This page contains all published blog posts.
- From ERMAC to Hook: Investigating the technical differences between two Android malware variants
- Approximately 2000 Citrix NetScalers backdoored in mass-exploitation campaign
- From Backup to Backdoor: Exploitation of CVE-2022-36537 in R1Soft Server Backup Manager
- Threat spotlight: Hydra
- CVE-2022-27510, CVE-2022-27518 – Measuring Citrix ADC & Gateway version adoption on the Internet
- One Year Since Log4Shell: Lessons Learned for the next ‘code red’
- I’m in your hypervisor, collecting your evidence
- Sharkbot is back in Google Play
- Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study
- Flubot: the evolution of a notorious Android Banking Malware
- Adventures in the land of BumbleBee
- SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store
- log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228
- Log4Shell: Reconnaissance and post exploitation network detection
- Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm
- Tracking a P2P network related to TA505
- TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access
- Reverse engineering and decrypting CyberArk vault credential files
- SnapMC skips ransomware, steals data
- RM3 – Curiosities of the wildest banking malware
- Abusing cloud services to fly under the radar
- TA505: A Brief History Of Their Time
- Decrypting OpenSSH sessions for fun and profit
- StreamDivert: Relaying (specific) network connections
- Machine learning from idea to reality: a PowerShell case study
- A Second Look at CVE-2019-19781 (Citrix NetScaler / ADC)
- WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
- In-depth analysis of the new Team9 malware family
- LDAPFragger: Command and Control over LDAP attributes
- Hunting for beacons
- Detecting random filenames using (un)supervised machine learning
- Office 365: prone to security breaches?
- Using Anomaly Detection to find malicious domains
- Syncing yourself to Global Administrator in Azure Active Directory
- Export corrupts Windows Event Log files
- Getting in the Zone: dumping Active Directory DNS using adidnsdump
- mkYARA – Writing YARA rules for the lazy analyst
- PsiXBot: The Evolution Of A Modular .NET Bot
- Identifying Cobalt Strike team servers in the wild
- Your trust, our signature
- Phishing – Ask and ye shall receive
- Bokbot: The (re)birth of a banker
- Introducing Team Foundation Server decryption tool
- Introducing Orchestrator decryption tool
- Escalating privileges with ACLs in Active Directory
- Compromising Citrix ShareFile on-premise via 7 chained vulnerabilities
- mitm6 – compromising IPv4 networks via IPv6
- Lessons learned from a Man-in-the-Middle attack
- Criminals in a festive mood
- Detection and recovery of NSA’s covered up tracks
- Further abusing the badPwdCount attribute
- Fox-IT debunks report on ByLock app that landed 75,000 people in jail in Turkey
- FAQ about PETYA/GOLDENEYE/PETR outbreak
- Liveblog: Huge Petya ransomware wave
- Massive outbreak of ransomware variant infects large amounts of computers around the world
- Relaying credentials everywhere with ntlmrelayx
- Snake: Coming soon in Mac OS X flavour
- A Mole exposing itself to sunlight
- Turkish hacktivists targeting the Netherlands: high noise, low impact
- Detecting Ticketbleed (CVE-2016-9244)
- Recent vulnerability in Eir D1000 Router used to spread updated version of Mirai DDoS bot
- Ziggo ransomware phishing campaign still increasing in size
- Mofang: A politically motivated information stealing adversary
- LinkedIn information used to spread banking malware in the Netherlands
- Ransomware deployments after brute force RDP attack
- Large malvertising campaign hits popular Dutch websites
- Website of security certification provider spreading ransomware
- Financial Crisis Exercise at RSA 2016
- RSA 2016: A Long Road Ahead for Security
- RSA 2016: security still has a long way to go
- Ponmocup – A giant hiding in the shadows
- The state of Ransomware in 2015
- How a research project at Fox-IT enhances your security career
- Finding the hidden attacker in your network
- Do you have a clue?
- How to become cyber resilient quickly and remain in full control
- Large malvertising campaign targeting the Netherlands
- Deep dive into QUANTUM INSERT
- Liveblog: Malvertising from Google advertisements via possibly compromised reseller
- CryptoPHP a week later: more than 23.000 sites affected
- CryptoPHP: Analysis of a hidden threat inside popular content management systems
- Cryptolocker variant Torrentlocker making new victims in NL
- Update on the Torrentlocker ransomware
- New Torrentlocker variant active in the Netherlands
- Live blog on SSLv3 protocol vulnerability ‘POODLE’
- Update on DecryptCryptoLocker
- Malvertising: Not all Java from java.com is legitimate
- CryptoLocker ransomware intelligence report
- OpenSSL ‘heartbleed’ bug live blog
- Building Bowser – A password cracking story
- Tilon/SpyEye2 intelligence report
- Malicious advertisements served via Yahoo
- Not quite the average exploit kit: Zuponcic
- Large botnet cause of recent Tor network overload
- DNS takeover redirects thousands of websites to malware
- Analysis of malicious advertisements on telegraaf.nl
- Analysis of the KINS malware
- Infected advertisements on nu.nl
- Security advisory: Unencrypted storage of confidential information in Keeper® Password & Data Vault v5.3 for iOS
- Seen in the wild: Updated Exploit Kits
- Writeup on nbc.com distributing Citadel malware
- Oracle getting serious about Java
- Demystifying Pobelka
- Cyber Security in the Netherlands on the agenda!
- Fox-IT discovers security bugs in Oracle Software
- Are we allowed to strike back?
- Observations on the recent Java 0-day exploits in the wild
- XDocCrypt/Dorifel – Document encrypting and network spreading virus
- How to find malicious communication leaving your network
- MIME Sniffing: feature or vulnerability?
- Critical analysis of Microsoft Operation B71
- Post mortem report on the sinowal/nu.nl incident
- RSA-512 Certificates abused in the wild
- Our view on the government's own offensive capability
- Fox-IT presentation at Infosecurity NL 2011
- On the CDA and penalising the use of crypto
- DPI: Let's do it like Chile!
- Forbes: Bert Hubert explains the DNS issue with China