UnderAttack - Slashdot User

Submission + - OpenAI ChatGPT Actions Abused to Scan for Web Vulnerabilities (sans.edu)

Submitted by UnderAttack on Thursday August 22, 2024 @01:52PM

UnderAttack writes: A blog post at the SANS Internet Storm Center suggests that OpenAI actions are being abused to scan for WordPress vulnerabilities. Honeypot sensors are the Storm Center detected scans for URLs targeting WordPress that originated exclusively from OpenAI systems. The URLs requested all include the pattern "%%target%%", which may indicate that the scan is meant to include additional path components but the expansion of the template failed.

The scans were not only identified by the unique user agent but also by the origin IP addresses matching addresses OpenAI published as being used for OpenAI actions. OpenAI actions allow OpenAI to connect to external APIs.

Comment malware analysis (Score 5, Informative) 32

by UnderAttack on Tuesday April 04, 2023 @07:45PM (#63426376) Attached to: IRS-Authorized eFile.com Tax Return Software Caught Serving JS Malware

analysis of the malware installed:

https://isc.sans.edu/diary/Ana...

also the original article showing the infection chain:

https://isc.sans.edu/diary/Sup...

Submission + - Why is My Cat Using Baidu? And Other IoT DNS Oddities (sans.edu)

Submitted by UnderAttack on Wednesday October 26, 2022 @12:35PM

UnderAttack writes: IoT devices are often stitched together from various odd libraries and features. The SANS Internet Storm Center has a story about a cat feeder that not only appears to reach out to Baidu.com every five minutes but also uses a vulnerabile DNS library that uses repeating query ids allowing for simple spoofing not seen since the early dark years of DNS

Submission + - No-Show for RPC Exploit: A Day of Attacks against an SMB/RPC Windows Honeypot

Submitted by UnderAttack on Thursday April 28, 2022 @03:44PM

UnderAttack writes: After Microsoft patched and went public with CVE-2022-26809, the recent RPC vulnerability, the SANS Internet Storm Center set up a complete Windows 10 system exposing port 445/TCP "to the world." The system is not patched for the RPC vulnerability. But so far, while it has seen thousands of attacks against SMB a day, nothing yet for the new RPC vulnerability. Looks like all the noise was just that: Noise. But still, attackers are heavily hitting other vulnerabilities like of course still ETERNALBLUE

Submission + - Bots Still Trying to Reach Cyberbunker 2.0 Addresses 9 Months After Raid. (sans.edu)

Submitted by UnderAttack on Tuesday June 23, 2020 @04:15PM

UnderAttack writes: In September last year, German police raided what was known as "Cyberbunker 2.0", a former cold war nuclear bunker turned into a "bulletproof" hosting facility. A student of the SANS Technology Institute analyzed traffic reaching out for the former Cyberbunker's IP address space. Over two weeks, thousands of bots called "home" still looking for a command and control server. They also observed a number of phishing sites, as well as an odd ad network still directing users to the Cyberbunker's IPs. You can find the summary here.

Submission + - DNS over HTTPS: Not as private as some think? (sans.edu)

Submitted by UnderAttack on Thursday December 19, 2019 @02:44PM

UnderAttack writes: DNS over HTTPS has been hailed as part of a "poor mans VPN". Its use of HTTPS to send DNS queries makes it much more difficult to detect and block the use of the protocol. But there are some kinks in the armor. Current clients, and most current DoH services, do not implement the optional passing option, which is necessary to obscure the length of the requested hostname. The length of the hostname can also be used to restrict which site a user may have accessed. The Internet Storm Center is offering some data to show how this can be done.

Submission + - Large "GoldBrute" RDP Botnet Looking for Exposed Servers with Weak Passwords. (sans.edu) 1

Submitted by UnderAttack on Thursday June 06, 2019 @04:05PM

UnderAttack writes: Renato Marinho at the SANS Internet Storm Center has published an article with details regarding an RDP brute forcing botnet dipped GoldBrute, that currently scans a list of 1.5 million exposed RDP servers. Infected systems will retrieve target lists from a command and control server and attempt to brute force credentials against the list, while at the same time looking for more exposed servers. With all the attention spent on patching RDP servers for the recent "BlueKeep" vulnerability, users should also make sure to just not expose RDP in the first place. Even patched, it will still be susceptible to brute forcing.

Submission + - Huawei Executive Arrest Inspires Advance Fee Scams (sans.edu)

Submitted by UnderAttack on Monday December 10, 2018 @03:06PM

UnderAttack writes: Scammers are attempting to trick Chinese victims into sending thousands of dollars in order to secure the release of Chinese Huawei executive Meng who was arrested in Canada last week. The messages claim to originate from Ms. Meng and suggest that she found a corrupt guard who will let her go for a few thousand dollars. Of course, there will be riches for anybody who is willing to help (and more).

Comment old story (Score 3, Informative) 61

by UnderAttack on Friday September 22, 2017 @10:34PM (#55248545) Attached to: Hackers Using iCloud's Find My iPhone Feature To Remotely Lock Macs, Demand Ransom Payments

This has been happening at least since 2016.

Submission + - A Year After Mirai: DVR Torture Chamber Test Shows 2 minutes between exploits (sans.edu)

Submitted by UnderAttack on Monday August 28, 2017 @12:37PM

UnderAttack writes: Over two days, the Internet Storm Center connected a default configured DVR to the Internet, and rebooted it every 5 minutes in order to allow as many bots as possible to infect it. They detected about one successful attack (using the correct password xc3511) every 2 minutes. Most of the attackers were well known vulnerable devices. A year later, what used to be known as the "mirai" botnet has branched out into many different variants. But it looks like much hyped "destructive" variants like Brickerbot had little or no impact.

Submission + - Microsoft Delays February Patch Tuesday Indefinitely (sans.edu) 1

Submitted by UnderAttack on Tuesday February 14, 2017 @02:29PM

UnderAttack writes: Microsoft today announced that it had to delay its February patch Tuesday due to issues with a particular patch. This was also supposed to be the first patch Tuesday using a new format, which led some to believe that even Microsoft had issues understanding how the new format is exactly going to work with no more simple bulletin summary and patches being released as large monolithic updates.

Comment SOAP Vulnerability added to Mirai (Score 2) 27

by UnderAttack on Monday November 28, 2016 @12:35PM (#53377733) Attached to: Deutsche Telekom Says 900,000 Fixed-Line Customers Suffer Outages

see https://isc.sans.edu/forums/di...

looks like a new SOAP vulnerability was added to Mirai. Here come a few million more mirai bots.

Submission + - The Dark Side Of Certificate Transparency (sans.edu)

Submitted by UnderAttack on Wednesday August 03, 2016 @07:40AM

UnderAttack writes: Certificate Transparency is a system promoted by companies like Google that requires certificate authorities to publish a log of all certificates issued. With certificate transparency, you can search these logs for any of the domains you own, to find unauthorized certificates. However, certificates are not only used for public sites. And with all certificates being published, some include host names that are not meant to be publicly known. An update of the standard is in the works to allow entities to obfuscate the host name, but until then, certificate transparency logs are a good recognizance source.

Submission + - Netatmo Weather Station Sends WPA Password To Manufacturer (sans.edu)

Submitted by UnderAttack on Thursday February 12, 2015 @02:26PM

UnderAttack writes: The SANS Internet Storm Center is writing that Netatmo weather stations will send the users WPA password in the clear back to Netatmo. Netatmo states that this is some forgotten debug code that was left in the device. Overall, the device doesn't bother with encryption, but sends all data, not just the password, in the clear.

Comment Practical certs like GIAC help and hold value (Score 3, Informative) 317

by UnderAttack on Monday December 08, 2014 @09:25PM (#48552131) Attached to: Ask Slashdot: Are Any Certifications Worth Going For?

If you are serious about infosec certifications, check out GIAC (http://www.giac.org) . The certs are very applied and test practical knowledge (e.g. they are open book... no need to test how well you can memorize stuff). CISSP is good to get you started in the field.

Slashdot Top Deals