Security page 1 of 2 for 17 posts

SSL/TLS protocol settings may be specified in the primary Nginx configuration file (usually located at /etc/nginx/nginx.conf), or in your site configuration files. Look for a line beginning with ssl_protocols. For example, the following is from the default nginx.conf file from a fresh Nginx install on Ubuntu:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE

You can edit this line so that only current, secure versions of SSL/TLS are included:

ssl_protocols TLSv1.2 Continue Reading...

Enumerate SSL Ciphers Using nmap

A quick method to scan your network and enumerate the SSL ciphers in use on systems is with nmap:

nmap --script ssl-enum-ciphers -p 443 192.168.0.1/24

This will scan the entire 192.168.0.0 subnet for open port 443 and, where it is found, enumerate the SSL ciphers enabled. You can also use openssl, if the command is installed, on Windows or Linux:

openssl s_client -connect 192.168.0.1:443 -tls1_2
openssl s_client -connect 192.168.0.1:443 -tls1_1

If a response is available for the ciphers specified, Continue Reading...

Ransomware: id-3509099450_[mk.goro@aol.com].0oxr4

A new variant of Dharma seems to have hit a server; here are some of the details I've been gathering. Continue Reading...

CPU-miner Installed via Windows OS Vulnerability

I have triaged a handful of Windows servers this week that started out being ticketed as high CPU / performance issues.
Upon investigation, I have found XMR cryptocurrency miners being installed through a Windows OS Vulnerability. Continue Reading...

Fail2ban + fail2sql + Ban Hammer + PHP7

I recently revisited a project I found some time ago and modified its code to support PHP7, which dropped the mysql extension in favor of mysqli. Continue Reading...

CrySiS Reborn, Not Decryptable: [stopper@india.com].wallet

Break-fix call on a CrySiS ransomware infection. It's actually not CrySiS, but a fork of it, which is not decryptable at this time. CrySiS shut down its operation a month or so ago and dumped the master encryption key so victims could decrypt their files. Not so much with this variant.
After infection, it drops a JPEG file in the user's folder: C:\Users\Victim\INFORMATION HOoW TO DECRYYPT FILES.jpg.
It encrypts files and renames them with the extension .[stopper@india.com].wallet

It drops a file on the desktop Continue Reading...

Part 1: Analysis of a WordPress Malware

I had some time at lunch to kill, so I decided to see how malware techniques were improving in the land of WordPress and free premium theme download sites. Enter the Darknet. A simple Google search got me a theme ZIP file pretty quickly. Now, it was time to see what malicious happenings this thing would cause. Unpacked, here's the structure of the ZIP file.

.
├── functions.php
├── home.php
├── images
│   ├── arrow.png
│   ├── bg-pattern.png
│   Continue Reading...

CryptoLocker Database Search

I found the database dump of the CryptoLocker release from May 30, 2015 by the ransomware's author. I decided to put it into a database and make a lame front-end for it, so it can be queried by either the Bitcoin address or the public RSA key from the infected computer.
Hope it helps someone out there.
https://techish.net/locker/

Hi,
I am the author of the Locker ransomware and I'm very sorry about what has happened. It was never my
intention to release this.
I uploaded the database to mega.co.nz Continue Reading...

GPO to block regsvr32 AppLocker Bypass Vulnerability

A recently discovered method of bypassing AppLocker by using regsvr32.exe poses a threat to users on Windows 7, 8/8.1, and 10 (Professional or Enterprise editions). To work around this issue and prevent regsvr32 from accessing remote resources, you can block regsvr32.exe in the Windows Firewall. Taking it a step further, I have added a new GPO to block this domain-wide within my company. Here are some of my notes.
Create a GPO and Edit
In Group Policy Management, I created a new GPO and named Continue Reading...

Crypto Ransomware CTB-Locker (Critroni.A)

Move over CryptoLocker, there's a newer and meaner kid on the block.
CTB-Locker, or Curve-Tor-Bitcoin Locker, makes use of the Tor network (Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security) to maintain anonymity, making tracing the culprits more difficult, and detected infections have been on the rise since June of this Continue Reading...