Threat Update – Ukraine & Russia war

Last updated on 2022-03-17, 8am CET

2022-02-25: added key historical operation: Cyclops Blink
2022-03-02: added note on spillover and recommendation
2022-03-03: added further information on attacks, updated recommendations
2022-03-07: added info on HermeticRansom decrypter and our mission statement
2022-03-15: added info on CaddyWiper and fake AV update phishing campaign used to drop Cobalt Strike
2022-03-17: added info on the removal …

Credential harvesting and automated validation: a case study

During our incident response engagements, we very frequently come across phishing lures set up to harvest as many credentials as possible, which will likely be sold afterwards or used in follow-up attacks against an organization (or both). While many of these credential harvesting attacks follow the same pattern, from time to time we stumble upon …

Who is watching your home surveillance systems?

This morning, I heard on the radio that dozens of Belgian families were being watched through their own home surveillance system in Belgium. Nothing new here, as we already know for years that sites exist through which you can watch camera footage of unknowing victims, and this problem is not just limited to Belgium of …

A word from our interns Aras, Gaetan and Wouter!

During the first half of 2017 we had the pleasure of working with three bright interns assisting us on various projects ranging from developing an interactive training platform to creating challenges for the Cyber Security Challenge to working on improving our own IT environment. We asked them to let us know what they thought of …

Critical Samba vulnerability CVE-2017-7494 – Impact on Belgium

The Samba Team disclosed vulnerability CVE-2017-7494: Remote code execution from a writable share. HD Moore reported that the vulnerability is simple to exploit: on an open, writable SMB share, a shared library has to be uploaded which can then be easily executed on that server. The Samba Team has released patches and new versions (the vulnerability …

Let’s get the team together…

It was the last week of April: our entire NVISO team had packed their bags and was ready to board a plane. Where to? A secret location, to celebrate the achievements of our fantastic team! Destination: unknown... From the very beginning, it became clear that the discovery of our destination was a fun team-building event by …

Tracking threat actors through .LNK files

In the blog post ".LNK downloader and bitsadmin.exe in malicious Office document" we were asked the following question by Harlan Carvey: "Did you parse the LNK file for things such as embedded MAC address, NetBIOS system name, any SID, and volume serial number?" We did not do that at the time; however, we see the value in …

.LNK downloader and bitsadmin.exe in malicious Office document

We received a malicious Office document (529581c1418fceda983336b002297a8e) that tricks the user into clicking on an embedded LNK file, which in turn uses the Microsoft Background Intelligent Transfer Service (BITS) to download a malicious binary from the internet. The following Word document (in Japanese) claims to be an invoice; the user must click the Word icon to generate …