Information Security Archives

SEIMs and Other Forensic Tools Vulnerable to Log4j Exploits

January 3, 2022December 23, 2021 by Sean Whalen

The Auopsy, Ghidra, Graylog, Log4j, and Splunk logos

This article was last updated on 2022-01-03.

After several Log4j vulnerabilities (known as Log4shell or LogJam in the tech press) were publicly exposed, IT teams around the globe have been rushing to patch all of their applications against the flaws. Log4j is an very popular open source software library for implementing logging in Java applications. The first discovered flaw, tracked as CVE-2021-44228, allows logged data to include remote lookup that would then download and execute arbitrary code from a remote server, which is known as a Remote Code Execution (RCE) vulnerability. Many security tools such as Splunk, Graylog, Autopsy, and Ghidra use Log4j to generate usage and diagnostic logs.

Tools commonly used by information security professionals to investigate breaches could be leveraged to cause a security breach.

How to Install Volatility 2 and Volatility 3 on Debian, Ubuntu, or Kali Linux

October 6, 2021 by Sean Whalen

A close-up photo of sticks of computer memory/RAM

Volatility is a powerful memory forensics tool. This guide will show you how to install Volatility 2 and Volatility 3 on Debian and Debian-based Linux distributions, such as Ubuntu and Kali Linux.

How to use Farsight Security’s DNSDB to harness the power of passive DNS

May 23, 2021May 22, 2021 by Sean Whalen

DNS describes the structure of resources on the internet. It can provide lots of valuable information about (attacker or target) infrastructure. However, in order to query DNS records, you must already know the exact domains or subdomains to query. When examining unknown infrastructure, this is not practical. On top of that, DNS records can change often, so historical information is lost. Passive DNS databases help solve both of these problems. Farsight Security DNSDB is the largest passive DNS database in the world. With DNSDB, you can answer questions like “How has this network infrastructure changed over time?”, “What other domains and subdomain point (or have pointed to) this IP address?”, “What are the subdomains and resource records for this domain?”

An introduction to DNS

May 17, 2021May 15, 2021 by Sean Whalen

The Domain Name System (DNS) is best known as the way domain names are converted into IP addresses that clients connect to, but there are many other uses for DNS. Read on to learn more.

How to examine a credential harvesting page using Microsoft Edge

May 23, 2021May 10, 2021 by Sean Whalen

A screenshot of a credential harvesting login page loaded in Microsoft Edge

Recently I analyzed a credential harvesting page with some interesting characteristics that made a great teaching moment. In this post, I’ll go over how I used the developer tools built into Microsoft Edge to examine the credential harvesting page.

How to forward a forensic copy of an email as an attachment

January 19, 2022August 28, 2019 by Sean Whalen

If you receive a fraudulent email, can be very useful to send a full forensic copy to an organization that is being spoofed, industry partners, and law enforcement.

When a user clicks forward in a mail client, the client copies the message’s content and attachments to a new message. The original message headers are not included.

In order to send a full forensic sample that includes the original message headers, the original message must be sent as an attachment in a new message. The process for doing this varies by mail client.

How to view email headers

January 19, 2022August 27, 2019 by Sean Whalen

Email headers contain very useful information for tracing a message’s origin and troubleshooting its delivery. Email headers are written with the oldest headers at the bottom, and the newest headers at the top. By reading the headers in the correct order, you can see how the message was passed from one mail server to another, and the actions each mail server took along the way.

Most email clients have a function to display a message’s headers. The exact steps depends on the client.

Proofpoint is forcing their customers to pay for Email Fraud Defense to get aggregate DMARC data from their own gateways

May 23, 2021June 4, 2019 by Sean Whalen

A redacted screenshot of the Proofpoint Email Fraud Defense dashboard

I have written extensively about the DMARC email security standard, including publishing a comprehensive guide on how to implement it, with or without additional third party vendors. I also do a little consulting on DMARC deployment best practices. One of those consulting clients uses Proofpoint for their email gateway. They also use Dmarcian, a reasonably priced DMARC report analytics service that also publishes a ton of public content for the good of the community. We were considering moving the client’s DMARC policy from monitor only (p=none) to an enforced state (p=reject) after many hours of steadily improving the SPF and DKIM alignment of their email sources. As I took another look at the aggregate (rua) DMARC data in Dmarcian, I noticed something odd: Dmarcian was getting aggregate reports from all of the expected third party email recipients, like Google, Yahoo, Comcast, and the client’s industry partners, but I didn’t see any reporting from the client’s own Proofpoint gateways.

Emotet malspam campaign exploits reliance on magic for file type detection

March 1, 2019January 26, 2019 by Sean Whalen

A screenshot of a VirusTotal results page showing a detection rate of 10/58 for a Emotet dropper document

Emotet is a Trojan designed to steal banking information. It is frequently spread by sending phishing emails to governments, banks, healthcare organizations, and schools. The phishing emails will often claim to be an invoice, with a malicious Microsoft Word document attached. The email may often appear to be from a trusted supplier. Once the attachment or link is opened, the target is prompted to click “Enable content”, which would allow the dropper to install Emotet.

Screenshot of a Emotet dropper document open in Microsoft Word 2016. — The document clams that the user must click “enable content” to view it, but doing so would actually install malware

I recently encountered two Emotet dropper samples (0b9ccb04553ba5f1ce784630ef9b2c478ed13a96e89c65dcd9c94205c235ea12 and eff6619aee017ee5d04c539ff12c63a199a1e489660f7156b95e562667393d3c) that would not run correctly in my malware sandbox. I soon found the cause of the problem: the file type had been detected as a generic XML file, rather than what it really is: a Microsoft Word document.