#RagnarLocker deploying an old VirtualBox and a Windows XP image (totalling more than 400 MB), then mounting the drives to encrypt the files on the host from the VM. This is *really* dirty... and pretty smart when you think about AV evasion.
Are you collecting 4624 events from your endpoints? Look for unexpected type 10 (Remote Interactive, i.e. RDP or terminal services) logins. And look for unexplained 4720 (account created) too.
https://twitter.com/campuscodi/status/1263845168802914304
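A concrete way to act on the detection tip above, as an added example that is not part of the original tweets: a PowerShell hunt over the local Security log for 4624 logons with LogonType 10 (RemoteInteractive) from sources you do not expect, and for 4720 account-creation events. It assumes it runs elevated on a Windows host with Security auditing enabled; the `$KnownRdpSources` list is a constructed placeholder to replace with your own jump hosts.

```powershell
# Added example (not from the tweet): hunt for unexpected RDP logons (4624, LogonType 10)
# and local account creations (4720) in the Security log of a single host.
# Assumes an elevated session on a Windows host with Security auditing enabled.

$KnownRdpSources = @('10.0.0.5')        # constructed placeholder: sources you expect RDP from
$Since = (Get-Date).AddDays(-7)

# Turn an EventLogRecord into a hashtable keyed by the EventData field names.
function Get-EventFields($Record) {
    $x = [xml]$Record.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# XPath: EventID 4624 in the last 7 days (604800000 ms) whose LogonType field equals 10.
$rdpXPath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= 604800000]] " +
            "and EventData[Data[@Name='LogonType']='10']]"

$rdpLogons = Get-WinEvent -LogName Security -FilterXPath $rdpXPath -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventFields $_
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            SourceIP  = $d.IpAddress
            LogonType = $d.LogonType
        }
    }

# Only RDP logons from sources outside the allow-list are interesting.
$rdpLogons | Where-Object { $_.SourceIP -notin $KnownRdpSources } |
    Sort-Object Time | Format-Table -AutoSize

# 4720: a user account was created. Any hit outside a known change window deserves a look.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventFields $_
        [pscustomobject]@{
            Time      = $_.TimeCreated
            NewUser   = $d.TargetUserName
            CreatedBy = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

On a fleet, the same two filters belong in the SIEM that receives the forwarded 4624/4720 events; the XPath and field names are the same there as in the local query.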
.@SANSInstitute Whitepaper:
QUIC & The Dead: Which of the Most Common IDS/IPS Tools Can Best Identify QUIC Traffic?
https://www.sans.org/reading-room/whitepapers/detection/quic-dead-common-ids-ips-tools-identify-quic-traffic-39590 [PDF]
Added most of the @Secureworks threat actor names as synonyms to the @MISPProject galaxy today.
https://twitter.com/Secureworks/status/1263580691398197249
Thanks to Nils @0x3c7 and @Secureworks for the contribution. MISP threat-actor galaxy is updated, published on the website, available in core MISP and all tools using the MISP project galaxies.
https://twitter.com/0x3c7/status/1263889007374729221
"An exploitable authentication bypass vulnerability exists in the ESPON Web Control functionality of Epson EB-1470Ui MAIN: 98009273ESWWV107 MAIN2: 8X7325WWV303"
"A remote code execution vulnerability exists in Visual Studio Code when the Python extension loads workspace settings from a notebook file, aka 'Visual Studio Code Python Extension Remote Code Execution Vulnerability'."
#BIND users should patch their #DNS servers to fix #DoS vulnerability CVE-2020-8617
https://twitter.com/tobiklein/status/1263539568382525440
"Centreon before 19.04.15 allows remote attackers to execute arbitrary OS commands by placing shell metacharacters in RRDdatabase_status_path"
Presentations of the EU ATT&CK Workshop are now online
https://attack-community.org/event/. 1800 participants from 75 countries listening to inspiring, practical and useful content delivered by more than 35 speakers. #EUATTACKworkshop @MITREattack @MITREengenuity @circl_lu @CERTEU
Users of various file sharing services targeted in COVID-19 themed phishing campaign, PhishLabs reports
https://info.phishlabs.com/blog/covid-19-phishing-update-file-sharing-services-abused
"Potential remote access security vulnerabilities have been identified with HPE Nimble Storage systems that could be exploited by an attacker to access and modify sensitive information on the system."
Still a lot of phishing regarding various financial services including @VisaSecurity 3DSecure. If you see any suspicious ones, don't hesitate to report them. If you are interested, our @MISPProject sharing community contains a lot of indicators, join us too.
https://twitter.com/circl_lu/status/1262657085088641024
"ICS Advisory (ICSA-20-140-01) Rockwell Automation EDS Subsystem"
How easy is it to create an @MITREattack-like matrix in MISP? @Iglocska did it live during the #EUATTACKworkshop - don't hesitate to contribute new ones in MISP.
https://github.com/MISP/misp-galaxy/commit/43703f1a96f50d526d6d5ea2913d054baf47c8fa
https://twitter.com/Iglocska/status/1262762417945116673
After almost a year of development, we are proud to announce mquery 1.2 - a new version of our blazingly fast, self-hosted #Yara search engine. It's faster, more powerful and way prettier. If you hunt with #Yara a lot, you should definitely try it.
https://github.com/CERT-Polska/mquery/
Be careful, there is an ongoing SMS phishing campaign targeting banks in Luxembourg. Don't hesitate to report URLs via
https://www.circl.lu/urlabuse/
CIRCL is the #CERT (Computer Emergency Response Team) for the private sector, communes and non-governmental entities in #Luxembourg.