KRACKing WPA2

A new vulnerability in the WPA2 protocol was discovered by Mathy Vanhoef (researcher at KU Leuven) and published yesterday. The vulnerability - dubbed  "KRACK" - enables an attacker to intercept WPA2 encrypted network traffic between a client device (e.g. mobile or laptop) and a router. Depending on the network configuration it is even possible for an attacker to alter or … Continue reading KRACKing WPA2

YARA DDE rules: DDE Command Execution observed in-the-wild

The MS Office DDE YARA rules that we published yesterday detected several malicious documents samples since 10/10/2017. Remark: the malicious samples we mention were detected with our DDEAUTO rule (Office_DDEAUTO_field); as we feared, the second rule (Office_DDE_field) is generating some false positives and we will update it. The first sample uses PowerShell to download an executable and run … Continue reading YARA DDE rules: DDE Command Execution observed in-the-wild

Detecting DDE in MS Office documents

Dynamic Data Exchange is an old Microsoft technology that can be (ab)used to execute code from within MS Office documents. Etienne Stalmans and Saif El-Sherei from Sensepost published a blog post in which they describe how to weaponize MS Office documents. We wrote 2 YARA rules to detect this in Office Open XML files (like .docx): … Continue reading Detecting DDE in MS Office documents

Active exploitation of Struts vulnerability S2-052 CVE-2017-9805

Yesterday night (06 September 2017 UTC) we observed active exploitation of Struts vulnerability S2-052 CVE-2017-9805 (announced a day earlier). Here is the request we observed: The POST request to /struts2-rest-showcase/orders/3 allowed us initially to detect this attempt. The packet capture shows that this is a full exploit attempt for reconnaissance purposes: the payload is a … Continue reading Active exploitation of Struts vulnerability S2-052 CVE-2017-9805

Decoding malware via simple statistical analysis

Intro Analyzing malware often requires code reverse engineering which can scare people away from malware analysis. Executables are often encoded to avoid detection. For example, many malicious Word documents have an embedded executable payload that is base64 encoded (or some other encoding). To understand the encoding, and be able to decode the payload for further … Continue reading Decoding malware via simple statistical analysis

Don’t be lazy with P4ssw0rd$

Three challenges to making passwords user-friendly Following the interview of Bill Burr, author of NIST’s 2003 paper on Electronic Authentication, in which he announced that he regrets much of what he wrote, we stop and think. Why was the standard putting users at risk? Paraphrasing History: “Tout pour le peuple; rien par le peuple”. Perfectly … Continue reading Don’t be lazy with P4ssw0rd$

Who is watching your home surveillance systems?

This morning, I heard on the radio that dozens of Belgian families were being watched through their own home surveillance system in Belgium. Nothing new here, as we already know for years that sites exist through which you can watch camera footage of unknowing victims, and this problem is not just limited to Belgium of … Continue reading Who is watching your home surveillance systems?

Recovering custom hashes for the Petya/Notpetya malware

During our malware analysis, we often come across samples that contain (custom) hashes in stead of cleartext. Hashing is done in an effort to bypass detection and hinder malware analysts. There are tools to recover cleartext from known hashing methods (like John the Ripper and hashcat). But for custom hashing methods, you'll have to write … Continue reading Recovering custom hashes for the Petya/Notpetya malware