How to become cyber resilient quickly and remain in full control
Running Cyber Security Operations is crucial but difficult. Successful and effective cyber security is not only about tools, but (increasingly) about the processes and people needed to operate those tools effectively. Organizations used to buy security tools and believe this would be sufficient; they increasingly realize that running the actual Cyber Security Operations (CSO) with …
Large malvertising campaign targeting the Netherlands
At the Fox-IT SOC we see malvertising incidents on a daily basis, as we have blogged about before. Sadly, malvertising has become a common occurrence, but the events we have been observing since Thursday the 11th of June stood out. An active malvertising campaign propagating via two major advertisement networks is targeting only visitors coming from the Netherlands, using the Angler …
Deep dive into QUANTUM INSERT
Summary and recommendations: QUANTUMINSERT (QI) is actually a relatively old technique. To carry it out, you need a monitoring capability that extracts information (such as sequence numbers) from observed TCP sessions, and a host that can send spoofed packets. The spoofed packet also needs to arrive at the client before the original packet for the injection to succeed. Any …
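The race described above leaves a trace a passive sensor can look for: the injected segment and the real server response both claim the same TCP sequence number, but carry different bytes, whereas a genuine retransmission repeats the same bytes. The following detector is an added example written for this page, not code from the Fox-IT post; the traffic, addresses and the `Segment` field names are constructed for the example.

```python
"""Added example, not from the Fox-IT post: flag QUANTUM INSERT style TCP
injection by looking for two data-bearing segments in one flow that claim
the same sequence number but carry different bytes. A genuine
retransmission repeats the same bytes; a spoofed packet racing the real
server response cannot. All traffic below is constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


def find_injections(segments):
    """Return (flow, seq, first_payload, later_payload) for every conflict.

    Only the overlapping prefix of the two payloads is compared, so a
    shorter or longer retransmission of the same data is not flagged.
    """
    first_seen = {}   # (flow, seq) -> payload of the first segment observed
    hits = []
    for s in segments:
        if not s.payload:
            continue  # pure ACKs carry no data to conflict on
        flow = (s.src, s.sport, s.dst, s.dport)
        key = (flow, s.seq)
        prev = first_seen.get(key)
        if prev is None:
            first_seen[key] = s.payload
            continue
        n = min(len(prev), len(s.payload))
        if prev[:n] != s.payload[:n]:
            hits.append((flow, s.seq, prev, s.payload))
    return hits


# Constructed sample flow (addresses are hypothetical).
CLIENT = ("10.0.0.5", 51000)
SERVER = ("93.184.216.34", 80)
REAL = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"
SPOOFED = b"HTTP/1.1 302 Found\r\nLocation: http://attacker.invalid/\r\n\r\n"


def seg(src, dst, seq, payload):
    return Segment(src[0], src[1], dst[0], dst[1], seq, payload)


SAMPLE_SEGMENTS = [
    seg(CLIENT, SERVER, 1, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    seg(SERVER, CLIENT, 1000, SPOOFED),               # shooter wins the race
    seg(SERVER, CLIENT, 1000, REAL),                  # real answer arrives later, client drops it
    seg(SERVER, CLIENT, 1000 + len(REAL), b"tail"),   # more data
    seg(SERVER, CLIENT, 1000 + len(REAL), b"tail"),   # retransmission: same bytes, not flagged
]


def run_example():
    """Run the detector over the constructed flow and return the hits."""
    return find_injections(SAMPLE_SEGMENTS)


if __name__ == "__main__":
    for flow, seq, first, later in run_example():
        print(f"conflict in {flow} at seq {seq}: {first[:20]!r} vs {later[:20]!r}")
```

The check only works where the sensor sees both copies, so it has to sit on a path that carries the real server response as well as the injected one (a tap close to the client). Keying on the full 4-tuple plus sequence number keeps unrelated flows from colliding, and comparing only the overlapping prefix avoids false positives on partial retransmissions.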
Liveblog: Malvertising from Google advertisements via possibly compromised reseller
We are currently observing a large-scale malvertising campaign originating from all of the Google advertisement services resold by engagelab.com. It appears that all of engagelab.com's advertisement and zone IDs are currently redirecting to a domain which in turn redirects to the Nuclear Exploit Kit, indicating a possible compromise at this reseller …
CryptoPHP a week later: more than 23,000 sites affected
On November 20th we published our report on CryptoPHP. Since publishing we have, together with other parties, been busy dealing with the affected servers and taking down the CryptoPHP infrastructure. Sinkhole statistics: With the help of the NCSC, Abuse.ch, Shadowserver and Spamhaus we have been able to gather data about the scale of the operation …
CryptoPHP: Analysis of a hidden threat inside popular content management systems
Update: We have published statistics on CryptoPHP and some advice in "CryptoPHP a week later: more than 23,000 sites affected". CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale. By publishing pirated themes and plug-ins free for anyone to use instead of having to pay …
Cryptolocker variant Torrentlocker making new victims in NL
This posting is an update to the Torrentlocker blog postings of October 15 and October 21. Introduction: Since last weekend, the Netherlands has been hit with another spam run spreading the Cryptolocker variant known as Torrentlocker. Torrentlocker presents itself to victims as Cryptolocker in all cases; however, it is a completely different piece of malware. Fox-IT received multiple reports …
Update on the Torrentlocker ransomware
This posting is an update to the Torrentlocker blog posting of October 15. For guidance on containment and recovery, see the previous blog post. Financial aspects: Ransom payments have to be made in Bitcoin. We have identified seven Bitcoin addresses that received ransom payments. The total income as of the 21st of October …
New Torrentlocker variant active in the Netherlands
Introduction: From Monday October 13th 2014 onwards, the Netherlands has been hit with a new spam run designed to spread a Cryptolocker variant known as Torrentlocker. Please note that Torrentlocker appears to present itself to victims as Cryptolocker in all cases. Fox-IT is now receiving multiple reports of new victims in the Netherlands and we are currently …
Live blog on SSLv3 protocol vulnerability ‘POODLE’
Google has announced the discovery of a protocol vulnerability in SSLv3. It allows an attacker who can tamper with traffic to decrypt parts of the content of connections secured by SSLv3, such as session cookies. SSLv3 is version 3 of the Secure Sockets Layer (SSL) protocol, published in 1996. SSL is used to encrypt communications between clients and servers. It is usually integrated with webservers, mailservers or …
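The weakness POODLE exploits is that SSLv3 CBC padding is not authenticated: the receiver checks only the final padding-length byte. An attacker who can make the victim send many requests and can rewrite records in transit copies the ciphertext block that holds a secret byte over the padding block; the record is accepted roughly once in 256 tries, and each acceptance reveals one plaintext byte. The simulation below is an added example written for this page, not code from the Fox-IT post or from Google. It stands in a toy SHA-256 Feistel cipher for the real block cipher and HMAC for the SSLv3 MAC (the attack depends only on CBC chaining and the padding check), and models the JavaScript-driven request shaping of the real attack as the attacker choosing the prefix and suffix lengths around the secret.

```python
"""Added example, not from the Fox-IT post: a self-contained simulation of the
POODLE padding oracle against SSLv3-style CBC records. A toy Feistel block
cipher on SHA-256 replaces the real cipher and HMAC replaces the SSLv3 MAC;
the attack relies on neither, only on CBC and on SSLv3 checking nothing but
the padding-length byte. Keys, IVs and the secret are constructed here."""
import hashlib
import hmac
import os

BLOCK = 16


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, half, i):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key, block):
    """4-round Feistel permutation on one 16-byte block (toy cipher)."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r


def sslv3_pad(data):
    # SSLv3: n arbitrary bytes followed by the length byte n, with n < BLOCK.
    # Only that last byte is checked on receipt; the n filler bytes are not.
    n = BLOCK - 1 - (len(data) % BLOCK)
    return data + os.urandom(n) + bytes([n])


def encrypt_record(enc_key, mac_key, plaintext):
    """Client side: MAC-then-pad-then-CBC-encrypt, fresh IV per record."""
    tag = hmac.new(mac_key, plaintext, hashlib.sha256).digest()[:16]
    body = sslv3_pad(plaintext + tag)
    iv = os.urandom(BLOCK)
    out, prev = [iv], iv
    for i in range(0, len(body), BLOCK):
        prev = block_encrypt(enc_key, _xor(body[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def server_accepts(enc_key, mac_key, record):
    """The oracle: True iff the padding-length byte is sane and the MAC verifies."""
    blocks = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]
    plain = b"".join(_xor(block_decrypt(enc_key, blocks[i]), blocks[i - 1])
                     for i in range(1, len(blocks)))
    n = plain[-1]
    if n >= BLOCK:
        return False
    body = plain[:-(n + 1)]
    data, tag = body[:-16], body[-16:]
    expect = hmac.new(mac_key, data, hashlib.sha256).digest()[:16]
    return hmac.compare_digest(tag, expect)


def poodle_recover(secret_len, oracle, client_send):
    """Recover a secret embedded in the client's requests, one byte per ~256 tries.

    client_send(prefix_len, suffix_len) returns a fresh record for the request
    prefix + secret + suffix; the attacker only controls those two lengths.
    """
    recovered = bytearray()
    for k in range(secret_len):
        prefix_len = (BLOCK - 1 - k) % BLOCK        # put secret[k] last in its block
        suffix_len = (-(prefix_len + secret_len)) % BLOCK   # force a full padding block
        target = (prefix_len + k) // BLOCK + 1      # ciphertext block index (0 is the IV)
        while True:
            rec = client_send(prefix_len, suffix_len)
            blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]
            blocks[-1] = blocks[target]             # swap target block over the padding block
            if oracle(b"".join(blocks)):
                # Accepted => D(C_target)[15] ^ C_last-1[15] == 15, so
                # P_target[15] = 15 ^ C_last-1[15] ^ C_target-1[15].
                recovered.append((BLOCK - 1) ^ blocks[-2][-1] ^ blocks[target - 1][-1])
                break
    return bytes(recovered)


def demo(secret=b"sid=ab12"):
    """Set up keys, wire attacker to oracle and client, return the recovered secret."""
    enc_key, mac_key = os.urandom(16), os.urandom(16)
    oracle = lambda rec: server_accepts(enc_key, mac_key, rec)
    client = lambda p, s: encrypt_record(enc_key, mac_key, b"A" * p + secret + b"B" * s)
    return poodle_recover(len(secret), oracle, client)


if __name__ == "__main__":
    print(demo())
```

The fix is not a patch to the padding check but retiring the protocol: disable SSLv3 on servers and clients, and support TLS_FALLBACK_SCSV so an active attacker cannot force a downgrade from TLS to SSLv3 in the first place.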