SANS ISC Diary on Untrusted Network

SANS ISC Diary - Simple bypass of the link preview function in Outlook Junk folder

Jan Kopriva — Thu, 14 May 2026 08:10:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll look at a simple way to bypass the link preview functionality that Oulook provides for messages in the Junk folder…

SANS ISC Diary - How often are redirects used in phishing in 2026?

Jan Kopriva — Mon, 06 Apr 2026 10:50:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll find out how often open redirect mechanisms were misused in phishing messages in the first quarter of 2026…

SANS ISC Diary - A React-based phishing page with credential exfiltration via EmailJS

Jan Kopriva — Fri, 13 Mar 2026 08:35:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an interesting phishing site, which was implemented as a React single-page application….

SANS ISC Diary - Another day, another malicious JPEG

Jan Kopriva — Mon, 23 Feb 2026 15:35:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a recent malspam campagin delivering a multi-stage infection chain involving a JScript downloader, WMI-spawned PowerShell, and an in-memory .NET assembly extracted from a JPEG file…

SANS ISC Diary - A phishing campaign with QR codes rendered using an HTML table

Jan Kopriva — Wed, 07 Jan 2026 10:35:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a phishing campaign, in which QR codes were implemented with the help of HTML tables instead of images…

SANS ISC Diary - Positive trends related to public IP ranges from the year 2025

Jan Kopriva — Thu, 18 Dec 2025 09:10:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a few positive trends related to public IP ranges from the past twelve months…

SANS ISC Diary - Use of CSS stuffing as an obfuscation technique?

Jan Kopriva — Fri, 21 Nov 2025 10:50:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a phishing page, which - probably as an obfusctaion technique - contained a large amount of garbage CSS code…

SANS ISC Diary - A phishing with invisible characters in the subject line

Jan Kopriva — Tue, 28 Oct 2025 10:55:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an unusual phishing message which contained “invisible” characters in its subject line…

SANS ISC Diary - A quick look at sextortion at scale: 1,900 messages and 205 Bitcoin addresses spanning four years

Jan Kopriva — Tue, 02 Sep 2025 10:00:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll discuss the analysis of approximately 1,900 sextortion e-mails spanning years 2021-2025, and look at interesting statistical data that resulted from this analysis…

SANS ISC Diary - Do sextortion scams still work in 2025?

Jan Kopriva — Wed, 06 Aug 2025 11:30:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll discuss whether sextortion scams are still effective in 2025…

SANS ISC Diary - How quickly do we patch? A quick look from the global viewpoint

Jan Kopriva — Mon, 21 Jul 2025 13:00:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at how quickly do we – as a global society – patch actively-exploited vulnerabilities when it comes to our internet-facing systems…

SANS ISC Diary - Phishing e-mail that hides malicious link from Outlook users

Jan Kopriva — Wed, 04 Jun 2025 12:30:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an interesting phishing e-mail that hides the link to a malicious site from Oulook users…

SANS ISC Diary - Another day, another phishing campaign abusing google.com open redirects

Jan Kopriva — Wed, 14 May 2025 12:30:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an actively exploited open redirect vulnerability in Google Travel service that enables threat actors to craft links pointing to www.google.com which cause redirection to an arbitrary URL…

SANS ISC Diary - It's 2025... so why are obviously malicious advertising URLs still going strong?

Jan Kopriva — Mon, 21 Apr 2025 10:50:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a phishing campaign, in which Google Ad service was used for redirection of victims, and at security weaknesses of web-based ad services in general…

SANS ISC Diary - A Tale of Two Phishing Sites

Jan Kopriva — Fri, 28 Mar 2025 13:00:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at two phishing sites based on the same phishing kit, that differed significantly (not just) in the level of obfuscation…

SANS ISC Diary - SSL 2.0 turns 30 this Sunday... Perhaps the time has come to let it die?

Jan Kopriva — Fri, 07 Feb 2025 11:45:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an upcoming 30-year anniversary of the publication of SSL 2.0, and on the number of internet-exposed systems that still support this protocol…

SANS ISC Diary - An unusual 'shy z-wasp' phishing

Jan Kopriva — Mon, 27 Jan 2025 12:20:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an unusual phishing message, in which two different techniques for splitting text using unrendered characters were used with the intention of bypassing security scans…

SANS ISC Diary - Changes in SSL and TLS support in 2024

Jan Kopriva — Mon, 30 Dec 2024 12:25:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at changes in SSL/TLS support on web servers and e-mail servers during the 12 months of 2024…

SANS ISC Diary - The strange case of disappearing Russian servers

Jan Kopriva — Mon, 25 Nov 2024 08:14:15 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a recent significant decrease in the number of servers seen by Shodan in Russia…

SANS ISC Diary - Self-contained HTML phishing attachment using Telegram to exfiltrate stolen credentials

Jan Kopriva — Mon, 28 Oct 2024 08:15:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an HTML phishing attachment which used Telegram to send stolen credentials back to its authors…

SANS ISC Diary - Phishing links with @ sign and the need for effective security awareness building

Jan Kopriva — Mon, 23 Sep 2024 08:55:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at misuse of the user information string in a URL, and at the topic of effective security awareness building in relation to phishing…

SANS ISC Diary - Script obfuscation using multiple instances of the same function

Jan Kopriva — Mon, 05 Aug 2024 08:15:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an interesting script obfuscation technique…

SANS ISC Diary - 'Reply-chain phishing' with a twist

Jan Kopriva — Tue, 16 Jul 2024 11:30:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a slightly unusual “reply-chain” phishing technique…

SANS ISC Diary - Support of SSL 2.0 on web servers in 2024

Jan Kopriva — Fri, 28 Jun 2024 12:00:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the number of web server that still support SSL v2.0…

SANS ISC Diary - Files with TXZ extension used as malspam attachments

Jan Kopriva — Mon, 27 May 2024 08:45:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at recent malspam campaigns distributing files with the TXZ extension…

SANS ISC Diary - It appears that the number of industrial devices accessible from the internet has risen by 30 thousand over the past three years

Jan Kopriva — Mon, 22 Apr 2024 12:25:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the number of internet-exposed industrial control systems…

SANS ISC Diary - The xz-utils backdoor in security advisories by national CSIRTs

Jan Kopriva — Mon, 01 Apr 2024 13:55:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the number of security advisories published by national and governmental CSIRTs in connection with the backdoor in xz-utils…

SANS ISC Diary - Increase in the number of phishing messages pointing to IPFS and to R2 buckets

Jan Kopriva — Thu, 14 Mar 2024 09:55:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a recent rise in the number of phishing messages pointing to IPFS and R2 buckets…

SANS ISC Diary - Phishing pages hosted on archive.org

Jan Kopriva — Wed, 21 Feb 2024 08:30:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at hosting of phishing pages on archive.org…

SANS ISC Diary - Computer viruses are celebrating their 40th birthday (well, 54th, really)

Jan Kopriva — Tue, 06 Feb 2024 10:00:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an interesting anniversary related to computer viruses…

SANS ISC Diary - Interesting large and small malspam attachments from 2023

Jan Kopriva — Wed, 03 Jan 2024 15:00:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the largest and smallest malware samples, that my malspam traps caught last year…

SANS ISC Diary - Whose packet is it anyway: a new RFC for attribution of internet probes

Jan Kopriva — Wed, 06 Dec 2023 11:45:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a recently published RFC which provides way for network scans performed over the internet to be attributed…

SANS ISC Diary - Phishing page with trivial anti-analysis features

Jan Kopriva — Fri, 17 Nov 2023 11:10:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a phishing page with easily bypassed anti-analysis features…

SANS ISC Diary - Are typos still relevant as an indicator of phishing?

Jan Kopriva — Mon, 16 Oct 2023 09:45:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll discuss whether typos are still useful as an indicator of phishing…

SANS ISC Diary - A new spin on the ZeroFont phishing technique

Jan Kopriva — Tue, 26 Sep 2023 11:20:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a novel phishing technique, in which text written in zero-size font is used in order to make messages appear more trustworthy…

SANS ISC Diary - The low, low cost of (committing) cybercrime

Jan Kopriva — Thu, 31 Aug 2023 12:00:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a simple phishing which demonstrates quite well that the cost of committing cybercrime can unfortunately be extremely low…

SANS ISC Diary - From small LNK to large malicious BAT file with zero VT score

Jan Kopriva — Thu, 03 Aug 2023 18:30:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a malicious BAT file which was used in a phishing campaign last week and according to VirusTotal is still being detected as benign by all anti-virus engines it has access to…

SANS ISC Diary - Kazakhstan - the world's last SSLv2 superpower... and a country with potentially vulnerable last-mile internet infrastructure

Jan Kopriva — Wed, 28 Jun 2023 08:30:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a surprisingly high number of old network devices in Kazakhstan, which still support SSL version 2.0…

SANS ISC Diary - After 28 years, SSLv2 is still not gone from the internet... but we're getting there

Jan Kopriva — Thu, 01 Jun 2023 10:40:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at how SSLv2 support on web servers connected to the internet is slowly “dying off”…

SANS ISC Diary - Ongoing Facebook phishing campaign without a sender and (almost) without links

Jan Kopriva — Mon, 15 May 2023 09:35:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an interesting, long-term phishing campaign targeting Facebook users…

SANS ISC Diary - 'Passive' analysis of a phishing attachment

Jan Kopriva — Mon, 01 May 2023 12:40:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a “passive”, OPSEC-friendly approach to the analysis of HTML phishing attachments…

SANS ISC Diary - The strange case of Great honeypot of China

Jan Kopriva — Mon, 17 Apr 2023 10:50:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a sharp increase of Shodan’s detections of honeypots in China…

SANS ISC Diary - Use of X-Frame-Options and CSP frame-ancestors security headers on 1 million most popular domains

Jan Kopriva — Fri, 31 Mar 2023 14:50:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the use of security-related HTTP headers that are able to prevent “framing attacks” on one million most commonly visited domains…

SANS ISC Diary - IPFS phishing and the need for correctly set HTTP security headers

Jan Kopriva — Wed, 15 Mar 2023 12:20:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at several phishing pages hosted on a disributed file system IPFS and shortly dicuss the potential of HTTP security headers to serve as a defense against phishing…

SANS ISC Diary - HTML phishing attachment with browser-in-the-browser technique

Jan Kopriva — Thu, 16 Feb 2023 12:20:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the use of “browser-in-the-browser” technique in a generic phishing campaign…

SANS ISC Diary - SPF and DMARC use on 100k most popular domains

Jan Kopriva — Thu, 19 Jan 2023 12:40:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at SPF and DMARC use on world’s most popular domains…

SANS ISC Diary - Passive detection of internet-connected systems affected by vulnerabilities from the CISA KEV catalog

Jan Kopriva — Wed, 11 Jan 2023 12:00:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a new function of my TriOp tool and its use for passive identification of systems affected by vulnerabilities listed in the CISA KEV Catalog…

SANS ISC Diary - SPF and DMARC use on GOV domains in different ccTLDs

Jan Kopriva — Fri, 30 Dec 2022 16:45:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the use of SPF and DMARC on second-level governmental domains in different ccTLDs…

SANS ISC Diary - Traffic Light Protocol (TLP) 2.0 is here

Jan Kopriva — Thu, 04 Aug 2022 10:35:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a new version of the Traffic Light Protocol standard, which was published by FIRST earlier this week…

SANS ISC Diary - EternalBlue 5 years after WannaCry and NotPetya

Jan Kopriva — Tue, 05 Jul 2022 10:35:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the number of internet-exposed systems that are still vulnerable to the EternalBlue exploit…

SANS ISC Diary - HTML phishing attachments - now with anti-analysis features

Jan Kopriva — Wed, 01 Jun 2022 12:05:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an unusual use of anti-debugging/anti-analysis techniques in a phishing page…

SANS ISC Diary - Do you want 30 BTC? Nothing is easier (or cheaper) in this phishing campaign...

Jan Kopriva — Wed, 18 May 2022 07:50:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a sophisticated phishing campaign that offered 30 BTC (in someone else’s account) in an attempt to get victims to send it money…

SANS ISC Diary - What is the simplest malware in the world?

Jan Kopriva — Fri, 06 May 2022 09:20:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at what might be the simplest malware in the world…

SANS ISC Diary - MITRE ATT&CK v11 - a small update that can help (not just) with detection engineering

Jan Kopriva — Wed, 27 Apr 2022 11:30:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a new version of the MITRE ATT&CK framework, which was published this week…

SANS ISC Diary - How is Ukrainian internet holding up during the Russian invasion?

Jan Kopriva — Wed, 13 Apr 2022 11:30:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the impact of the current war in Ukraine on the country’s internet…

SANS ISC Diary - Over 20 thousand servers have their iLO interfaces exposed to the internet, many with outdated and vulnerable versions of FW

Jan Kopriva — Wed, 26 Jan 2022 12:20:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the high number of HP servers that have their out-of-band configuration interface exposed to the internet…

SANS ISC Diary - Phishing e-mail with...an advertisement?

Jan Kopriva — Tue, 18 Jan 2022 10:10:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a slightly unusual phishing message that contained text reminiscent of an advertisement for Xerox products…

SANS ISC Diary - Do you want your Agent Tesla in the 300 MB or 8 kB package?

Jan Kopriva — Fri, 31 Dec 2021 13:15:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at some of the largest and smallest malicious PE files that were caught by my malspam trap in 2021…

SANS ISC Diary - PowerPoint attachments, Agent Tesla and code reuse in malware

Jan Kopriva — Mon, 20 Dec 2021 17:00:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a malspam message with macro-enabled PowerPoint attachment that turned out to be first stage of an Agent Tesla infection chain…

SANS ISC Diary - Phishing page hiding itself using dynamically adjusted IP-based allow list

Jan Kopriva — Wed, 24 Nov 2021 12:10:00 +0100

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at an interesting protection mechanism used on a phishing site to deny access to it to anyone but the victim who first clicked the link in a phishing mail…

SANS ISC Diary - TLS 1.3 and SSL - the current state of affairs

Jan Kopriva — Tue, 28 Sep 2021 11:20:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the current state of adoption of TLS 1.3 and disposal of SSL 2.0 and 3.0…

SANS ISC Diary - Phishing 101: why depend on one suspicious message subject when you can use many?

Jan Kopriva — Thu, 16 Sep 2021 09:10:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a phishing that tried to use multiple suspicious message subjects to lure the recipient to a phishing site…

SANS ISC Diary - There may be (many) more SPF records than we might expect

Jan Kopriva — Wed, 25 Aug 2021 11:55:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the surprisingly high number of SPF records set for domains in the CZ TLD…

SANS ISC Diary - ProxyShell - how many Exchange servers are affected and where are they?

Jan Kopriva — Mon, 09 Aug 2021 12:25:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the number of Exchange serveres vulnerable to the ProxyShell attack…

SANS ISC Diary - A sextortion e-mail from...IT support?!

Jan Kopriva — Wed, 28 Jul 2021 08:35:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a slightly unusual sextortion phishing, in which its author claimed to work for an IT service company hired by recipients e-mail provider…

SANS ISC Diary - One way to fail at malspam - give recipients the wrong password for an encrypted attachment

Jan Kopriva — Wed, 14 Jul 2021 13:10:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a malspam campaign, whose authors failed to include a correct password to decrypt the malicious attachment…

SANS ISC Diary - Phishing asking recipients not to report abuse

Jan Kopriva — Tue, 22 Jun 2021 15:15:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at a phishing message that ended with an unusual request…

SANS ISC Diary - Architecture, compilers and black magic, or 'what else affects the ability of AVs to detect malicious files'

Jan Kopriva — Wed, 09 Jun 2021 13:25:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at how the use of a compiler affects the ability of anti-malware tools to detect malicious code…

SANS ISC Diary - All your Base are...nearly equal when it comes to AV evasion, but 64-bit executables are not

Jan Kopriva — Thu, 27 May 2021 11:30:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the difference (or lack thereof) different binary-to-text encodings make when it comes to anti-malware evasion…

SANS ISC Diary - Number of industrial control systems on the internet is lower then in 2020...but still far from zero

Jan Kopriva — Wed, 12 May 2021 13:15:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at the number of Industrial Control Systems accessible from the internet…

SANS ISC Diary - Hunting phishing websites with favicon hashes

Jan Kopriva — Mon, 19 Apr 2021 11:15:00 +0200

A new Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at how HTTP favicon hashes may be used to identify IP addresses hosting phishing websites…

SANS ISC Diary - Malspam with Lokibot vs. Outlook and RFCs

Jan Kopriva — Tue, 06 Apr 2021 18:30:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center website. In it, we’ll take a look at an interesting malspam message carrying the Lokibot infostealer and also causing quite unusual behavior in Outlook…

SANS ISC Diary - Old TLS versions - gone, but not forgotten... well, not really 'gone' either

Jan Kopriva — Tue, 30 Mar 2021 10:20:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center website. In this one, we’ll take a look at changes in the number of web servers, which support TLS 1.0 and TLS 1.1…

SANS ISC Diary - 50 years of malware? Not really. 50 years of computer worms? That's a different story...

Jan Kopriva — Tue, 16 Mar 2021 08:20:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at Creeper, the first computer worm, which was created 50 years ago - according to some sources, on this very day in 1971…

SANS ISC Diary - Qakbot in a response to Full Disclosure post

Jan Kopriva — Tue, 23 Feb 2021 11:30:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at an interesting e-mail message carrying Qakbot downloader, which appeared to be sent in a response to a historical Full Disclosure mailing list post…

SANS ISC Diary - Agent Tesla hidden in a historical anti-malware tool

Jan Kopriva — Thu, 11 Feb 2021 08:20:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at an interesting sample of Agent Tesla, which was hidden in the code of a legitimate historical anti-malware tool…

SANS ISC Diary - TriOp - tool for gathering (not just) security-related data from Shodan.io

Jan Kopriva — Wed, 27 Jan 2021 11:00:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at TriOp - my recently published tool, which enables anyone to periodically gather interesting data from Shodan.

SANS ISC Diary - From a small BAT file to Mass Logger infostealer

Jan Kopriva — Mon, 04 Jan 2021 15:50:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at an interesting BAT file from 2020, which turned out to be a downloader for the Mass Logger infostealer.

SANS ISC Diary - TLS 1.3 is now supported by about 1 in every 5 HTTPS servers

Jan Kopriva — Wed, 30 Dec 2020 12:55:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at the increse in support of TLS 1.3 by HTTPS servers and the decrease in support of SSL 2.0.

SANS ISC Diary - Want to know what's in a folder you don't have a permission to access? Try asking your AV solution...

Jan Kopriva — Tue, 29 Dec 2020 15:20:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look a small issue present in many anti-malware tools, which may be used to bypass file system level folder listing permissions.

SANS ISC Diary - A slightly optimistic tale of how patching went for CVE-2019-19781

Jan Kopriva — Fri, 18 Dec 2020 10:00:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at how many publicly accessible systems are still vulnerable to CVE-2019-19781, AKA Shitrix.

SANS ISC Diary - Vulnerabilities don’t disappear just because we don’t talk about them anymore

Jan Kopriva — Mon, 16 Nov 2020 11:08:20 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at couple of pre-2020 high-impact vulnerabilities, which still affect surprising number of publicly accessible systems.

SANS ISC Diary - SMBGhost - the critical vulnerability many seem to have forgotten to patch

Jan Kopriva — Wed, 28 Oct 2020 11:00:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at the concerning number of machines connected to the internet, that are still not patched for the critical SMBGhost vulnerability.

SANS ISC Diary - BazarLoader phishing lures: plan a Halloween party, get a bonus and be fired in the same afternoon

Jan Kopriva — Thu, 22 Oct 2020 11:00:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at phishing campaigns spreading BazarLoader malware and the lures which they use.

SANS ISC Diary - Phishing kits as far as the eye can see

Jan Kopriva — Fri, 09 Oct 2020 07:40:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at phishing kits, which are offered on the indexed part of the web.

SANS ISC Diary - Slightly broken overlay phishing

Jan Kopriva — Mon, 21 Sep 2020 12:50:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at an interesting (and slightly broken) phishing campaign, which overlays legitimate pages with fake login prompts.

SANS ISC Diary - A blast from the past - XXEncoded VB6.0 Trojan

Jan Kopriva — Fri, 04 Sep 2020 09:35:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at a campaign in which the malicious actors decided to go reall “old school” when it comes to file formats they would use.

SANS ISC Diary - Security.txt - one small file for an admin, one giant help to a security researcher

Jan Kopriva — Thu, 27 Aug 2020 09:20:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at the draft standard for “A File Format to Aid in Security Vulnerability Disclosure”, better known as security.txt.

SANS ISC Diary - Definition of 'overkill' - using 130 MB executable to hide 24 kB malware

Jan Kopriva — Fri, 14 Aug 2020 14:20:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at a 130 MB EXE carrying within it a 24 kB malicious payload.

SANS ISC Diary - What pages do bad bots look for?

Jan Kopriva — Sat, 01 Aug 2020 16:15:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at which interesting pages “bad” bots look for the most on web servers.

SANS ISC Diary - Couple of interesting Covid-19 related stats

Jan Kopriva — Tue, 21 Jul 2020 10:55:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at how regional travel restrictions impact (or don’t) the number of IP addresses which expose remote access protocols to the internet.

SANS ISC Diary - Using Shell Links as zero-touch downloaders and to initiate network connections

Jan Kopriva — Wed, 24 Jun 2020 09:45:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at a weakness handling of LNK files in Windows, through which one may force the OS to download an arbitrary file from a remote server any time the shortcut file is displayed.

SANS ISC Diary - Broken phishing accidentally exploiting Outlook zero-day

Jan Kopriva — Thu, 18 Jun 2020 11:35:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at a phishing, which accidentally exploited a 0-day vulnerability in Outlook, which allows for creation or modification of links when an e-mail is forwarded by Outlook.

SANS ISC Diary - Frankenstein's phishing using Google Cloud Storage

Jan Kopriva — Wed, 27 May 2020 10:40:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at a strange phishing campaign, which was, due to combination of quite sophisticated and extremely amateurish components, reminiscent of the creation of Shelley’s Dr. Frankenstein.

SANS ISC Diary - Agent Tesla delivered by the same phishing campaign for over a year

Jan Kopriva — Tue, 28 Apr 2020 08:45:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at a phishing campaign that has been running almost unchanged for more than a year and seems to be distributing exclusively Agent Tesla.

SANS ISC Diary - Look at the same phishing campaign 3 months apart

Jan Kopriva — Mon, 13 Apr 2020 11:35:00 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at two phishing e-mails from the same campaign sent out 3 months apart.

SANS ISC Diary - Crashing explorer.exe with(out) a click

Jan Kopriva — Mon, 30 Mar 2020 07:55:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at a vulnerability in the way Windows handles self-referential links, which makes it possible to use specially crafted URL and LNK files to crash Explorer.

SANS ISC Diary - Desktop.ini as a post-exploitation tool

Jan Kopriva — Mon, 16 Mar 2020 07:55:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at a vulnerability in the way Windows handles desktop.ini files, which makes it possible to use them as an interesting post-exploitation tool.

UPDATE 27. 5. 2020: I put together a shor video demonstrating the vulnerabiltiy while preparing materials for SANSFIRE 2020. You may find it here.

SANS ISC Diary - Secure vs. cleartext protocols – couple of interesting stats

Jan Kopriva — Mon, 02 Mar 2020 06:55:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we delve into the support of HTTP and HTTPS among web servers on the internet, as well as support for Telnet and SSH, over the last six months.

SANS ISC Diary - Quick look at a couple of current online scam campaigns

Jan Kopriva — Tue, 25 Feb 2020 06:57:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at couple of online scam campaigns I came accross in the last weeks. A closer look at one of the landing pages used in the campaign, which was almost certainly authored by the FizzCore group, may be found here (in Czech).

SANS ISC Diary - Discovering contents of folders in Windows without permissions

Jan Kopriva — Tue, 18 Feb 2020 07:18:21 +0100

A Diary of mine was published today on the SANS Internet Storm Center. This one deals with a strange side effect of the way in which Windows deals with file permissions, which enables any user, regardless of permissions, to brute-force contents of any local folder.

UPDATE 20. 5. 2020: I put together a shor video demonstrating the weakness/vulnerability while preparing materials for SANSFIRE 2020. You may find it here.

SANS ISC Diary - Current PayPal phishing campaign or 'give me all your personal information'

Jan Kopriva — Mon, 10 Feb 2020 09:37:58 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one we take a look at a current phishing campaign which shows quite well the current “let’s get all the users' data” mentality of the attackers.

SANS ISC Diary - Analysis of a triple-encrypted AZORult downloader

Jan Kopriva — Mon, 03 Feb 2020 07:45:10 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one we take a look at analysis of an interesting malicious document which turned out to be AZORult downloader. What made it stand out - among its other aspects - were 3 layers of home-grown encryption…

EDIT 04/02/2020: Tom from Threat Post liked the diary and wrote an article based on it - you may find it here.

SANS ISC Diary - Picks of 2019 malware - the large, the small and the one full of null bytes

Jan Kopriva — Thu, 16 Jan 2020 07:52:08 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one we take a look at what last year brought us, when it comes to malware delivered by e-mail, specifically at the smallest and largest malicious files I found in my e-mail quarantine.

SANS ISC Diary - Internet banking sites and their use of TLS... and SSLv3... and SSLv2?!

Jan Kopriva — Fri, 13 Dec 2019 08:22:37 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one we take a look at the use of TLS (and SSL) on banking sites all over the world.

SANS ISC Diary - Phishing with a self-contained credential-stealing webpage

Jan Kopriva — Fri, 06 Dec 2019 07:30:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one we take a look at an interesting phishing message, which carried a complete phishing web page as its attachment.

SANS ISC Diary - E-mail from Agent Tesla

Jan Kopriva — Thu, 05 Dec 2019 07:30:00 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one we take a look at a multi-stage downloader for Agent Tesla.

SANS ISC Diary - Analysis of a strangely poetic malware

Jan Kopriva — Wed, 04 Dec 2019 08:14:33 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one we take a look at a macro-based dropper sent to the Internet Storm Center by one of our readers.

SANS ISC Diary - Lessons learned from playing a willing phish

Jan Kopriva — Tue, 26 Nov 2019 12:08:19 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one we take a look at baiting phishing attackers and at some of the lessons we may learn from it.

SANS ISC Diary - Did the recent malicious BlueKeep campaign have any positive impact when it comes to patching?

Jan Kopriva — Sun, 10 Nov 2019 11:55:40 +0100

A Diary of mine was published today on the SANS Internet Storm Center. If you wondered whether the recent “BlueKeep worm scare” had any impact when it comes to the number of vulnerable systems out there, then this one is for you.

EDIT 13/11/2019: Shaun from The Register liked the post and wrote an article based on it - you may find it here.

SANS ISC Diary - EML attachments in O365 - a recipe for phishing

Jan Kopriva — Thu, 31 Oct 2019 11:15:35 +0100

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at the absence of filtering of EML attachments in O365 and what it can lead to.

SANS ISC Diary - Phishing e-mail spoofing SPF-enabled domain

Jan Kopriva — Thu, 17 Oct 2019 11:49:25 +0200

A Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at SPF and when even SPF-enabled domains may be spoofed.

SANS ISC Diary - Tricky LNK points to TrickBot

Jan Kopriva — Tue, 03 Sep 2019 13:06:21 +0200

A Guest Diary of mine was published today on the SANS Internet Storm Center. In this one, we take a look at analyzing a malicious LNK file which leads us to a sample of Trickbot.

SANS ISC Diary - Open Redirect: A Small But Very Common Vulnerability

Jan Kopriva — Wed, 28 Aug 2019 14:27:02 +0200

A Guest Diary of mine was published today on the SANS Internet Storm Center. In this one, I discuss open redirect vulnerabilities and how to find them. If you’ve never heard of open redirects, this might be a useful introductory text.

SANS ISC Diary - The good, the bad and the non-functional

Jan Kopriva — Thu, 08 Aug 2019 21:31:08 +0200

A Guest Diary of mine was published today on the SANS Internet Storm Center. If you’ve wondered how do the less usual cyber attacks look, it might be worth a read…