Archive

This page contains all published blog posts.

• From ERMAC to Hook: Investigating the technical differences between two Android malware variants
• Approximately 2000 Citrix NetScalers backdoored in mass-exploitation campaign
• From Backup to Backdoor: Exploitation of CVE-2022-36537 in R1Soft Server Backup Manager
• Threat spotlight: Hydra
• CVE-2022-27510, CVE-2022-27518 – Measuring Citrix ADC & Gateway version adoption on the Internet
• One Year Since Log4Shell: Lessons Learned for the next ‘code red’
• I’m in your hypervisor, collecting your evidence
• Sharkbot is back in Google Play
• Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study 
• Flubot: the evolution of a notorious Android Banking Malware
• Adventures in the land of BumbleBee
• SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store
• log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228
• Log4Shell: Reconnaissance and post exploitation network detection
• Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm
• Tracking a P2P network related to TA505
• TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access
• Reverse engineering and decrypting CyberArk vault credential files
• SnapMC skips ransomware, steals data
• RM3 – Curiosities of the wildest banking malware
• Abusing cloud services to fly under the radar
• TA505: A Brief History Of Their Time
• Decrypting OpenSSH sessions for fun and profit
• StreamDivert: Relaying (specific) network connections
• Machine learning from idea to reality: a PowerShell case study
• A Second Look at CVE-2019-19781 (Citrix NetScaler / ADC)
• WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
• In-depth analysis of the new Team9 malware family
• LDAPFragger: Command and Control over LDAP attributes
• Hunting for beacons
• Detecting random filenames using (un)supervised machine learning
• Office 365: prone to security breaches?
• Using Anomaly Detection to find malicious domains
• Syncing yourself to Global Administrator in Azure Active Directory
• Export corrupts Windows Event Log files
• Getting in the Zone: dumping Active Directory DNS using adidnsdump
• mkYARA – Writing YARA rules for the lazy analyst
• PsiXBot: The Evolution Of A Modular .NET Bot
• Identifying Cobalt Strike team servers in the wild
• Your trust, our signature
• Phishing – Ask and ye shall receive
• Bokbot: The (re)birth of a banker
• Introducing Team Foundation Server decryption tool
• Introducing Orchestrator decryption tool
• Escalating privileges with ACLs in Active Directory
• Compromising Citrix ShareFile on-premise via 7 chained vulnerabilities
• mitm6 – compromising IPv4 networks via IPv6
• Lessons learned from a Man-in-the-Middle attack
• Criminals in a festive mood
• Detection and recovery of NSA’s covered up tracks
• Further abusing the badPwdCount attribute
• Fox-IT debunks report on ByLock app that landed 75,000 people in jail in Turkey
• FAQ about PETYA/GOLDENEYE/PETR outbreak
• Liveblog: Huge Petya ransomware wave
• Massive outbreak of ransomware variant infects large amounts of computers around the world
• Relaying credentials everywhere with ntlmrelayx
• Snake: Coming soon in Mac OS X flavour
• A Mole exposing itself to sunlight
• Turkish hacktivists targeting the Netherlands: high noise, low impact
• Detecting Ticketbleed (CVE-2016-9244)
• Recent vulnerability in Eir D1000 Router used to spread updated version of Mirai DDoS bot
• Ziggo ransomware phishing campaign still increasing in size
• Mofang: A politically motivated information stealing adversary
• LinkedIn information used to spread banking malware in the Netherlands
• Ransomware deployments after brute force RDP attack
• Large malvertising campaign hits popular Dutch websites
• Website of security certification provider spreading ransomware
• Financial Crisis Exercise at RSA 2016
• RSA 2016: A Long Road Ahead for Security
• RSA 2016: security heeft nog een lange weg te gaan
• Ponmocup – A giant hiding in the shadows
• The state of Ransomware in 2015
• How a research project at Fox-IT enhances your security career
• Finding the hidden attacker in your network
• Do you have a clue?
• How to become cyber resilient quickly and remain in full control
• Large malvertising campaign targeting the Netherlands
• Deep dive into QUANTUM INSERT
• Liveblog: Malvertising from Google advertisements via possibly compromised reseller
• CryptoPHP a week later: more than 23.000 sites affected
• CryptoPHP: Analysis of a hidden threat inside popular content management systems
• Cryptolocker variant Torrentlocker making new victims in NL
• Update on the Torrentlocker ransomware
• New Torrentlocker variant active in the Netherlands
• Live blog on SSLv3 protocol vulnerability ‘POODLE’
• Update on DecryptCryptoLocker
• Malvertising: Not all Java from java.com is legitimate
• CryptoLocker ransomware intelligence report
• OpenSSL ‘heartbleed’ bug live blog
• Building Bowser – A password cracking story
• Tilon/SpyEye2 intelligence report
• Malicious advertisements served via Yahoo
• Not quite the average exploit kit: Zuponcic
• Large botnet cause of recent Tor network overload
• DNS takeover redirects thousands of websites to malware
• Analysis of malicious advertisements on telegraaf.nl
• Analysis of the KINS malware
• Geïnfecteerde advertenties op nu.nl
• Security advisory: Unencrypted storage of confidential information in Keeper® Password & Data Vault v5.3 for iOS
• Seen in the wild: Updated Exploit Kits
• Writeup on nbc.com distributing Citadel malware
• Oracle getting serious about Java
• Demystifying Pobelka
• Cyber Security in Nederland op de agenda!
• Fox-IT discovers security bugs in Oracle Software
• Mogen we terugslaan?
• Observations on the recent Java 0-day exploits in the wild
• XDocCrypt/Dorifel – Document encrypting and network spreading virus
• How to find malicious communication leaving your network
• MIME Sniffing: feature or vulnerability?
• Critical analysis of Microsoft Operation B71
• Post mortem report on the sinowal/nu.nl incident
• RSA-512 Certificates abused in the wild
• Onze visie op de eigen slagkracht van de overheid
• Presentatie Fox-IT op Infosecurity NL 2011
• Over het CDA en het bestraffen van gebruik van crypto
• DPI: Laten we het doen zoals in Chili!
• Forbes: Bert Hubert explains the DNS issue with China