A Second Look at CVE-2019-19781 (Citrix NetScaler / ADC)

Authors: Rich Warren of NCC Group FSAS & Yun Zheng Hu of Fox-IT, in close collaboration with Fox-IT’s RIFT. About the Research and Intelligence Fusion Team (RIFT): RIFT leverages our strategic analysis, data science, and threat hunting capabilities to create actionable threat intelligence, ranging from IOCs and detection capabilities to strategic reports on tomorrow’s threat … Continue reading A Second Look at CVE-2019-19781 (Citrix NetScaler / ADC)

Detecting random filenames using (un)supervised machine learning

Combining both n-grams and random forest models to detect malicious activity. Author: Haroen Bashir An essential part of Managed Detection and Response at Fox-IT is the Security Operations Center. This is our frontline for detecting and analyzing possible threats. Our Security Operations Center brings together the best in human and machine analysis and we continually … Continue reading Detecting random filenames using (un)supervised machine learning

Office 365: prone to security breaches?

Author: Willem Zeeman "Office 365 again?". At the Forensics and Incident Response department of Fox-IT, this is heard often.  Office 365 breach investigations are common at our department. You’ll find that this blog post actually doesn’t make a case for Office 365 being inherently insecure – rather, it discusses some of the predictability of Office … Continue reading Office 365: prone to security breaches?

Using Anomaly Detection to find malicious domains

Applying unsupervised machine learning to find ‘randomly generated domains. Authors: Ruud van Luijk and Anne Postma At Fox-IT we perform a variety of research and investigation projects to detect malicious activity to improve the service of  our Security Operations Center. One of these areas is applying data science techniques to real world data in real … Continue reading Using Anomaly Detection to find malicious domains

Export corrupts Windows Event Log files

Exported .evtx files may contain corrupted data - Check interpretation of forensic tools. Author: Jeffrey Wassenaar Introduction As forensic investigators, we truly love log files. During the investigation of a system with a Microsoft Windows operating system, Windows Event Log files (.evtx) can be very useful. System events (such as logons) are logged, but applications … Continue reading Export corrupts Windows Event Log files

Lessons learned from a Man-in-the-Middle attack

It’s become a widely accepted mantra that experiencing a cyber breach is a question of ‘when’ and not ‘if’. For Fox-IT ‘if’ became ‘when’ on Tuesday, September 19 2017, when we fell victim to a “Man-in-the-Middle” attack. As a result of the multi-layered security protection, detection and response mechanisms we had in place, the incident … Continue reading Lessons learned from a Man-in-the-Middle attack

Fox-IT debunks report on ByLock app that landed 75,000 people in jail in Turkey

The Turkish government has been actively pursuing the prosecution of the participants of the Gülen movement in what it calls “the Fetullahist Terrorist Organization/Parallel State Structure (FETÖ/PDY)”. To this end, the Turkey’s National Intelligence Organization (Millî İstihbarat Teşkilatı or MİT in Turkish) has investigated the relation of a publicly available smart phone messaging application called … Continue reading Fox-IT debunks report on ByLock app that landed 75,000 people in jail in Turkey

Cryptolocker variant Torrentlocker making new victims in NL

This posting is an update to Torrentlocker blog postings of October 15 and October 21. Introduction Since past weekend, the Netherlands were hit with another spam run spreading the Cryptolocker variant known as Torrentlocker. Torrentlocker presents itself to victims as Cryptolocker in all cases, however this is a completely different malware. Fox-IT received multiple reports … Continue reading Cryptolocker variant Torrentlocker making new victims in NL