DecryptedTech

Friday01 July 2022

Displaying items by tag: cobalt strike

When most people think of malware, they think of binaries that are downloaded to a drive and executed. However, that is only part of the malware world. The other side does not actually download the malicious binary directly to the drive and often injects it directly into memory though the use of scripts. The name fileless is a bit of a misnomer as there are always files to be found in different stages of the attack, it is more to the point that much of the malicious work is doe through injection of code into legitimate processes without the need to write much of it to disk.

Published in Security Talk

It seems that there are still some MS SQL servers that are not only exposed to the open internet but are also still using weak passwords. When this is combined with vulnerabilities and the lack of other security controls and monitoring, it allows threat actors to compromise them. This is the case in a recently observed campaign where the attackers are targeting exposed MS SQL servers and injecting Cobalt Strike.

Published in Security Talk

A shell for me, a shell for you, a shell for everybody in the room. If you have not heard about Log4J and the associated vulnerabilities in versions between 2.0 and 2.16 you might have not been near a computer in quite a while. This Remote Code Execution vulnerability that has several CVEs (common vulnerabilities and exploits) associated with it is commonly lumped into the term Log4Shell. Log4J itself is a Java based Apache logging framework that is in widespread usage in many applications. The list of impacted applications is not, and may never be, known. Many vendors have release complex mitigation steps and patches, but many devices are not getting patched (nothing surprising here). This has allowed this vulnerability to become quickly weaponized and used in targeted attacks.

Published in Security Talk

In a list of things that should be killed with fire, Excel 4.0 Macros are high up. However, the fat that Spamming “services” like Emotet are still using Excel 4.0 Macros tells me that some are not getting the hint. According to recent research from TrendMicro, Emotet is using some very unconventional methods of obfuscating the C2 server IP addresses. The attack patter is the same, email with a poisoned Excel spreadsheet. This spreadsheet contains HTA with the command script, you know the drill.

Published in Security Talk