Detection and recovery of NSA’s covered up tracks

Part of the NSA cyber weapon framework DanderSpritz is eventlogedit, a piece of software capable of removing individual lines from Windows Event Log files. Now that this tool is leaked and public, any criminal willing to remove its traces on a hacked computer can use it. Fox-IT has looked at the software and found a … Continue reading Detection and recovery of NSA’s covered up tracks →

Further abusing the badPwdCount attribute

Researched and written by Rindert Kramer Introduction At Fox-IT, we often do internal penetration tests for our customers. One of the attacks that we perform is password spraying. In a password spraying attack the attacker tries to authenticate as one of the user accounts that is found in Active Directory using a common password. These … Continue reading Further abusing the badPwdCount attribute →

Fox-IT debunks report on ByLock app that landed 75,000 people in jail in Turkey

The Turkish government has been actively pursuing the prosecution of the participants of the Gülen movement in what it calls “the Fetullahist Terrorist Organization/Parallel State Structure (FETÖ/PDY)”. To this end, the Turkey’s National Intelligence Organization (Millî İstihbarat Teşkilatı or MİT in Turkish) has investigated the relation of a publicly available smart phone messaging application called … Continue reading Fox-IT debunks report on ByLock app that landed 75,000 people in jail in Turkey →

FAQ about PETYA/GOLDENEYE/PETR outbreak

Revision history: 29th of June, 2017 18:00 (UTC +2) - Update 2 (current) - Added Q11 28th of June, 2017 22:00 (UTC +2) - Update 1 - Initial FAQ Q1 Is the Petya attack still in progress? A: The initial attack vector appears to have been the accounting software M.E.Doc, for which a malicious software update … Continue reading FAQ about PETYA/GOLDENEYE/PETR outbreak →

Liveblog: Huge Petya ransomware wave

Revision history: Update 2 (current): 28th of June, 2017 22:45 (UTC +2) - Added Snort rule for detection purposes Update 1: 27th of June, 2017 18:04 (UTC +2) - Initial post A new variant of the Petya ransomware started to spread havoc within various companies around the world the 27th of June 2017 . The … Continue reading Liveblog: Huge Petya ransomware wave →

FAQ on the WanaCry ransomware outbreak

Last updated: May 16th 2017 A ransomware variant known as WanaCry/WanaCrypt0r has spread on a massive scale around the world since the 12th of May 2017. For more information about the context with regards to this WanaCry variant, see also our earlier blog. The section below outlines the frequently asked questions and corresponding answers. Q: … Continue reading FAQ on the WanaCry ransomware outbreak →

Massive outbreak of ransomware variant infects large amounts of computers around the world

Today, May 12th 2017, a ransomware variant known as WanaCry is being spread on a massive scale around the world. Once a computer is infected it will attempt to infect other machines on the same network using a recently patched vulnerability in the Windows SMB protocol. Update: We have published an FAQ to answer additional … Continue reading Massive outbreak of ransomware variant infects large amounts of computers around the world →