Relaying credentials everywhere with ntlmrelayx

Insecurities in NTLM Authentication have been known about for over 15 years. The protocol can be abused to hijack a victim’s session through a process called “relaying”, which abuses a victim’s credentials by forwarding them to a different service than intended. NTLM authentication is still supported and enabled by default in many cases, even though it has been replaced as default authentication method by the more secure Kerberos. In this blog we will demonstrate relaying credentials to LDAP, IMAP and MSSQL with Ntlmrelayx, a Fox-IT extension to the well-known smbrelayx tool.

Snake: Coming soon in Mac OS X flavour

Summary Snake, also known as Turla, Uroburos and Agent.BTZ, is a relatively complex malware framework used for targeted attacks1. Over the past year Fox-IT has been involved in multiple incident response cases where the Snake framework was used to steal sensitive information. Targets include government institutions, military and large corporates. Researchers who have previously analyzed … Continue reading Snake: Coming soon in Mac OS X flavour

A Mole exposing itself to sunlight

With the daily growth of the different kinds of ransomware and distribution techniques, Fox-IT's Security Operations Center was investigating a new ransomware called Mole. This ransomware is currently being spread by a social engineering exploit kit to trick the user in downloading a malicious executable. The ransomware author of Mole made a small mistake, which … Continue reading A Mole exposing itself to sunlight

Turkish hacktivists targeting the Netherlands: high noise, low impact

As a result of increased political tensions between The Netherlands and Turkey, a surge in activity from several Turkish hacker groups has been observed by Fox-IT. Most activities observed thus far appear to be aimed at defacement and disruption of online Dutch infrastructure. Most of the methods and techniques used to achieve this goal are … Continue reading Turkish hacktivists targeting the Netherlands: high noise, low impact

Detecting Ticketbleed (CVE-2016-9244)

On Thursday February 9th the vulnerability named ’Ticketbleed’ was made public. The name of this vulnerability does not just sound similar to Heartbleed, but also shares the same implication: remote reading of uninitialized memory. At the time we published Snort IDS detection rules for the Heartbleed vulnerability in OpenSSL, and have now decided to do … Continue reading Detecting Ticketbleed (CVE-2016-9244)

Malvertising: Not all Java from java.com is legitimate

Isn't it ironic getting a Java exploit via java.com, the primary source for one of the most common used browser plugins? Current malvertising campaigns are able to do this. This blog post details a relatively new trend: real-time advertisement bidding platforms being infiltrated by cyber criminals spreading malware.   Conclusion Malvertising has changed over the years starting … Continue reading Malvertising: Not all Java from java.com is legitimate

Not quite the average exploit kit: Zuponcic

A couple of weeks ago at the FOX-IT SOC, we noticed Zuponcic attempting to infect one of our clients protected networks. The incident was caused by a person visiting the website of Suriname's Ministry of Finance, minfin.sr. This post connects three recent developments in the realm of malware infections: .htaccess server compromise, the Zuponcic exploit … Continue reading Not quite the average exploit kit: Zuponcic

DNS takeover redirects thousands of websites to malware

Starting on Mon, 5 august 2013, 06:57:30 Fox-IT's monitoring service detected a redirect occurring initially on conrad.nl but later on many other websites. The way the site was compromised means thousands of websites are redirecting, in total 3 web hosters seem to have been affected by the DNS server compromise: Digitalus VDX Webstekker All sites … Continue reading DNS takeover redirects thousands of websites to malware

XDocCrypt/Dorifel – Document encrypting and network spreading virus

Another day, another malware, and today it was an unknown Delphi application which encrypts your office documents on your non-root and non-CD/DVD drives and prepends it with a copy of itself, turning a document into an executable. Great, everybody loves these kinds of things as your entire IT dependant organization will grind to a complete halt … Continue reading XDocCrypt/Dorifel – Document encrypting and network spreading virus