A few Ghidra tips for IDA users, part 4 - function call graphs, (Fri, Jun 14th)Fri, 14 Jun 2019 20:17:47 GMT One of the features of IDA that we use in FOR610 that can be helpful for detecting malicious patterns of API calls is the feature for creating a graph of all function calls called from the current function and any functions that it calls. The graph itself isn&#;x26;#;39;t all that pretty to look at, but it allows us to see if all the APIs in a particular pattern (code injection, for example) are made in the proper order. We do this by choosing View > Graphs > &#;x26;#;39;Xrefs from&#;x26;#;39; in the menus. In IDA, it looks like the following.
Interesting JavaScript Obfuscation Example, (Mon, Jun 10th)Mon, 10 Jun 2019 07:45:19 GMT Last Friday, one of our reader (thanks Mickael!) reported to us a phishing campaign based on a simple HTML page. He asked us how to properly extract the malicious code within the page. I did an analysis of the file and it looked interesting for a diary because a nice obfuscation technique was used in a Javascript file but also because the attacker tried to prevent automatic analysis by adding some boring code. In fact, the HTML page contains a malicious Word document encoded in Base64. HTML is wonderful because you can embed data into a page and the browser will automatically decode it. This is often used to deliver small pictures like logos:
Tip: Sysmon Will Log DNS Queries, (Sun, Jun 9th)Sun, 09 Jun 2019 12:03:06 GMT I follow Mark Russinovich on Twitter to 1) know when he updates the Sysinternals tools and 2) when he&#;x26;#;39;s working on new books (fiction and non-fiction).
News Wrap: Amazon Privacy and Telegram DDoS AttackFri, 14 Jun 2019 17:57:19 +0000 Threatpost editors Tara Seals and Lindsey O'Donnell discuss a recent lawsuit against Amazon for its privacy policies, a Telegram DDoS attack and more.
Millions of Linux Servers Under Worm Attack Via Exim FlawFri, 14 Jun 2019 14:04:30 +0000 Attackers are exploiting a Linux Exim critical flaw to execute remote commands, download crypto miners and sniff out other vulnerable servers.
Hackers Favor Weekdays for Attacks, Share Resources OftenFri, 14 Jun 2019 12:02:35 +0000 Traffic analysis sheds light on weekday habits of attackers such as the most likely day for attacks and how malicious infrastructure is shared.
Max-Severity Bug in Infusion Pump Gateway Puts Lives at RiskThu, 13 Jun 2019 18:41:32 +0000 The critical bug in a connected medical device can allow an attacker to remotely manipulate hospital pumps, either to withhold meds or dispense too much.
Microsoft Patch Tuesday, June 2019 EditionWed, 12 Jun 2019 13:26:21 +0000 Microsoft on Tuesday released updates to fix 88 security vulnerabilities in its Windows operating systems and related software. The most dangerous of these include four flaws for which there is already exploit code available. There's also a scary bug affecting all versions of Microsoft Office that can be triggered by a malicious link or attachment. And of course Adobe has its customary monthly security update for Flash Player.
LabCorp: 7.7 Million Consumers Hit in Collections Firm BreachTue, 04 Jun 2019 21:45:59 +0000 Medical testing giant LabCorp. said today personal and financial data on some 7.7 million consumers were exposed by a breach at a third-party billing collections firm. That third party -- the American Medical Collection Agency (AMCA) -- also recently notified competing firm Quest Diagnostics that an intrusion in its payments Web site exposed personal, financial and medical data on nearly 12 million Quest patients.Just a few days ago, the news was all about how Quest had suffered a major breach. But today's disclosure by LabCorp. suggests we are nowhere near done hearing about other companies with millions of consumers victimized because of this incident: The AMCA is a New York company with a storied history of aggressively collecting debt for a broad range of businesses, including medical labs and hospitals, direct marketers, telecom companies, and state and local traffic/toll agencies.
Report: No ‘Eternal Blue’ Exploit Found in Baltimore City RansomwareTue, 04 Jun 2019 00:16:11 +0000 For almost the past month, key computer systems serving the government of Baltimore, Md. have been held hostage by a ransomware strain known as "Robbinhood." Media publications have cited sources saying the Robbinhood version that hit Baltimore city computers was powered by "Eternal Blue," a hacking tool developed by the U.S. National Security Agency (NSA) and leaked online in 2017. But new analysis suggests that while Eternal Blue could have been used to spread the infection, the Robbinhood malware itself contains no traces of it.