"

in which case, the output might look similar to:

Current IP count for query port:80 net:"200.0.0.0/16" is 1643
Current IP count for query port:443 net:"200.0.0.0/16" is 1474
Current IP count for query port:80 net:"200.1.0.0/16" is 819
Current IP count for query port:443 net:"200.1.0.0/16" is 798

A country search could be done in the following manner:

triop.py -s "port:22,port:23" --filter country -p "CZ,DE"

and the output would be the same as with the use of the -c option:

Current IP count for query port:22 country:"CZ" is 83007
Current IP count for query port:23 country:"CZ" is 21143
Current IP count for query port:22 country:"DE" is 1467418
Current IP count for query port:23 country:"DE" is 31595

The original “country” options are still present but will be removed in future versions.

You may download the latest version of TriOp from my GitHub.

SANS ISC Diary - Qakbot in a response to Full Disclosure post

Jan Kopriva — Tue, 23 Feb 2021 11:30:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at an interesting e-mail message carrying Qakbot downloader, which appeared to be sent in a response to a historical Full Disclosure mailing list post…

SANS ISC Diary - Agent Tesla hidden in a historical anti-malware tool

Jan Kopriva — Thu, 11 Feb 2021 08:20:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at an interesting sample of Agent Tesla, which was hidden in the code of a legitimate historical anti-malware tool…

SANS ISC Diary - TriOp - tool for gathering (not just) security-related data from Shodan.io

Jan Kopriva — Wed, 27 Jan 2021 11:00:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at TriOp - my recently published tool, which enables anyone to periodically gather interesting data from Shodan.

SANS ISC Diary - From a small BAT file to Mass Logger infostealer

Jan Kopriva — Mon, 04 Jan 2021 15:50:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at an interesting BAT file from 2020, which turned out to be a downloader for the Mass Logger infostealer.