# SANS ISC

• Rig Exploit Kit Delivering VBScript, (Thu, Sep 12th) Fri, 13 Sep 2019 05:37:13 GMT
  I detected the following suspicious traffic on a corporate network. It was based on multiples infection stages and looked interesting enough to publish a diary about it. This is also a good reminder that, just by surfing the web, you can spot malicious scripts that will try to infect your computer (Exploit Kits).
• ISC Stormcast For Friday, September 13th 2019 https://isc.sans.edu/podcastdetail.html?id=6664, (Fri, Sep 13th) Fri, 13 Sep 2019 03:00:04 GMT
• Blocking Firefox DoH with Bind, (Thu, Sep 12th) Thu, 12 Sep 2019 07:18:07 GMT
  For a few days, huge debates have started on forums and mailing lists regarding the announce of Mozilla to enable DoH (DNS over HTTPS[1]) by default in its Firefox browser. Since this announcement, Google also scheduled a move to this technology with the upcoming Chrome releases (this has been covered in today's podcast episode). My goal is not here to start a new debate. DoH has definitively good points regarding privacy but the problem is always the way it is implemented. In corporate environments, security teams will for sure try to avoid the use of DoH for logging reasons (DNS logs are a gold mine in incident management and forensics).
• ISC Stormcast For Thursday, September 12th 2019 https://isc.sans.edu/podcastdetail.html?id=6662, (Thu, Sep 12th) Thu, 12 Sep 2019 03:00:03 GMT
• ISC Stormcast For Wednesday, September 11th 2019 https://isc.sans.edu/podcastdetail.html?id=6660, (Wed, Sep 11th) Wed, 11 Sep 2019 03:00:03 GMT
• Microsoft September 2019 Patch Tuesday, (Tue, Sep 10th) Tue, 10 Sep 2019 18:42:03 GMT
• ISC Stormcast For Tuesday, September 10th 2019 https://isc.sans.edu/podcastdetail.html?id=6658, (Tue, Sep 10th) Tue, 10 Sep 2019 03:00:03 GMT
• ISC Stormcast For Monday, September 9th 2019 https://isc.sans.edu/podcastdetail.html?id=6656, (Mon, Sep 9th) Mon, 09 Sep 2019 03:00:02 GMT
• Unidentified Scanning Activity, (Sat, Sep 7th) Sun, 08 Sep 2019 11:05:28 GMT
  Over the two weeks, my honeypot has captured a new scan. According for the URL targeted and some research, this might be used to identify Dahua[1] or HiSilicon[2] digital video recorder (DVR) product. So for I have only seen this activity against port 80 and the scans for this activity looks like this:
• PowerShell Script with a builtin DLL, (Fri, Sep 6th) Fri, 06 Sep 2019 05:33:09 GMT
  Attackers are always trying to bypass antivirus detection by using new techniques to obfuscate their code. I recently found a bunch of scripts that encode part of their code in Base64. The code is decoded at execution time and processed via the &#;x26;#;39;IEX&#;x26;#;39; command:

# Reddit netsec

# Krebs On Security

• NY Payroll Company Vanishes With $35 Million Wed, 11 Sep 2019 15:02:26 +0000
  MyPayrollHR, a now defunct cloud-based payroll processing firm based in upstate New York, abruptly ceased operations this past week after stiffing employees at thousands of companies. The ongoing debacle, which allegedly involves malfeasance on the part of the payroll company's CEO, resulted in countless people having money drained from their bank accounts and has left nearly $35 million worth of payroll and tax payments in legal limbo.
• Patch Tuesday, September 2019 Edition Tue, 10 Sep 2019 20:09:11 +0000
  Microsoft today issued security updates to plug some 80 security holes in various flavors of its Windows operating systems and related software. The software giant assigned a "critical" rating to almost a quarter of those vulnerabilities, meaning they could be used by malware or miscreants to hijack vulnerable systems with little or no interaction on the part of the user.
• Secret Service Investigates Breach at U.S. Govt IT Contractor Mon, 09 Sep 2019 16:47:56 +0000
  The U.S. Secret Service is investigating a breach at a Virginia-based government technology contractor that saw access to several of its systems put up for sale in the cybercrime underground, KrebsOnSecurity has learned. The contractor claims the access being auctioned off was to old test systems that do not have direct connections to its government partner networks.In mid-August, a member of a popular Russian-language cybercrime forum offered to sell access to the internal network of a U.S. government IT contractor that does business with more than 20 federal agencies, including several branches of the military. The seller bragged that he had access to email correspondence and credentials needed to view databases of the client agencies, and set the opening price at six bitcoins (~USD $60,000).