# SANS ISC

• ISC Stormcast For Friday, July 10th 2020 https://isc.sans.edu/podcastdetail.html?id=7074, (Fri, Jul 10th) Fri, 10 Jul 2020 02:00:03 GMT
• Excel spreasheet macro kicks off Formbook infection, (Fri, Jul 10th) Fri, 10 Jul 2020 00:03:22 GMT
  Introduction
• Active Exploit Attempts Targeting Recent Citrix ADC Vulnerabilities CTX276688 , (Thu, Jul 9th) Thu, 09 Jul 2020 12:12:24 GMT
  I just can&#;x26;#;39;t get away from vulnerabilities in perimeter security devices. In the last couple of days, I spent a lot of time with our F5 BigIP honeypot. But looks like I have to revive the Citrix honeypot again. As of today, my F5 honeypot is getting hit by attempts to exploit two of the Citrix vulnerabilities disclosed this week [1]. Details with proof of concept code snippets were released yesterday [2].
• ISC Stormcast For Thursday, July 9th 2020 https://isc.sans.edu/podcastdetail.html?id=7072, (Thu, Jul 9th) Thu, 09 Jul 2020 02:00:03 GMT
• If You Want Something Done Right, You Have To Do It Yourself... Malware Too!, (Wed, Jul 8th) Wed, 08 Jul 2020 05:13:33 GMT
  I&#;x26;#;xe2;&#;x26;#;x80;&#;x26;#;x99;m teaching FOR610&#;x26;#;x5b;1&#;x26;#;x5d; this week and today&#;x26;#;xc2;&#;x26;#;xa0;is dedicated to malicious web and document files. That&#;x26;#;xe2;&#;x26;#;x80;&#;x26;#;x99;s a good opportunity to share with you a Windows Script that uses a nice obfuscation technique. The attacker&#;x26;#;39;s&#;x26;#;xc2;&#;x26;#;xa0;idea is to use a big array containing the second stage payload and interesting strings:
• ISC Stormcast For Wednesday, July 8th 2020 https://isc.sans.edu/podcastdetail.html?id=7070, (Wed, Jul 8th) Wed, 08 Jul 2020 02:00:03 GMT
• F5 BigIP vulnerability exploitation followed by a backdoor implant attempt, (Tue, Jul 7th) Tue, 07 Jul 2020 20:12:05 GMT
  While monitoring SANS Storm Center&#;x26;#;39;s honeypots today, I came across the second F5 BIGIP CVE-2020-5902 vulnerability exploitation followed by a backdoor deployment attempt. The first one was seen by Johannes yesterday [1].
• Happy Birthday DShield: DShield.org was registered 20 years ago., (Tue, Jul 7th) Tue, 07 Jul 2020 18:07:14 GMT
  And all DShield wants for its Birthday is your logs :). See here for details.
• Summary of CVE-2020-5902 F5 BIG-IP RCE Vulnerability Exploits, (Mon, Jul 6th) Tue, 07 Jul 2020 16:29:52 GMT
  Our honeypots have been busy collecting exploit attempts for CVE-2020-5902, the F5 Networks BigIP vulnerability patched last week. Most of the exploits can be considered recognizance. We only saw one working exploit installing a backdoor. Badpackets reported seeing a DDoS bot being installed.
• ISC Stormcast For Tuesday, July 7th 2020 https://isc.sans.edu/podcastdetail.html?id=7068, (Tue, Jul 7th) Tue, 07 Jul 2020 02:00:02 GMT

# Reddit netsec

# Krebs On Security

• E-Verify’s “SSN Lock” is Nothing of the Sort Sat, 04 Jul 2020 22:24:14 +0000
  One of the most-read advice columns on this site is a 2018 piece called "Plant Your Flag, Mark Your Territory," which tried to impress upon readers the importance of creating accounts at websites like those at the Social Security Administration, the IRS and others before crooks do it for you. A key concept here is that these services only allow one account per Social Security number -- which for better or worse is the de facto national identifier in the United States. But KrebsOnSecurity recently discovered that this is not the case with all federal government sites built to help you manage your identity online.A reader who was recently the victim of unemployment insurance fraud said he was told he should create an account at the Department of Homeland Security's myE-Verify website, and place a lock on his Social Security number (SSN) to minimize the chances that ID thieves might abuse his identity for employment fraud in the future.
• Ransomware Gangs Don’t Need PR Help Thu, 02 Jul 2020 01:10:45 +0000
  We've seen an ugly trend recently of tech news stories and cybersecurity firms trumpeting claims of ransomware attacks on companies large and small, apparently based on little more than the say-so of the ransomware gangs themselves. Such coverage is potentially quite harmful and plays deftly into the hands of organized crime.Often the rationale behind couching these events as newsworthy is that the attacks involve publicly traded companies or recognizable brands, and that investors and the public have a right to know. But absent any additional information from the victim company or their partners who may be affected by the attack, these kinds of stories and blog posts look a great deal like ambulance chasing and sensationalism.
• COVID-19 ‘Breach Bubble’ Waiting to Pop? Tue, 30 Jun 2020 15:00:48 +0000
  The COVID-19 pandemic has made it harder for banks to trace the source of payment card data stolen from smaller, hacked online merchants. On the plus side, months of quarantine have massively decreased demand for account information that thieves buy and use to create physical counterfeit credit cards. But fraud experts say recent developments suggest both trends are about to change -- and likely for the worse.