2022 on Untrusted Network

SANS ISC Diary - SPF and DMARC use on GOV domains in different ccTLDs

Jan Kopriva — Fri, 30 Dec 2022 16:45:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the use of SPF and DMARC on second-level governmental domains in different ccTLDs…

Presentations from 67th TF-CSIRT meeting - Threat modeling with ATT&CK and How quickly do we patch?

Jan Kopriva — Sat, 01 Oct 2022 10:40:00 +0100

67th meeting of the TF-CSIRT community took place this week and I’ve had a chance to contribute to it with two presentations - one discussing the speed with which we apply patches (from a global standpoint), and another one, in which we looked at a basic approach to threat modeling using MITRE ATT&CK. If you would like to take a look at the slides, you may find them here - even if you didn’t have a chance to attend the event, I believe they might be useful.

SANS ISC Diary - Traffic Light Protocol (TLP) 2.0 is here

Jan Kopriva — Thu, 04 Aug 2022 10:35:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a new version of the Traffic Light Protocol standard, which was published by FIRST earlier this week…

SANS ISC Diary - EternalBlue 5 years after WannaCry and NotPetya

Jan Kopriva — Tue, 05 Jul 2022 10:35:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the number of internet-exposed systems that are still vulnerable to the EternalBlue exploit…

Malware analysis - 'video write-up' of one of the ECSC 2021 challenges

Jan Kopriva — Tue, 21 Jun 2022 08:25:00 +0100

I published a new video on the Untrusted Network YouTube channel today, which shows one possible solution for a “malware analysis task” which I prepared for the final round of last year’s European Cyber Security Challenge. If you would like to take a closer look at the multi-stage “malware” which contestants in the ECSC 2021 had to analyze, or if you would like to try to analyze the sample yourself, now you have a chance to do so - you will find further information in the following video.

The video is also available in a Czech language version.

SANS ISC Diary - HTML phishing attachments - now with anti-analysis features

Jan Kopriva — Wed, 01 Jun 2022 12:05:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an unusual use of anti-debugging/anti-analysis techniques in a phishing page…

SANS ISC Diary - Do you want 30 BTC? Nothing is easier (or cheaper) in this phishing campaign...

Jan Kopriva — Wed, 18 May 2022 07:50:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a sophisticated phishing campaign that offered 30 BTC (in someone else’s account) in an attempt to get victims to send it money…

SANS ISC Diary - What is the simplest malware in the world?

Jan Kopriva — Fri, 06 May 2022 09:20:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at what might be the simplest malware in the world…

SANS ISC Diary - MITRE ATT&CK v11 - a small update that can help (not just) with detection engineering

Jan Kopriva — Wed, 27 Apr 2022 11:30:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a new version of the MITRE ATT&CK framework, which was published this week…

SANS ISC Diary - How is Ukrainian internet holding up during the Russian invasion?

Jan Kopriva — Wed, 13 Apr 2022 11:30:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the impact of the current war in Ukraine on the country’s internet…

Log4shell Lightning talk - 2022 TF-CSIRT Meeting & FIRST Regional Symposium Europe

Jan Kopriva — Mon, 14 Mar 2022 09:00:00 +0100

Few weeks ago, I attended the 2022 TF-CSIRT Meeting & FIRST Regional Symposium Europe and gave a lighting talk there discussing couple of interesting trends seen in Log4shell exploitation attempts and the possibility to create a simple generic defense agains similar attacks in the future. Recordings of all the talks are now available on YouTube and you may find my lightning talk in the video under this paragraph or on this link. Lightning talks were supposed to be only 5 minutes long and I went significantly over the allocated time, but I hope that most attendees didn’t mind it too much…

SANS ISC Diary - Over 20 thousand servers have their iLO interfaces exposed to the internet, many with outdated and vulnerable versions of FW

Jan Kopriva — Wed, 26 Jan 2022 12:20:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the high number of HP servers that have their out-of-band configuration interface exposed to the internet…

SANS ISC Diary - Phishing e-mail with...an advertisement?

Jan Kopriva — Tue, 18 Jan 2022 10:10:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a slightly unusual phishing message that contained text reminiscent of an advertisement for Xerox products…

Podcast with Gaper.io about (not just) work from home security

Jan Kopriva — Fri, 14 Jan 2022 14:00:00 +0100

I’ve been invited to do a podcast with Gaper.io some time back, and the resulting recording was published today. Mark Allen, Gaper’s business development director, and I spent nearly 20 minutes talking about different security aspects of work from home, general security awareness and several other topics. If you’re looking for a light, security-related podcast listen to, this one might not be a bad choice…

Open ports statistics for 2021

Jan Kopriva — Wed, 05 Jan 2022 07:30:00 +0200

The year 2021 is behind us which means that the time has come for us to take a look at how the internet changed over its 365 days.

As always, the data, on which the following charts are based, have been gathered using Shodan. Therefore bear in mind that although the charts should give us a good enough view of more significant changes, they may not be completely accurate (see the first post with quarterly statistics.

It should be mentioned that since Shodan started offering a new service called Trends few months back, which enables one to quickly view similar charts as the ones bellow for arbitrary search queries, this may be the last post in the “Open port statistics” series, since these are somewhat superfluous given the new service… Althoug, since Shodan Trends displays only “high-level” charts with significantly lower level of precission (it seems that it uses either an average or a median for each month, whereas the following charts show precise values returned by Shodan on each day in the year), maybe I’ll decide to keep posting these at least on a yearly basis - we’ll see…

Should you be interested in the port situation in the Czech Republic, you may find corresponding charts here.

Bellow, you may find charts for the following protocols and ports:

2022 on Untrusted Network

SANS ISC Diary - SPF and DMARC use on GOV domains in different ccTLDs

Presentations from 67th TF-CSIRT meeting - Threat modeling with ATT&CK and How quickly do we patch?

SANS ISC Diary - Traffic Light Protocol (TLP) 2.0 is here

SANS ISC Diary - EternalBlue 5 years after WannaCry and NotPetya

Malware analysis - 'video write-up' of one of the ECSC 2021 challenges

SANS ISC Diary - HTML phishing attachments - now with anti-analysis features

SANS ISC Diary - Do you want 30 BTC? Nothing is easier (or cheaper) in this phishing campaign...

SANS ISC Diary - What is the simplest malware in the world?

SANS ISC Diary - MITRE ATT&CK v11 - a small update that can help (not just) with detection engineering

SANS ISC Diary - How is Ukrainian internet holding up during the Russian invasion?

Log4shell Lightning talk - 2022 TF-CSIRT Meeting & FIRST Regional Symposium Europe

SANS ISC Diary - Over 20 thousand servers have their iLO interfaces exposed to the internet, many with outdated and vulnerable versions of FW

SANS ISC Diary - Phishing e-mail with...an advertisement?

Podcast with Gaper.io about (not just) work from home security

Open ports statistics for 2021

Web

E-mail

SSL/TLS

Industrial Control Systems (ICS)

SSH (port 22)

Telnet (port 23)

DNS (port 53)

NTP (port 123)

SNMP (port 161)

SMB (port 445)

RDP (port 3389)

Web

HTTP (port 80)

HTTPS (port 443)

TLS 1.3 (port 443)

TLS 1.2 (port 443)

TLS 1.1 (port 443)

TLS 1.0 (port 443)

SSL 3.0 (port 443)

SSL 2.0 (port 443)

E-mail

SMTP (port 25)

SMTPS (port 465)

IMAP (port 143)

IMAPS (port 993)

POP3 (port 110)

POP3S (port 995)

SSL/TLS

TLS 1.3 (all ports)

TLS 1.2 (all ports)

TLS 1.1 (all ports)

TLS 1.0 (all ports)

SSL 3.0 (all ports)

SSL 2.0 (all ports)

Industrial Control Systems

All ICS protocols

Modbus (port 502)

EIBnet/IP (port 3671)

BACnet/IP (port 47808)