Submitted URL: http://isc.sans.edu/
Effective URL: https://isc.sans.edu/
Submission: On April 22 via api from US — Scanned from DE

INTERNET STORM CENTER

Handler on Duty: Jan Kopriva
Threat Level: green
Last Daily Podcast (Mon, Apr 22nd): CVE Changes; CrushFTP 0-Day; GitHub Comment Bug; YubiKey Manager Bug; PAN GlobalProtect Update
A recording of our xz-utils Webcast can be found here:
https://www.youtube.com/watch?v=HTNKS3tw3xk.


DIARIES
Published: 2024-04-17 by Rob VandenBrink


THE CVE'S THEY ARE A-CHANGING!

The downloadable format of CVEs from MITRE will be changing in June 2024, so if
you are using CVE downloads to populate your scanner or SIEM, or to feed a SOC
process, now would be a good time to look at that.  If you are a vendor and use
these downloads to populate your own feeds or product database, and you're not
using the new format already, you might be behind the eight ball!

The old format (CVE JSON 4.0) is being replaced by CVE JSON 5.0; full details
can be found here:
https://www.cve.org/Media/News/item/blog/2023/03/29/CVE-Downloads-in-JSON-5-Format

You can play with the actual files here: https://github.com/CVEProject/cvelistV5
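As an added example (not code from the diary or from the CVE Program), here is a small Python loader that accepts a record in either format and maps both onto one internal shape, which is what a scanner or SIEM feed needs while the downloads switch over. The two sample records are constructed to mirror the documented shape of each format; the vendor, product, version, description and assigner values are placeholders, not the real content of the CVE ID used.

```python
"""Load MITRE CVE records in both the legacy JSON 4.0 and the JSON 5.0 format.

Added example; not code from the ISC diary or the CVE Program. The two
records are constructed to mirror the documented shape of each format; the
vendor, product, version, description and assigner values are placeholders,
not the real content of the CVE ID used.
"""
import json

# Legacy "CVE JSON 4.0" record, as in the old MITRE downloads.
SAMPLE_V4 = json.loads(r"""
{
  "data_type": "CVE", "data_format": "MITRE", "data_version": "4.0",
  "CVE_data_meta": {"ID": "CVE-2024-3400", "ASSIGNER": "cna@example.invalid", "STATE": "PUBLIC"},
  "description": {"description_data": [{"lang": "eng", "value": "Placeholder description."}]},
  "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-77"}]}]},
  "references": {"reference_data": [{"url": "https://example.invalid/advisory", "name": "advisory", "refsource": "MISC"}]},
  "affects": {"vendor": {"vendor_data": [{"vendor_name": "ExampleVendor",
    "product": {"product_data": [{"product_name": "ExampleProduct",
      "version": {"version_data": [{"version_value": "10.2.9", "version_affected": "<"}]}}]}}]}}
}
""")

# The same information as a "CVE JSON 5.0" record, as in cvelistV5.
SAMPLE_V5 = json.loads(r"""
{
  "dataType": "CVE_RECORD", "dataVersion": "5.0",
  "cveMetadata": {"cveId": "CVE-2024-3400", "assignerOrgId": "00000000-0000-0000-0000-000000000000", "state": "PUBLISHED"},
  "containers": {"cna": {
    "affected": [{"vendor": "ExampleVendor", "product": "ExampleProduct",
      "versions": [{"version": "10.2.0", "lessThan": "10.2.9", "status": "affected", "versionType": "custom"}]}],
    "descriptions": [{"lang": "en", "value": "Placeholder description."}],
    "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Command Injection"}]}],
    "references": [{"url": "https://example.invalid/advisory", "tags": ["vendor-advisory"]}]
  }}
}
""")

# 4.0 STATE values map onto the 5.0 state names.
_V4_STATE = {"PUBLIC": "PUBLISHED", "REJECT": "REJECTED"}


def _from_v4(rec: dict) -> dict:
    meta = rec["CVE_data_meta"]
    desc = next((d["value"] for d in rec.get("description", {}).get("description_data", [])
                 if d.get("lang") == "eng"), "")
    cwes = [d["value"] for pt in rec.get("problemtype", {}).get("problemtype_data", [])
            for d in pt.get("description", []) if d["value"].startswith("CWE-")]
    affected = []
    for vendor in rec.get("affects", {}).get("vendor", {}).get("vendor_data", []):
        for product in vendor.get("product", {}).get("product_data", []):
            for ver in product.get("version", {}).get("version_data", []):
                # 4.0 carries the comparison operator next to each version string.
                affected.append((vendor["vendor_name"], product["product_name"],
                                 ver.get("version_affected", "="), ver["version_value"]))
    refs = [r["url"] for r in rec.get("references", {}).get("reference_data", [])]
    state = meta.get("STATE")
    return {"id": meta["ID"], "state": _V4_STATE.get(state, state), "description": desc,
            "cwes": cwes, "affected": affected, "references": refs}


def _from_v5(rec: dict) -> dict:
    meta, cna = rec["cveMetadata"], rec["containers"]["cna"]
    desc = next((d["value"] for d in cna.get("descriptions", [])
                 if d.get("lang", "").startswith("en")), "")
    cwes = [d["cweId"] for pt in cna.get("problemTypes", [])
            for d in pt.get("descriptions", []) if d.get("cweId")]
    affected = []
    for a in cna.get("affected", []):
        for ver in a.get("versions", []):
            if ver.get("status") != "affected":
                continue
            # 5.0 expresses a range as a start version plus lessThan/lessThanOrEqual.
            if "lessThan" in ver:
                op, value = "<", ver["lessThan"]
            elif "lessThanOrEqual" in ver:
                op, value = "<=", ver["lessThanOrEqual"]
            else:
                op, value = "=", ver["version"]
            affected.append((a.get("vendor", ""), a.get("product", ""), op, value))
    refs = [r["url"] for r in cna.get("references", [])]
    return {"id": meta["cveId"], "state": meta.get("state"), "description": desc,
            "cwes": cwes, "affected": affected, "references": refs}


def normalize(rec: dict) -> dict:
    """Dispatch on the format markers so one loader accepts either format."""
    if rec.get("dataType") == "CVE_RECORD" and str(rec.get("dataVersion", "")).startswith("5."):
        return _from_v5(rec)
    if rec.get("data_type") == "CVE" and rec.get("data_version") == "4.0":
        return _from_v4(rec)
    raise ValueError("unrecognised CVE record format")
```

Two things to keep in mind when adapting this: records in cvelistV5 can carry a dataVersion later than 5.0 (the dispatch accepts any 5.x), and a rejected record still has a containers.cna block, so normalize() returns its ID and state with empty affected and reference lists rather than failing.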

(PS: the earworm is free!)

===============
Rob VandenBrink
rob@coherentsecurity.com

Published: 2024-04-17 by Rob VandenBrink


A VULN IS A VULN, UNLESS THE CVE FOR IT IS AFTER FEB 12, 2024

The NVD (National Vulnerability Database) announcement page
(https://nvd.nist.gov/general/news/nvd-program-transition-announcement)
indicates a growing backlog of vulnerabilities that is causing delays in their
process.

CVEs are issued by CNAs (CVE Numbering Authorities), and the "one version of
the truth" for CVEs is the MITRE-run CVE List (the V5 list is here:
https://github.com/CVEProject/cvelistV5).  There are over 300 (and growing)
CNAs that have blocks of numbers and can issue CVEs on their own recognizance,
along with MITRE, which is the "root CNA".  The CVE process seems to be alive
and well (thanks for that, MITRE!)

In the past NVD typically researched each CVE as it came in, and the CVE would
become a posted vulnerability, enriched with additional fields and information
(i.e., metadata), within hours(ish).  This additional metadata makes for a MUCH
more useful reference: the vuln now contains the original CVE, vendor links,
possibly mitigations and workarounds, links to other references (CWEs for
instance), sometimes PoCs.  The vulnerability entry also contains the CPE
information, which makes for a great index if you use this data in a scanner,
IPS or SIEM (or anything else for that matter).  For instance, compare the
recent Palo Alto issue's CVE and NVD entries:

 * https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3400
 * https://nvd.nist.gov/vuln/detail/CVE-2024-3400

This enrichment process has slowed significantly starting on Feb 12; depending
on the CVE, it may be effectively stopped entirely.  This means that if your
scanner, SIEM or SOC process needs that additional metadata, a good chunk of
the last 2 months' worth of vulnerabilities essentially have not yet happened
as far as the metadata goes.  You can see how this is a problem for lots of
vendors that produce scanners, firewalls, Intrusion Prevention Systems and
SIEMs, along with all of their customers (which is essentially all of us).
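As an added example (not code from the diary or from NVD), the Python below checks whether an NVD entry has actually been enriched, working from the shape of an NVD CVE API 2.0 response. The two responses are constructed to show the same CVE ID as it would appear before and after NVD analysis; the assigner, CPE and UUID values are placeholders, not the real CVE-2024-3400 data. The fetch() helper needs network access (and optionally an API key) and is not exercised by the samples.

```python
"""Flag NVD entries whose enrichment (CPE, NVD-assigned CVSS and CWE) is missing.

Added example; not code from the ISC diary or from NVD. Reads responses in
the shape of the NVD CVE API 2.0. The sample responses are constructed; the
assigner, CPE and UUID values are placeholders.
"""
import json
import urllib.request

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"

# vulnStatus values NVD uses while its own analysis is still outstanding.
PENDING = {"Received", "Awaiting Analysis", "Undergoing Analysis"}

# Constructed: the entry as it sits in the backlog. Only the CNA's own score is
# present, and it is type "Secondary"; there are no CPE configurations.
PENDING_RESPONSE = {"format": "NVD_CVE", "version": "2.0", "totalResults": 1, "vulnerabilities": [{"cve": {
    "id": "CVE-2024-3400", "sourceIdentifier": "cna@example.invalid", "vulnStatus": "Awaiting Analysis",
    "descriptions": [{"lang": "en", "value": "Placeholder description."}],
    "metrics": {"cvssMetricV31": [{"source": "cna@example.invalid", "type": "Secondary",
                                   "cvssData": {"version": "3.1", "baseScore": 10.0}}]},
    "weaknesses": [{"source": "cna@example.invalid", "type": "Secondary",
                    "description": [{"lang": "en", "value": "CWE-77"}]}],
    "references": [{"url": "https://example.invalid/advisory", "source": "cna@example.invalid"}],
}}]}

# Constructed: the same entry after NVD analysts finished with it.
ANALYZED_RESPONSE = {"format": "NVD_CVE", "version": "2.0", "totalResults": 1, "vulnerabilities": [{"cve": {
    "id": "CVE-2024-3400", "sourceIdentifier": "cna@example.invalid", "vulnStatus": "Analyzed",
    "descriptions": [{"lang": "en", "value": "Placeholder description."}],
    "metrics": {"cvssMetricV31": [
        {"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "baseScore": 10.0}},
        {"source": "cna@example.invalid", "type": "Secondary", "cvssData": {"version": "3.1", "baseScore": 10.0}}]},
    "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                    "description": [{"lang": "en", "value": "CWE-77"}]}],
    "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:a:examplevendor:exampleproduct:*:*:*:*:*:*:*:*",
         "versionEndExcluding": "10.2.9", "matchCriteriaId": "00000000-0000-0000-0000-000000000000"}]}]}],
    "references": [{"url": "https://example.invalid/advisory", "source": "cna@example.invalid"}],
}}]}


def enrichment_status(vuln: dict) -> dict:
    """Classify one element of the API's "vulnerabilities" list."""
    cve = vuln["cve"]
    # NVD's own CVSS is type "Primary" from nvd@nist.gov; a score copied from
    # the CNA's CVE record is "Secondary" and says nothing about NVD's backlog.
    nvd_scores = [m["cvssData"]["baseScore"]
                  for key, entries in cve.get("metrics", {}).items() if key.startswith("cvssMetric")
                  for m in entries if m.get("type") == "Primary" and m.get("source") == "nvd@nist.gov"]
    cpes = [match["criteria"]
            for conf in cve.get("configurations", [])
            for node in conf.get("nodes", [])
            for match in node.get("cpeMatch", []) if match.get("vulnerable")]
    cwes = [d["value"]
            for w in cve.get("weaknesses", []) if w.get("type") == "Primary"
            for d in w.get("description", []) if d["value"].startswith("CWE-")]
    status = cve.get("vulnStatus", "")
    return {"id": cve["id"], "vulnStatus": status, "nvd_scored": bool(nvd_scores),
            "has_cpe": bool(cpes), "cwes": cwes,
            # Usable for CPE matching only once NVD is done and configurations exist.
            "enriched": status not in PENDING and bool(cpes)}


def unenriched(response: dict) -> list:
    """CVE IDs in a response that a CPE-driven scanner or SIEM cannot match yet."""
    return [r["id"] for r in map(enrichment_status, response.get("vulnerabilities", []))
            if not r["enriched"]]


def fetch(cve_id: str, api_key: str = "") -> dict:
    """Live lookup (network). An apiKey header raises the rate limit."""
    req = urllib.request.Request(f"{NVD_API}?cveId={cve_id}")
    if api_key:
        req.add_header("apiKey", api_key)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

The point of checking the metric's type and source rather than just "is there a CVSS score": an entry can carry a score that came from the CNA's own CVE record (type Secondary in the API) while its configurations list, which is what a CPE-driven scanner matches on, is still empty. Treating the presence of any score as "enriched" would hide exactly the gap this diary is about.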

Feb 12 coincidentally is just ahead of the new FedRAMP requirements (Rev 5)
being released:
https://www.fedramp.gov/blog/2023-05-30-rev-5-baselines-have-been-approved-and-released/.
Does this match-up mean that NIST perhaps had some advance notice, and they
maybe have outsourcers that don't (yet) meet these FedRAMP requirements?  Or is
NIST itself not yet in compliance with those regulations?  The timing doesn't
match for devs running behind on the CVE format change; that's not until
June.  Lots of maybes, but nobody seems to know for sure what's going on here
and why.  If you have real information on this, please post in our comment
form!  Enquiring minds (really) need to know!

=============== Addition ===============

One of our readers notes that the Feb 12 date corresponds closely to Kernel.org
being added as a CNA
(https://www.cve.org/Media/News/item/news/2024/02/13/kernel-org-Added-as-CNA),
with (at the time) an anticipated flood-like rate of Linux CVEs expected
after that.  If that's the case, this may just be NVD saying "stand by while we
hire some new folks and get them plugged into our process", or it could also be
"stand by while we negotiate with this new CNA about what constitutes a CVE".

If this pause is related to that CNA onboarding, hopefully we won't be standing
by too much longer ...

===============
Rob VandenBrink
rob@coherentsecurity.com

Published: 2024-04-17 by Xavier Mertens


MALICIOUS PDF FILE USED AS DELIVERY MECHANISM

Billions of PDF files are exchanged daily, and many people trust them because
they think the file is "read-only" and contains just "a bunch of data". In the
past, badly crafted PDF files could trigger nasty vulnerabilities in PDF
viewers; all of them were affected at least once, especially Adobe Acrobat/Reader
and Foxit Reader. A PDF file can also be pretty "dynamic": it can embed
JavaScript, an auto-open action that triggers the execution of a script (for
example PowerShell on Windows), or any other type of embedded data.

Today it's slightly different: most PDF files are rendered and displayed
directly by the operating system or in the web browser, where most dynamic
PDF features do not work out of the box. Attackers had to find another way to
use these trusted documents. The PDF file format is complex and supports many
features. One of them is the annotation object ("/Annot"), which, with a
"/Link" subtype and a URI action, turns a "clickable" zone into a link to a URL.
Here is an example:

obj 19 0
 Type: /Annot
 Referencing: 
  <<
    /F 4
    /Subtype /Link
    /A
      <<
        /S /URI
        /Type /Action
        /URI (hxxps://firstviewautoservice[.]com//men/Prefer Quotation.zip)
      >>
    /Type /Annot
    /StructParent 100000
    /Border [0 0 0]
    /Rect [228.0958 225.9112 366.9041 265.6779]
  >>


A PDF file is made of "objects", and objects are linked together to render the
document. How to interpret this piece of code? A clickable zone ("/Rect") is
defined, an annotation ("/Type /Annot") of subtype link ("/Subtype /Link") is
created for it, and a URI action ("/S /URI") attaches the URL to the
rectangle. If the victim clicks on the rectangle, the application rendering
the PDF file will open the default browser and visit the provided URL. That's
what the user sees:



The defined rectangle (the clickable zone) sits on top of the "PREVIEW FILE"
button. Guess what will happen?

The link downloads a ZIP archive that contains an AgentTesla sample, which
talks to its C2 through Telegram:

{
    "c2": [
        "hxxps://api[.]telegram[.]org/bot6455833672:AAEFwznYRFbwog3UBqp13FPbH7YVb236SRI/"
    ],
    "rule": "AgentTeslaV5",
    "family": "agenttesla"
}

I wrote a quick and dirty YARA rule to detect such types of PDF documents:

rule PDF_with_annot {
    meta:
        description = "Detects the presence of a URL linked to a clickable object in a PDF"
        author = "Xavier Mertens"
    strings:
        $page = "/Type /Page\n"      // trailing newline so "/Type /Pages" is not counted
        $annot= "/Type /Annot"
        $link = "/Subtype /Link"
        $action = "/Type /Action"
        $uri = "/URI ("
        $rect = "/Rect ["
        $pdf  = "%PDF-"
    condition:
        // PDF header at offset 0, exactly one page, fewer than three link
        // annotations, and a URI action tied to a clickable rectangle
        $pdf at 0 and #page == 1 and #annot < 3 and #link < 3 and $action and $uri and $rect
}


Malicious documents with an annotation remain simple and usually contain just
one page with a limited number of annotations (fewer than 3). The sample that I
spotted has a low VT score (6/60) [1]
(SHA256: 87455c255848e08c1e95370d6744c196a9d6ba793353312d929e43a4e2c006ea).
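As an added example (not code from the diary), the Python below extracts the same /Annot, /Subtype /Link, /URI and /Rect structure the YARA rule keys on, but also reports where each link points and which object it lives in, which is the next thing an analyst wants. The embedded one-page PDF is constructed for this example and its URL is a placeholder host, not the diary's sample.

```python
"""Pull link-annotation targets out of a PDF's uncompressed objects.

Added example; not code from the ISC diary. Regex-based on purpose: it sees
only objects that are stored in the clear, exactly like the YARA rule.
The embedded PDF is constructed and its URL is a placeholder.
"""
import re

# Constructed one-page PDF with a single /Link annotation. No xref table is
# included; viewers rebuild it and this script never needs it.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page
/Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Border [0 0 0]
/Rect [228.0958 225.9112 366.9041 265.6779]
/A << /S /URI /Type /Action /URI (https://example.invalid/Prefer Quotation.zip) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# PDF allows any amount of whitespace (including none) between a name and the
# next token, so "/Type/Annot" is valid and slips past a fixed "/Type /Annot".
LINK_RE = re.compile(rb"/Subtype\s*/Link\b")
ACTION_REF_RE = re.compile(rb"/A\s+(\d+)\s+\d+\s+R\b")   # /A as an indirect reference
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b")
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)   # literal string, unescaped ')' ends it
RECT_RE = re.compile(rb"/Rect\s*\[([^\]]*)\]")
PAGE_RE = re.compile(rb"/Type\s*/Page\b")                # \b excludes /Pages


def _unescape(raw: bytes) -> str:
    """Undo the PDF literal-string escapes that show up in URLs."""
    return (raw.replace(rb"\(", b"(").replace(rb"\)", b")")
               .replace(rb"\\", b"\\").decode("latin-1"))


def extract_link_annots(data: bytes) -> list:
    """One record per /Link annotation whose action is a URI."""
    objects = {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(data)}
    found = []
    for num, body in objects.items():
        if not LINK_RE.search(body):
            continue
        # The action is either inline (/A << ... >>) or a reference (/A 5 0 R)
        # to a separate object; resolve the reference in the latter case.
        ref = ACTION_REF_RE.search(body)
        action = objects.get(int(ref.group(1)), b"") if ref else body
        if not URI_ACTION_RE.search(action):
            continue   # e.g. a /GoTo link inside the document is not a download lure
        uri = URI_RE.search(action)
        if uri is None:
            continue
        rect = RECT_RE.search(body)
        found.append({
            "obj": num,
            "uri": _unescape(uri.group(1)),
            "rect": [float(x) for x in rect.group(1).split()] if rect else None,
        })
    return found


def looks_like_lure(data: bytes) -> bool:
    """The diary's heuristic: PDF header, exactly one page, one or two URI links."""
    if not data.startswith(b"%PDF-"):
        return False
    pages = len(PAGE_RE.findall(data))
    links = extract_link_annots(data)
    return pages == 1 and 1 <= len(links) < 3
```

Caveat that applies to the YARA rule as well: both only see objects stored in the clear. If the annotation sits inside a compressed object stream (/ObjStm with /FlateDecode), none of these strings are visible in the raw file. Decompress first, for example with qpdf --qdf --object-streams=disable, or walk the objects with pdf-parser.py, and then run the rule or this extractor over the result.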

Conclusion: a PDF file with a bit of social engineering remains a nice way to
deliver malicious content to a user.

[1] https://www.virustotal.com/gui/file/87455c255848e08c1e95370d6744c196a9d6ba793353312d929e43a4e2c006ea

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key



PODCASTS

A daily summary of cyber security news from the SANS Internet Stormcenter:

 * ISC STORMCAST FOR MONDAY, APRIL 22ND, 2024 (released 2024-04-22 02:00:02)
 * ISC STORMCAST FOR FRIDAY, APRIL 19TH, 2024 (released 2024-04-19 02:00:01)
 * ISC STORMCAST FOR THURSDAY, APRIL 18TH, 2024 (released 2024-04-18 02:00:02)
 * ISC STORMCAST FOR WEDNESDAY, APRIL 17TH, 2024 (released 2024-04-17 02:00:02)
 * ISC STORMCAST FOR TUESDAY, APRIL 16TH, 2024 (released 2024-04-16 02:00:01)
 * ISC STORMCAST FOR SUNDAY, APRIL 14TH, 2024 (released 2024-04-13 19:58:48)
 * ISC STORMCAST FOR FRIDAY, APRIL 12TH, 2024 (released 2024-04-12 02:00:02)



JOBS

 * MetLife • Cary, NC: Infrastructure Vulnerability Assessment Consultant (GISF, GSEC, GCED, GPEN, GXPN, GCIH, GPYC, GCLD, GCPN, or other GIAC)
 * Capital One • McLean, VA: Active Defense Analyst, Cyber Defense (GSEC, GCIH)
 * City of New York / NYC Cyber Command • Brooklyn, NY: SOC Threat Analyst (GSOC, GCIH, GCIA, GCFA, GNFA)
 * CACI • Washington, DC: Cloud Architects and Engineers (GCIH, GPEN)
 * WIN Technology • Eau Claire, Wisconsin (USA): Information Security Engineer (GCIH, GPEN, GWAPT, GAWN, GDAT, GMON, GCED, GSIP, GCFA, GCCC, and other GIAC)
 * Microsoft Federal • Washington, DC: Security Cloud Solution Architect - CTJ (Junior/Mid-Level) (GPCS, GCLD, GCFE, GCFA)
 * Microsoft Federal • Reston, VA: Security Cloud Solution Architect - CTJ (Senior Level) (GCED, GCFA, GCIH, GICSP, or GCIP, GPEN, GRID, GWAPT)
 * Liberty Utilities • US or Canada (Remote): Analyst III, Security Operations (GSEC)
 * Raymond James • Canada: Lead Cyber Threat Intelligence (GPEN, GCFA, GDAT, GCTI)
 * ADP • Roseland NJ / Hybrid - remote possible: Lead Incident Response Security Analyst (GCIH, GCIA, GCFA, GSEC, GREM, GCFE)
 * The Hershey Company • Hershey, PA or Remote: Staff Security Engineer (GCSA, GPCS, GDSA, GSP, GPEN, GSE)
 * The Hershey Company • Hershey, PA or Remote: Senior Security Engineer (GSEC, GCIH, GCIA, GCDA, GMON)
 * Liberty Utilities • US or Canada (Remote): Architect, Cybersecurity (GSEC)
 * Liberty Utilities • US or Canada (Remote): Engineer, Cybersecurity Engineering (OT) (GSEC)
 * Liberty Utilities • US or Canada (Remote): Analyst II, Security Operations (GSEC)

© 2024 SANS™ Internet Storm Center