# SANS ISC

• Spotting the Red Team on VirusTotal!, (Sat, Mar 6th) Sat, 06 Mar 2021 07:12:32 GMT
  Many security researchers&#;x26;#;xc2;&#;x26;#;xa0;like to use the&#;x26;#;xc2;&#;x26;#;xa0;VirusTotal platform. The provided services are amazing: You can immediately have a clear overview of the dangerousness level of a file but...&#;x26;#;xc2;&#;x26;#;xa0;VirusTotal remains a cloud service.&#;x26;#;xc2;&#;x26;#;xa0;It means that, once you uploaded a file to scan it, you have to consider it as "lost" and available to a lot of (good or bad) people&#;x26;#;x21; In the SANS FOR610 training ("Reverse Engineering&#;x26;#;xc2;&#;x26;#;xa0;Malware"), we insist on the fact that you should avoid uploading a file to VT&#;x26;#;x21; &#;x26;#;xc2;&#;x26;#;xa0;The best practice is to compute the file hash then&#;x26;#;xc2;&#;x26;#;xa0;search for it to see if someone else already uploaded the same sample. If you&#;x26;#;39;re the first to upload a file, its creator can be notified about the upload and learn that he has been detected. Don&#;x26;#;39;t be fooled: attackers have also access to VirusTotal and monitor activity around their malware&#;x26;#;x21; Note that I mention VirusTotal because it is very popular but is not the only service providing repositories of malicious files, they are plenty of alternative services to scan and store malicious files.
• ISC Stormcast For Friday, March 5th, 2021 https://isc.sans.edu/podcastdetail.html?id=7400, (Fri, Mar 5th) Fri, 05 Mar 2021 12:05:03 GMT
• Spam Farm Spotted in the Wild, (Fri, Mar 5th) Fri, 05 Mar 2021 06:16:23 GMT
  If there is a place where you can always find juicy information, it&#;x26;#;39;s your spam folder! Yes, I like spam and I don&#;x26;#;39;t delete my spam before having a look at it for hunting purposes. Besides emails flagged as spam, NDR or "Non-Delivery Receipt" messages also deserve some attention. One of our readers (thanks to him!) reported yesterday how he found a "spam farm" based on bounced emails. By default, SMTP is a completely open protocol. Everybody can send an email pretending to be Elon Musk or Joe Biden! That&#;x26;#;39;s why security control like SPF[1] or DKIM[2] can be implemented to prevent spoofed emails to be sent from anywhere. If not these controls are not implemented, you may be the victim of spam campaigns that abuse your domain name or identity. The "good" point (if we can say this) is that all NDR messages will bounce to the official mail server that you manage. That&#;x26;#;39;s what happened with our reader, he saw many bounced messages for unknown email addresses. Here is an example:
• From VBS, PowerShell, C Sharp, Process Hollowing to RAT, (Thu, Mar 4th) Thu, 04 Mar 2021 07:21:33 GMT
  VBS files are interesting to deliver malicious content to a victim&#;x26;#;39;s computer because they look like simple text files. I found an interesting sample that behaves like a dropper. But it looks also like Russian dolls seeing all the techniques used to drop a RAT at the end. The file hash is 8697dc74d7c07583f24488926fc6e117975f8a9f014972073d19a5e62d248ead and has a VT score of 12/59[1]. It was delivered by email under the name "Procurement - Attached RFQ 202102.vbs". If you filter attachments based on the MIME type, this file won&#;x26;#;39;t be detected as suspicious:
• ISC Stormcast For Thursday, March 4th, 2021 https://isc.sans.edu/podcastdetail.html?id=7398, (Thu, Mar 4th) Thu, 04 Mar 2021 02:25:03 GMT
• ISC Stormcast For Wednesday, March 3rd, 2021 https://isc.sans.edu/podcastdetail.html?id=7396, (Wed, Mar 3rd) Wed, 03 Mar 2021 02:05:03 GMT
• Qakbot infection with Cobalt Strike, (Wed, Mar 3rd) Wed, 03 Mar 2021 00:01:13 GMT
  Introduction
• Patch Now: HAFNIUM targeting Exchange Servers with 0day exploits https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/, (Tue, Mar 2nd) Tue, 02 Mar 2021 23:49:43 GMT
• 
Security Detection & Response Alert Output Usability Survey: https://www.surveymonkey.com/r/TAOvsVAO, (Tue, Mar 2nd) Tue, 02 Mar 2021 08:08:08 GMT
• Adversary Simulation with Sim, (Tue, Mar 2nd) Tue, 02 Mar 2021 08:06:19 GMT
  One of the best ways to test your detection portfolio is to emulate user actions on monitored systems.

# Reddit netsec

# Krebs On Security

• At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software Fri, 05 Mar 2021 21:07:07 +0000
  At least 30,000 organizations across the United States -- including a significant number of small businesses, towns, cities and local governments -- have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that's focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.
• Three Top Russian Cybercrime Forums Hacked Thu, 04 Mar 2021 15:01:59 +0000
  Over the past few weeks, three of the longest running and most venerated Russian-language online forums serving thousands of experienced cybercriminals have been hacked. In two of the intrusions, the attackers made off with the forums' user databases, including email and Internet addresses and hashed passwords.
• Microsoft: Chinese Cyberspies Used 4 Exchange Server Flaws to Plunder Emails Tue, 02 Mar 2021 21:19:17 +0000
  Microsoft Corp. today released software updates to plug four critical security holes that attackers have been using to plunder email communications at companies that use its Exchange Server products. The company says all four flaws are being actively exploited as part of a complex attack chain deployed by a previously unidentified Chinese cyber espionage group.