CIRCL

CIRCL Team Members

2025-07-14T14:23:58Z

Team Members

CIRCL team is composed of competent people, dedicated to their mission of improving security for the benefit of Luxembourg and the companies located on the territory.

A file containing all the PGP keys listed on this page is also available.

Operational Core Team

Name	PGP Fingerprint	Matrix
Cedric Bonhomme	55F5 D60E EFCA 3591 0089 18E7 A1CB 94DE 57B7 A70D	@cedric:matrix.circl.lu
Xavier Claude	0BF0 0868 B612 51BD D223 74F1 7185 831A 9C04 F715	@claudex:matrix.circl.lu
David Cruciani	A7C82 7090 996D CB96F C2AF2 D869 0CDE1 E399 4B9B	@dacruciani:matrix.circl.lu
Alexandre Dulaunoy	3B12 DCC2 82FA 2931 2F5B 709A 09E2 CD49 44E6 CBCD	@adulau:matrix.circl.lu
Michael Hamm	917D 0B62 1E88 BEC1 9081 792B F723 3773 DB0F 8DBD	@michael:matrix.circl.lu
Andras Iklody	C0B2 39A5 D5D7 76A8 C2FE 322F BEA2 24F1 FEF1 13AC	@andras:matrix.circl.lu
Quentin Jérôme	C0F6 E8F2 C1AB 2799 A31F 416C 0548 A778 D21D 10AD	@quentin:matrix.circl.lu
Paul Jung	3202 40F9 B345 6CE4 616E DC8C F93A 0908 1A50 DC5A	@thanat0s:matrix.circl.lu
Sami Mokaddem	F6D9 8155 94D1 2C13 84B4 4D1F 164C 473F 627A 06FA	@sami:matrix.circl.lu
Luciano Righetti	3E2D 042B B38C 5169 34A4 2CDA FB1B AC9A EC8A 387B	@luciano:matrix.circl.lu
Sascha Rommelfangen	85F1 E6D6 7988 03C6 5446 3133 89F7 60A9 A572 F306	@rommelfs:matrix.circl.lu
Deborah Servili	CE50 734F DD43 E982 3864 157D 7E3A 8328 50D4 D7D1	@deb:matrix.circl.lu
Christian Studer	64ED D89D 9F0D 1AC4 309C A94B 6BBE D1B6 3A6D 639F	@chris:matrix.circl.lu
Aurélien Thirion	0001 ED96 0248 6C26 D551 8351 1E1B 1F50 D846 13D0	@aurelien:matrix.circl.lu
Gerard Wagener	41EC EDCE 3394 E3CE 3A18 98E3 D0EB 697E D81F 0490	@gerard:matrix.circl.lu

Business and Legal Support Team

Name	PGP Fingerprint
Rita Bressanutti	53FD AEB3 E4AA 286A 819C 9B24 052F FBC7 912A 19C9
Margot Hartman	DACE 9456 1FE5 3164 8805 9812 5EBD 1A69 EDDB 2252
Pascal Steichen	D1DF 00E4 A9BD 1649 8A89 F62F 32C9 485E 0549 E7E1

Anonymous Incident Report Form

0001-01-01T00:00:00Z

This web-enabled form is accessible via TLS/SSL to report computer security incidents, security vulnerabilities or any inquiries related to incident handling.

Before submitting an incident, you should read the guideline for incident reporting.

If the incident includes phishing or similar attacks relying on email, we advice to include full headers of the email as described in TR-07 - HOWTO find SMTP headers in common Email clients.

Please mention any contact information in your message if you wish to be contacted. If you wish to remain anonymous, don't put any personally identifiable information.

Botfree.lu - Luxembourg anti-botnet support - ACDC Luxembourg support center

0001-01-01T00:00:00Z

Botfree.lu - Luxembourg anti-botnet support - ACDC Luxembourg support center

Infected systems are often part of a botnet which can be controlled remotely by attackers to perform criminal activities like attacking other computers, sending malicious emails or performing denial-of-service attack.

My PC is infected and I am looking for support

If you have a strong suspicion that your machine is infected and you are looking for support to re-install the system, you can check the PC-doctor list to find an SME to support you.

I received a malicious or suspicious link

Phishing links can tested without risk and reported via the CIRCL urlabuse interface.

I have a security incident in my company

If you have a security incident in your company, you can report it to CIRCL.

I found illegal content on the Internet, what should I do?

The BEE SECURE Stopline project aims to provide a structure enabling illegal Internet content to be reported anonymously and to deal with these reports in collaboration with the relevant national and international authorities.

Where can I find more documentation about security?

You can find additional information about specific topics like account hijacking and stolen mobile devices in The Digital First Aid Kit. You can find additional information on the BEESECURE website, NC3 or LHC.

I have a different information security incident, not matching any of the above categories. Whom can I contact?

You can report it to CIRCL.

About the European Advanced Cyber Defense Center project

Botfree.lu is an initiative from CIRCL, BEE SECURE and LHC gie as a part of the support centers of the European Advanced Cyber Defense Center (ACDC-project) on the basis of the antibotnet activities of the German ISP’s association ECO.

CIRCL - Contact

0001-01-01T00:00:00Z

Postal address

Important: An appointment is required for every meeting in our offices.

  CIRCL - Computer Incident Response Center Luxembourg
  c/o "Luxembourg House of Cybersecurity" g.i.e.
  122, rue Adolphe Fischer
  L-1521 Luxembourg
  Grand-Duchy of Luxembourg

Telephone

  (+352) 247 88444

E-mail (ticketing system)

info@circl.lu

GPG fingerprint: CA57 2205 C002 4E06 BA70 BE89 EAAD CFFC 22BD 4CD5

CIRCL Situational Awareness

0001-01-01T00:00:00Z

Introduction

In order to protect infrastructure, applying preventive measures, taking appropriate security decisions and/or security measurements are critical aspects.

Are specific threats or risks a reality?
Based on the security measures, what should an organisation focus on or prioritize on?

CIRCLs goal is to gather objective and repeatable metrics to support the decision process in security at large. As CIRCL operates various tools (such as honeypots, black-hole monitoring, information sharing tools or active monitoring tools), we provide an automated overview of the collected information and their potential support to make a decision. This page is automatically updated to provide a basic situational awareness overview based on measured information. Topic will regularly follow new sources of information which can be measured efficiently.

Topic: IoT security

IoT security is an often mentioned topic, but it remains very challenging for an organisation to perceive the real risk associated with IoT devices. The metrics below show the persistence of adversaries against specific vulnerable IoT devices, showing their dedication and regular activities targeting devices.

Recommendations: Filtering (before connecting) IoT devices is a MUST following the persistence of attackers to reach vulnerable equipments; Reviewing equipments and devices which can be considered as IoT and ensure software updates

Observed abuse using UDP packets with shell escaped payload

URL lifetime in shell escaped payload

{:height=“80%” width=“80%”} PDF version

URL activity in shell escaped payload

{:height=“80%” width=“80%”} PDF version

Topic: Human errors

Human errors are often difficult to measure. In the case of our honeypot network, CIRCL collects misconfigured DNS queries leaking to honeypots. The DNS queries shown a business day pattern which demonstrates the misconfiguration aspect of the DNS in corporate environments.

Recommendations: Ensure correctness of your DNS configuration; Disable recursive DNS queries for internal systems

DNS queries (A) received by honeypot

{:height=“80%” width=“80%”} PDF version

Classification of this document

TLP:CLEAR information may be distributed without restrictions. The document and the Open Data mentioned are licensed under an international CC-BY 4.0.

The document including graphics and diagrams can be freely reused following the international CC-BY 4.0.

References

Revision

Version 1.0 September 13th, 2018 Initial version TLP:CLEAR.

Mission Statement

0001-01-01T00:00:00Z

The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents.

CIRCL is the CERT for the private sector, communes and non-governmental entities in Luxembourg.

CIRCL provides a reliable and trusted point of contact for any users, companies and organizations based in Luxembourg, for the handling of attacks and incidents. Its team of experts acts like a fire brigade, with the ability to react promptly and efficiently whenever threats are suspected, detected or incidents occur.

CIRCL’s aim is to gather, review, report and respond to cyber threats in a systematic and prompt manner.

CIRCL is operated by Luxembourg House of Cybersecurity g.i.e, which is also the host organization for the NC3 - National Cybersecurity Competence Center.

Our mission is to:

provide a systematic response facility to ICT-incidents
coordinate communication among national and international incident response teams during security emergencies and to help prevent future incidents
support ICT users in Luxembourg to recover quickly and efficiently from security incidents
minimize ICT incident-based losses, theft of information and disruption of services at a national level
gather information related to incident handling and security threats to better prepare future incidents management and provide optimized protection for systems and data
provide a security related alert and warning system for ICT users in Luxembourg
foster knowledge and awareness exchange in ICT security

RFC2350

For more details, please take a look at our RFC2350 document.

Accreditations

CIRCL is the CERT for the private sector, communes and non-governmental entities in Luxembourg.

CIRCL is an accredited CERT of TF-CSIRT Trusted Introducer.

CIRCL is also a full member of FIRST (Forum of Incident Response and Security Teams).

CIRCL is RIPE member and LU-CIX member.

News

0001-01-01T00:00:00Z

Cybersecurity Unites Across Borders - FETTA Project Launched to Strengthen EU Cyber Threat Intelligence - 31st January 2024
CIRCL hash lookup is a public API to lookup hash values against known database of files new service available - 7th July 2021
TR-58 - CVE-2020-0796 - Critical vulnerability in Microsoft SMBv3 - status and mitigation published - 11th March 2020
MISP training materials updated to the latest version - 26th September 2019
circl-phishing-dataset-01 is a dataset of 400+ pictures of verified or potential phishing websites screenshots. circl-ail-dataset-01 is a dataset of 37000+ pictures of dark-web’s websites screenshots. - 10th July 2019
Digital Forensic - Training Materials Updated included new materials for Windows forensic - 23rd May 2019
Operational statistics published 2014-2018 - 14th January 2019
TR-55 - SquashFu - an alternate Open Source Backup solution, resilient to Crypto Ransomware attacks published (for review) - 12th September 2018
CIRCL operational statistics published and updated including half of 2018 - 17th August 2018
TR-54 - Sextortion scam emails - I know your password published - 3rd August 2018
Summer hackathon - Open Source Security Hackathon - Improving and integrating CERT/CSIRT tools is now open for registration - 10th July 2018
CIRCL operational statistics are now published including open data - 4th January 2018
TR-50 - WPA2 handshake traffic can be manipulated to induce nonce and session key reuse published - 16 October 2017
CIRCL now publishes operational statistics along with its opendata program - 12 October 2017
TR-49 - CVE-2017-7494 - A critical vulnerability in Samba - remote code execution from a writable share published - 26 May 2017
TR-41 - Updated recommendations because of new critical threat (ransomware “WannaCry”) - 13 May 2017
TR-38 - Attaques visant les solutions bancaires d’entreprise - Recommandations updated - 9 May 2017
TR-38 - Attacks targeting enterprise banking solutions - recommendations and remediations updated - 9 May 2017
New MISP training in Luxembourg will take place on Mon, March 20, 2017 registration and Wed, April 5, 2017 in Nantes (France) registration - 27th February 2017
TR-47 - Recommendations regarding Abuse handling for ISPs and registrars - 23rd February 2017
New MISP training in Luxembourg will take place on Tue, February 7, 2017 registration - 22nd December 2016
TR-46 - Information Leaks Affecting Luxembourg and Recommendations - 5th October 2016
MSc Student Internship Position Published - 30th September 2016
Mass-malware handling in a National CERT @ SCSConference - 14th September 2016
MISP - Information sharing for the financial sector - 27th May 2016
TR-45 - Data recovery techniques published - 12th May 2016
MISP - Malware Information Sharing Platform & Threat Sharing - Training Materials released - 24th March 2016
TR-44 - Information security - laws and specific rulings in the Grand Duchy of Luxembourg published - 15th March 2016
Information Sharing and Cyber Security - The Benefits of the Malware Information Sharing Platform (MISP) - 18th February 2016
CIRCL training catalogue 2016 published - 15th February 2016
MISP training in Luxembourg on March 22, 2016 - 11th January 2016
TR-43 - Installing MPSS 3.6.1 to use a Intel Xeon Phi Coprocessor on Ubuntu Trusty 14.04 LTS published - 11th January 2016
New MSc and PhD internships at CIRCL including AIL and Crawling-Analysis Extensions - 4th January 2016
TR-42 - CVE-2015-7755 - CVE-2015-7756 - Critical vulnerabilities in Juniper ScreenOS - 21st December 2015
TR-41 - Crypto Ransomware - Défenses proactives et de réponse sur incident - 1st December 2015
TR-41 - Crypto Ransomware - Proactive defenses and incident response - 1st December 2015
The first international Malware Information & Threat Sharing Platform Summit - 2nd October 2015
BGP Ranking used as key evaluation reference in an international academic paper - 28th September 2015
TR-40 - Allaple worm activity in 2015 and long-term persistence of worm (malware) in Local Area Networks - Friday 25th September 2015
Passive SSL - API version 2 available with new functionalities - Thursday 27th August 2015
Various fixes and updated to the CIRCL Common Vulnerabilities and Exposures search API - Monday 27th July 2015
4 security advisories published - Wednesday 1st July 2015
Meet CIRCL at FIRST Annual Conference in Berlin - Friday 11th June 2015
TR-38 - Attaques visant les solutions bancaires d’entreprise - Recommandations - Thursday 28th May 2015
CIRCLean version 1.3 including critical security fix - Thursday 28th May 2015
Phishing-Initiative Luxembourg inauguré pendant l’ICTSpring 2015 - Friday 22nd May 2015
TR-38 - Attacks targeting enterprise banking solutions - recommendations and remediations - Monday 18th May 2015
TR-37 - VENOM / CVE-2015-3456 - Critical vulnerability in QEMU Floppy Disk Controller (FDC) emulation - Thursday 14th May 2015
Improving WordPress security with TR-36 Example setup of WordPress with static export - Tuesday 28th April 2015
Luxembourg National Anti-Botnet Support Center joins the European Advanced Cyber Defence Centre - Thursday 26th March 2015
cve.circl.lu new version released with a new public API - Monday 23rd March 2015
CIRCLean 1.2 released - USB key sanitizer - Tuesday 11th March 2015
CIRCL releases the source code of its URL Abuse software - Thursday 5th March 2015
TR-33 - Analysis - CTB-Locker / Critroni - Tuesday 17th February 2015
TR-32 - key-value store and NoSQL security recommendations - Tuesday 10th February 2015
A new wave of crypto ransomware targeting Luxembourg - Thursday 5th February 2015
TR-31 - GHOST / CVE-2015-0235 - glibc vulnerability - gethostbyname - Thursday 29th January 2015
CIRCL Responsible Vulnerability Disclosure process is publicly available - Thursday 29th January 2015
TR-08 CIRCL automatic launch object detection for Mac OS X software updated including the fix for OS X Yosemite - Friday 23rd January 2015
TR-30 - Acquisition Support Tools for Local Incident Response Team (LIRT) published - Tuesday 20th January 2015
New CIRCL Passive SSL services available - Friday 9th January 2015
TR-29 - NTP (Network Time Protocol) daemon - ntpd - critical vulnerabilities published - Monday December 22nd 2014
The Inception Framework - Cloud-Hosted Targeted Malware Framework - Monday December 15th 2014
Hack.lu - 10 years of success and 2015 edition announced - Thursday November 27th 2014
Sharing Threat Indicators and Security Ranking, an opportunity for the Internet Community - Tuesday November 18th 2014
Two new Python libraries published to access CIRCL services: PyMISP and Passive DNS Python Library - Monday November 10th 2014
A new version of CIRCLean, the USB key sanitizer including major bug fixes - Tuesday October 28th 2014
TR-28 - SSLv3 vulnerability and how to disable SSLv3 - CVE-2014-3566 - Wednesday October 15th 2014
A new version of CIRCLean, the USB key sanitizer, released including NTFS support and security fixes - Tuesday October 1st 2014
TR-27 - GNU Bash Critical Vulnerability - CVE-2014-6271 - CVE-2014-7169 published - Wednesday September 24th 2014
CIRCL warns about spear phishing scams targeting corporate executives and their accounting department - Monday September 15th 2014
New scholarships and internships positions at CIRCL published - Thursday August 28th 2014
First version of Analysis Information Leak framework released - Wednesday August 7th 2014
TR-25 - Analysis of Turla/Pfinet/Snake/Uroburos/Pfinet published - Thursday July 10th 2014
TR-14 - Analysis of a stage 3 Miniduke malware sample updated to include the loader diagram due to the F-Secure report CosmicDuke: Cosmu With a Twist of MiniDuke
Workshop Invitation: Discover the CIRCLean – a USB key sanitizer to avoid malware infections - Tuesday July 8th 2014 (4 PM-6PM) at the Technoport Belval
Data Feeds of Common Vulnerabilities and Exposures (CVE) with Luxembourgian Ranking - Thu June 19 2014
CIRCL becomes member of the international Forum of Incident Response and Security Teams (FIRST) and will be at the FIRST annual conference in Boston - Mon June 16 2014
TR-22 Recommendations for Readiness to Handle Computer Security Incidents includes a set of practical recommendations on how to gather technical evidences (memory, filesystem or network) - Fri June 6 2014
TR-24 Analysis - Destory RAT family published including a comparison with all known malware family members (PlugX, Gulpix, Korplug, Destory, Thoper, Sogu, TVT) - Tue June 3 2014
Malware Information Sharing Platform (MISP) - Thu May 22 2014
A new version of CIRCLean USB key sanitizer released. A hardware device to clean documents from untrusted USB sticks - Wed May 21 2014
Information Sharing Cornerstone in Incident Detection and Handling at DBIR Paris - Thu May 15 2014
Presentation about Darknet and blackhole monitoring at Honeynet project in Warsaw PDF - Mon May 12 2014
CIRCL published TR-23 Analysis - NetWiredRC malware - Thu Apr 24 2014
CIRCL takes part in the 2014 Data Breach Investigation Report - Wed Apr 23 2014
Critical vulnerability in OpenSSL 1.0.1 through 1.0.1f (inclusive) or 1.0.2-beta TLS heartbeat read overrun (CVE-2014-0160) leaking memory (e.g. secret keys).
Dynamic Malware Analysis Platform info page published - Mon Apr 7 2014
Panopticon - A System for a Network of Trusted Proxy Servers project is now open to CERTs and incident handlers - Mon Apr 7 2014
IP to ASN Mapping Service with History is now publicly accessible - Wed Apr 2 2014
In the light of the data protection day, CIRCL gave a talk “An Overview of Security Incidents Targeting Citizen How the Attackers Are Deceiving Us?” at the European Parliament - Tue Mar 25 2014
Port evolution: a software to find the shady IP profiles in Netflow published - Tue Feb 18 2014
A large scale abuse of CPE equipments from AVM (FRITZ!Box) vulnerable to a remote authentication bypass was disclosed on February 2014. The “Control Management Interface” recommendation described in CIRCL technical report TR-18 would have limited the impact of this attack.
Passive DNS - Common Output Format presentation given at the TF-CSIRT conference in Zurich - Thu Feb 13 2014
CIRCL Training And Technical Courses Catalogue 2014 published - Wed Jan 29 2014
UDP Protocols Security - Recommendations To Avoid or Limit DDoS amplification - Thu Jan 23 2014
Analysis of a PlugX malware variant updated with a loader to ease analysis - Fri Jan 17 2014
PBX and VoIP Security - Recommendations published - Mon Dec 16 2013
Open internship positions in 2014 published - Mon Dec 16 2013
Java.Tomdep (Apache Tomcat Malware) - Information, Detection and Recommendation published - Fri Nov 22 2013
CIRCLean (USB cleaner) new version of the image released - Thu Oct 17 2013
HoneyBot Services - Client Data Collection - Mon Oct 14 2013
Hand of Thief/Hanthie Linux Malware - Detection and Remediation published - Wed Aug 28 2013
Malware Information Sharing Platform or How to Share Efficiently IOCs Within a Country - Fri Jul 26 2013
CIRCLean a hardware and software solution to clean malicious documents from unknown USB drives released (BETA) - Fri Jul 26 2013
Malware analysis report of a stage 3 Miniduke malware sample publicly published - Thu May 30 2013
Malware analysis report of a Backdoor.Snifula variant publicly published - Wed May 29 2013
A real-time map of the attacks targeting Luxembourg is now published - Tue Apr 23 2013
Updated version of CIRCL automatic launch object detection for Mac OS X released - Wed Apr 10 2013
Analysis of a PlugX malware variant used for targeted attacks - Fri Mar 29 2013
Security Flaws in Universal Plug and Play (UPnP) - Disable UPnP - Wed Jan 30 2013
Another Perspective to IP-Darkspace Analysis - presented at TF-CSIRT/FIRST 2013 - Tue Jan 29 2013
How to detect Red October / Sputnik malware published - Wed Jan 16 2013
Malware/Ransomware Discovery and potential Removal (Windows 7) published - Thu Nov 02 2012
CIRCL Q4 2010-2011 trend report released - Wed Aug 29 2012
Updated version of CIRCL automatic launch object detection for Mac OS X released - Fri Apr 27 2012
CIRCL automatic launch object detection for Mac OS X released - Fri Apr 20 2012
incident handling guidelines added - Tue Mar 20 2012
dns-ok.lu to check if you are infected with the DNS Changer malware - Wed Feb 29 2012
TR-06 - DigiNotar incident and general SSL/TLS security consequences - Wed Sep 7 2011
SSL/TLS Security of Servers in Luxembourg - Mon Aug 22 2011
CIRCL is on Twitter - Fri May 13 2011
CIRCL technical report about the security of iOS based devices: CIRCL-TR_2011-01_iOSi - Tue Feb 8 2011

Press release

All of the press content release by CIRCL.

RSS

CIRCL RSS Feed

Open Data at CIRCL

0001-01-01T00:00:00Z

Open Data at CIRCL

CIRCL advocates data sharing and knows that sharing Open Data can lead to new research, analyses, software or services that could improve security on the long-term. We also hope that the data shared can be used for any usage including commercial or non-commercial security services within Luxembourg and abroad.

Open Data Definition

“Open data and content can be freely used, modified, and shared by anyone for any purpose” as defined by opendefinition.org.

Open Data Available at CIRCL

CVE and vulnerability information daily JSON dump

A daily JSON dump of all the CVE (Common Vulnerabilities and Exposures) along other vulnerability information is published on https://vulnerability.circl.lu/. There different files dumped by source of vulnerability:

https://vulnerability.circl.lu/dumps/

BGP Ranking data dump per AS number

BGP Ranking is a public service developed and operated by CIRCL starting from 2012 until today with the ranking of malicious activities seen per BGP AS number (e.g. ISP, Hosting companies). The historical data can be queried using the following format:

curl -X POST -d '{"asn": "5577", "date": 2019-11-11}' https://bgpranking-ng.circl.lu/json/asn

Note: it is possible to query historical information for the last ~12 months.

And if you want to see the data on the web interface: https://bgpranking-ng.circl.lu/asn?asn=5577.

Allaple malware infection statistics (raw data)

Allaple worm is a malware family still infecting multiple systems on the Internet. The statistics collected from our honeypot are available for the year 2015 at the following location:

Raw statistics of infection for Allaple worm

Classification datasets

More information about each dataset is available on their dedicated page.

circl-phishing-dataset-01 is a dataset of 400+ pictures of verified or potential phishing websites screenshots.

circl-ail-dataset-01 is a dataset of 37000+ pictures of dark-web’s websites screenshots. The final dataset will be composed of 37000+ images, the dataset is enlarged as it is classified, with part of 4000 pictures each.

Papers about Image Matching

We proposed in preprint some papers relative to Image Matching. One for the datasets, one for their classification tool, one about a framework to evaluate literature algorithms and one about the developed library which bundles relevant algorithms.

OpenData publication : arxiv.org/1908.02449
VisJS-Classificator tool : arxiv.org/1908.02941
Carl-Hauser framework : arxiv.org/1908.03449
Douglas-Quaid library: arxiv.org/1908.04014

CIRCL operational statistics

The operational statistics cover the activities related to the incident response activities of CIRCL especially in regards to the reporting (e.g. incident reports, request for analysis or support during computer security incident) and notifications (e.g. take-down notification, notification about vulnerability) from/to third parties.

Academic researchers who used our Open Data

Ralph Holz , Johanna Amann , Olivier Mehani , Matthias Wachs , Mohamed Ali Kaafar. “TLS in the wild: an Internet-wide analysis of TLS-based protocols for electronic communication”. download
Konte, Maria, Roberto Perdisci, and Nick Feamster. “ASwatch: An AS Reputation System to Expose Bulletproof Hosting ASes.” Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication. ACM, 2015. download
Wagner, Christoph, et al. “ASMATRA: Ranking ASs providing transit service to malware hosters.” Integrated Network Management (IM 2013), 2013 IFIP/IEEE International Symposium on. IEEE, 2013. download
Ghafir, Ibrahim, and Václav Přenosil. “ADVANCED PERSISTENT THREAT AND SPEAR PHISHING EMAILS.” DISTANCE LEARNING, SIMULATION AND COMMUNICATION 2015 (2015): 34. download
Ghafir, Ibrahim, and Vaclav Prenosil. “Malicious File Hash Detection and Drive-by Download Attacks.” Proceedings of the Second International Conference on Computer and Communication Technologies. Springer India, 2016. download
Vykopal, Jan. Flow-based Brute-force Attack Detection in Large and High-speed Networks. Diss. PhD thesis, Masaryk University, Brno, Czech Republic, 2013. download

If you used our data for your research, feel free to contact us if you want to be listed.

Classification of this document

TLP:CLEAR information may be distributed without restrictions. The document and the Open Data mentioned are licensed under an international CC-BY 4.0.

Revision

Version 1.3 October 12th, 2017 Operational Statistics of CIRCL added
Version 1.2 March 15th, 2016 New academics papers added TLP:CLEAR.
Version 1.1 December 10th, 2015 CVE JSON dump added TLP:CLEAR.
Version 1.0 October 27th, 2015 Initial version TLP:CLEAR.

Privacy notice

0001-01-01T00:00:00Z

Privacy notice

Last update: 20180504 - version 1.0 - This Privacy notice is licensed under a Creative Common Attribution 4.0 International (CC BY 4.0) license.

About this privacy notice

Your privacy is very important to us and it is our view that we, CIRCL (hereafter referred to as “we”), have an exemplary role in protecting it. Therefore, this Privacy Notice is created to inform you, the user of our website (hereafter referred to as “you”), about our data processing activities and your rights as a data subject.

We collect and process your personal data in accordance with the applicable data protection legislations such as, but not limited to, Regulation (EU) 2016/679 on the protection of natural persons with regards to the processing of their personal data and the free movement of such data (“GDPR”) and the national law adopting GDPR.

It may occur that we change or amend our Privacy Notice in order to ensure that its content accurately reflects regulatory developments. Any such modification, if substantial, will be clearly communicated to you, either via the website or via other appropriate means. The latest applicable version will be available on our website.

This privacy notice tends to avoid legal jargon which is less accessible.

Should you have any questions or remarks regarding this Privacy Notice, do not hesitate to contact us.

Processing of personal data

By “personal data” we understand any information that can identify you, both directly and indirectly.

By “processing” we refer to anything we do with such personal data, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

By “data controller” we understand the person responsible for the processing of your personal data, this is the entity which determines the means and purpose of the processing activities. For our website and all related services, the data controller is:

CIRCL - Computer Incident Response Center Luxembourg
c/o Luxembourg House of Cybersecurity g.i.e.
122, rue Adolphe Fischer
L-1521 Luxembourg
Grand-Duchy of Luxembourg
Tel: (+352) 247 88444
Email: info@circl.lu

What personal data do we collect on our website and to which end?

We collect and process your personal data in order to offer our services and provide you, the user, with a safe and comfortable experience when visiting our website. The following paragraphs provide a detailed indication of the personal data we collect and for which specified purposes.

When you are surfing our website, we collect and process web server logs, including IP addresses, user-agents, URLs, date and time logs. We collect those logs for our legitimate interest as these logs enable the technical and functional management of our website. Furthermore, we analyse the data to ensure optimal security of our website.

When you report an incident via the CIRCL report form, we process the reporter’s contact information and any other details of the reported incident (e.g. phishing email headers). We will use these details, if provided, for further case management and to facilitate our ticket system. In that case, we collect personal data for the public interest, to help our constituency handle security incidents (e.g. help with compromised websites).

When you use the URL abuse service, we process the source IP address of the submitter and the submitted URL.

Your public PGP key, should you choose to upload it, is collected and stored on our OpenPGP key server. We use your public PGP key to promote the use of encryption at large, for example in emails and for the Malware Information Sharing and Threat Intelligence Sharing Platform (MISP).

We confirm that we process your personal data in a fair and lawful manner and only for the explicit and legitimate purposes as above-mentioned. At all times, we strive to ensure that your personal data is adequate, relevant and not excessive in relation to the purposes for which they are processed.

Does our website use cookies?

No, our website does not use any cookies or analytic components.

How long do we retain your personal data?

In no circumstances, we keep your personal data for a longer period than strictly necessary to fulfil the purpose for which it was collected.

As the retention period is dependent on the purpose for which the personal data were initially collected, the purpose is the criterion that is used to determine the appropriate retention period.

After expiry of the retention period, we strive to securely erase, destroy or anonymize personal data that is no longer required in relation to the purpose for which they were collected.

Your personal data is only processed for internal purposes within CIRCL. We formally confirm that we will not sell, rent or otherwise commercially transfer to or share with a third party the personal data we are collected from our website. However we do share the public PGP key you uploaded in the PGP network, so your public key will be publicly available on our network.

Contact details of the reporter of an incident and all other information related to the incident will not be shared without the reporter’s consent, except if they are required in the scope of a legal investigation. For more information about sharing personal data in the scope of vulnerability disclosure, please refer to CIRCL’s responsible vulnerability disclosure statement and the “Confidentiality” section of CIRCL’s guide to report and incident.

CIRCL actively participates to Open Data initiatives in scope to better understand threats and security at large. Information shared in Open Data are pseudo-anonymized, reduced and aggregated in order to limit risk of potential information leak. Nevertheless, if any potential leak is discovered, please contact us.

As our web server is hosted and managed in Luxembourg, your personal data is in no circumstances transferred to third countries outside the EU.

Security of your personal data

We are striving to keep your personal data secure. To that end, we have adopted the appropriate legal, organizational and technical precautions to prevent any unauthorised access and use of your personal data. These measures include, but are not limited to the encryption of all traffic between our website and your browser.

Nevertheless, please note that perfect security is very difficult to reach.

Is any potential leak that you have discovered, please report it to CIRCL.

As a matter of transparency and consistency, CIRCL publishes information about leaks discovered in TR-46 - Information Leaks Affecting Luxembourg and Recommendations including any potential leak which could target CIRCL as is.

Your rights as a data subject

At CIRCL we aim to be transparent, not only about how we process personal data about you, but also about your rights that are linked to such processing. Therefore, we want to remind you of the existence of the following rights:

Right to request access to the personal data we hold about you;
Right to rectification or erasure of such data; and
Right to obtain restriction of processing or to object to such processing.

You can exercise these rights by contacting us through contact. In order to avoid unlawful access to your personal data, we will request you to provide a proof of your identity.

If you have any queries about this Privacy Notice or experiencing any other privacy issue, we are striving to promptly dealing with any privacy-related complaints. If you have a complaint related to the processing of your personal data by CIRCL, including a data breach, please contact us.

If you have questions regarding the way your request relating to personal data protection has been dealt with, please do not hesitate to contact us.

We are kindly open to work with you on this topic.

Projects and Software Developed by CIRCL

0001-01-01T00:00:00Z

CIRCL explores new engineering solutions to improve CSIRT operations and to predict and better react on current and future threats.

Projects

CIRCL leads or co-leads various open source projects which include the development, design, support and future of these projects. If you want to partner with us on a specific project, don’t hesitate to contact us.

Other Projects

Early Detection Network

CIRCL HoneyBot services consist of the distributed operation and exploitation of CIRCL HoneyBots. These services are part of a research project with the aim to improve security on Internet. A CIRCL HoneyBot is a low-interaction honeypot running on an embedded device, that is deployed in the premises of CIRCL partners. The HoneyBot listens to unused IP addresses specified by the partner. The HoneyBot sensor located in an unused network space of the partner (from one IP address to multiple IP addresses). The unused network space has no production network traffic and the traffic reaching such network space can be called background noise. This background noise contains malicious opportunistic attacks along with other traffic like backscatter traffic due to DDoS or misconfigurations.

potiron is a front-end software deployed for our partners to access their HoneyBot data. The software is developed and maintained by CIRCL and an access is given to the partners of the HoneyBot services.

CIRCLean - USB key sanitizer

This project aims to be used by people regularly receiving USB keys from untrusted sources. While they don’t know if the files are malicious, they are still interested to see the content of the files, without having to open the original and potentially malicious files.

For more information, CIRCLean, the USB key sanitizer including software and hardware requirements.

Panopticon - A System for a Network of Trusted Proxy Servers

Panopticon is a server application which acts as a stack of proxy servers from which the user can quickly select different exit points (parent proxies). Trusted partners are welcome to use this service as long as they can collaborate by adding a proxy on their side.

AIL framework - Framework for Analysis of Information Leaks

AIL framework is a modular framework to analyse potential information leak from unstructured data source like pastes from Pastebin or similar services. AIL framework is flexible and can be extended to support other functionalities to mine sensitive information.

Free Software

CIRCL regularly contributes to free software and open source software and with a special interest in software used to improve cybersecurity. Feel free to visit CIRCL github account.

BGP Ranking

BGP Ranking is a free software to calculate the security ranking of Internet Service Provider (ASN).

CIRCL operates the main public instance of BGP Ranking. In complement, the BGP Ranking software back-end is available as free software. BGP Ranking API free software are also available like the whois-like bgpranking-API, Python API to access BGP Ranking - doc or even the BGP Ranking visualisation using Hilbert map.

pcapdj

pcapdj is a pcap file dispatcher for processing very large set of pcap files. A use case with Suricata NIDS is included.

urlquery Python API

urlquery_python_api is a Python API to access urlquery service.

cve-search

cve-search is a free software to import CVE (Common Vulnerabilities and Exposures) and CPE (Common Platform Enumeration) in a local database for indexing, searching and processing locally vulnerability information.

lnf-tools

lnf-tools is a set of Perl, Python libraries and C code to analyze and process large set of Netflow records.

VirusTotal-tools

vt-tools set of tools to interact with the services from VirusTotal.

traceroute-circl

traceroute-circl is an extended traceroute software to support the activities of CSIRT operators.

CSIRT teams often have to handle incidents based on IP addresses received, this is where traceroute-circl tries to improve the tedious task of abuse determination and collection.

IP-ASN-history

We developed a service, freely accessible to the whole community, to look up IP addresses announcements in the past. The software back-end of IP-ASN-history is available.

Student jobs and internships

In addition to the projects listed here, CIRCL is also offering scholarships/internships for students. Please have a look at the site Internships page.

Publications and Presentations

0001-01-01T00:00:00Z

Publications

Description	Last update
TR-98 - Security Advisory Ivanti Endpoint Manager Mobile (EPMM) (CVE-2026-1281 & CVE-2026-1340) - Active Exploitation	9 February 2026
TR-97 - Supply Chain Compromise Propagating Through the npm Ecosystem (Shai-Hulud)	28 November 2025
TR-96 - Multiple Vulnerabilities in F5 Devices and Products - Impact and Mitigation	15 October 2025
TR-95 - Critical vulnerability - Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. CVE-2025-53770 - CVE-2025-53771	20 July 2025
TR-94 - Ongoing Phishing Campaigns Targeting Microsoft 365 Tenants Lacking Multi-Factor Authentication	22 May 2025
TR-93 - Financial transaction fraud after system compromise via Remote Management and Monitoring tools	26 February 2025
TR-93 (de) - Finanzbetrug nach Systemkompromittierung über Remote-Management- und Monitoring-Tools	26 February 2025
TR-93 (fr) - Fraude financière après compromission du système via des outils de gestion et de surveillance à distance	26 February 2025
TR-92 - Unused Domain Names and the Risks of Missing DNS SPF Records	22 January 2025
TR-91 - Vulnerability identified as CVE-2024-0012, affecting Palo Alto Networks PAN-OS software	20 December 2024
TR-90 - Vulnerability identified as CVE-2023-34990, affecting Fortinet FortiWLM	20 December 2024
TR-89 - Guidelines for Notifying CSIRT/CERT of Red Teaming and Penetration Testing Exercises	12 November 2024
TR-88 - Motivation, procedure and rational for leaked credential notifications	30 August 2024
Learning from the Recent Windows/Falcon Sensor Outage: Causes and Potential Improvement Strategies in Linux Using Open Source Solutions	23rd July 2024
TR-87 - CrowdStrike Agent causing BSOD loop on Windows - Faulty Update on Falcon Sensor	19th July 2024
TR-86 - Check Point VPN Information Disclosure (CVE-2024-24919) - Actively Exploited	31st May 2024
TR-85 - Three vulnerabilities in Cisco ASA software/applicance and FTD software being exploited	25th April 2024
TR-84 - PAN-OS (Palo Alto Networks) OS Command Injection Vulnerability in GlobalProtect Gateway - CVE-2024-3400	12th April 2024
TR-83 - Linux Boot Hardening HOWTO	3rd April 2024
TR-82 - backdoor discovered in xz-utils - CVE-2024-3094	30th March 2024
TR-81 - Critical FortiOS vulnerabilities in sslvpnd and fgfmd	9 February 2024
TR-80 - Targeted SMS and fake phone center call targeting financial/banking services	7 February 2024
TR-79 - AnyDesk Incident and Potential Associated Supply Chain Attack	5 February 2024
TR-78 - CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways	11 January 2024
TR-77 - Spear phishing and voice call scams targeting corporate executives and their accounting department	30 August 2023
TR-76 - Multiple high severity vulnerabilities in CODESYS V3 SDK could lead to RCE or DoS	14 August 2023
TR-75 - Unauthenticated remote code execution vulnerability in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) - CVE-2023-3519	21 July 2023
TR-74 - A heap-based buffer overflow vulnerability (CWE-122) in FortiOS - CVE-2023-27997	5 July 2023
TR-73 - Ransomware FAQ	7 March 2023
TR-72 - Vulnerable Microsoft Exchange server metrics leading to alarming situation	21 February 2023
TR-71 - FortiOS - heap-based buffer overflow in sslvpnd (exploited) - FortiOS SSL-VPN - CVE-2022-42475	13 December 2022
TR-70 - Vulnerabilities in Microsoft Exchange CVE-2022-41040 - CVE-2022-41082	30 September 2022
TR-69 - How to choose an ICT supplier from a security perspective	13 June 2022
TR-68 - Best practices in times of tense geopolitical situations	28 February 2022
TR-67 - local privilege escalation vulnerability in polkit’s pkexec utility	26 January 2022
TR-66 - Webservers with mod_status like debug modules publicly available leak information	15 December 2021
TR-65 - Vulnerabilities and Exploitation of Log4j (Remote code injection in Log4j)	10 December 2021
TR-64 - Exploited Exchange Servers - Mails with links to malware from known/valid senders	10 November 2021
TR-63 - Vulnerabilities and Exploitation of Pulse Connect Secure	21 April 2021
TR-62 - Leak of Facebook Data from 533 Million Users	6 April 2021
TR-61 - Critical vulnerabilities in Microsoft Exchange	12 March 2021
TR-60 - Phishing - Effects and precautions	26 June 2020
TR-59 - Remote Work - In times of a crisis	18 March 2020
TR-58 - CVE-2020-0796 - Critical vulnerability in Microsoft SMBv3 - status and mitigation	11 March 2020
TR-57 - Ransomware - Effects and precautions	10 December 2019
TR-56 - HTTP Strict Transport Security	19 March 2019
TR-55 - SquashFu - an alternate Open Source Backup solution, resilient to Crypto Ransomware attacks	12 September 2018
TR-54 - Sextortion scam emails - I know your password	3 August 2018
TR-53 - Statement about WHOIS and GDPR	12 April 2018
TR-52 - Forensic Analysis of an HID Attack	5 February 2018
TR-51 - How to react to fraudulent acts of third party invoicing or requesting funds without showing any purchase order	23 November 2017
TR-50 - WPA2 handshake traffic can be manipulated to induce nonce and session key reuse	16 October 2017
TR-49 - CVE-2017-7494 - A critical vulnerability in Samba - remote code execution from a writable share	26 May 2017
TR-48 - Cyber-Threats Indicators Sharing, security-related actionable information and future of Personal Data Protection framework in the EU - MISP and GDPR	6 March 2017
TR-47 - Recommendations regarding Abuse handling for ISPs and registrars	23 February 2017
TR-46 - Information Leaks Affecting Luxembourg and Recommendations	17 February 2017
TR-45 - Data recovery techniques	12 May 2016
TR-44 - Information security - laws and specific rulings in the Grand Duchy of Luxembourg	15 March 2016
TR-43 - Installing MPSS 3.6.1 to use a Intel Xeon Phi Coprocessor on Ubuntu Trusty 14.04 LTS	11 January 2016
TR-42 - CVE-2015-7755 - CVE-2015-7756 - Critical vulnerabilities in Juniper ScreenOS	21 December 2015
TR-41 (de) - Crypto Ransomware - Vorsichtsmaßnahmen und Verhalten im Infektionsfall	19 May 2016
TR-41 (fr) - Crypto Ransomware - Défenses proactives et de réponse sur incident	19 May 2016
TR-41 - Crypto Ransomware - Proactive defenses and incident response	13 May 2017
TR-40 - Allaple worm activity in 2015 and long-term persistence of worm (malware) in Local Area Networks	24 September 2015
TR-39 - CIRCL-SOPs Standard Operational Procedures	30 July 2015
TR-38 - Attacks targeting enterprise banking solutions - recommendations and remediations	9 May 2017
TR-37 - VENOM / CVE-2015-3456 - Critical vulnerability in QEMU Floppy Disk Controller (FDC) emulation	14 May 2015
TR-36 - Example setup of WordPress with static export	28 April 2015
TR-34 - How to view and extract raw messages in common email clients	13 March 2015
TR-33 - Analysis - CTB-Locker / Critroni	17 February 2015
TR-32 - key-value store and NoSQL security recommendations	10 February 2015
TR-31 - GHOST / CVE-2015-0235 - glibc vulnerability - gethostbyname	29 January 2015
TR-30 - Acquisition Support Tools for Local Incident Response Teams (LIRT)	16 December 2020
TR-29 - NTP (Network Time Protocol) daemon - ntpd - critical vulnerabilities	2 January 2015
TR-28 - The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, are vulnerable to critical padding oracle attack - CVE-2014-3566	15 October 2014
TR-27 - GNU Bash Critical Vulnerability - CVE-2014-6271 - CVE-2014-7169	10 October 2014
TR-26 - Security Recommendations for Web Content Management Systems and Web Servers	28 April 2015
TR-25 - Analysis - Turla/Pfinet/Snake/Uroburos/Pfinet	10 July 2014
TR-24 - Analysis - Destory RAT family	3 June 2014
TR-23 - Analysis - NetWiredRC malware	26 November 2014
TR-22 - Practical Recommendations for Readiness to Handle Computer Security Incidents	15 December 2020
TR-21 - OpenSSL Heartbeat Critical Vulnerability	17 April 2014
TR-20 - Port evolution: a software to find the shady IP profiles in Netflow	18 February 2014
Training And Technical Courses Catalogue 2014	29 January 2014
TR-19 - UDP Protocols Security - Recommendations To Avoid or Limit DDoS amplification	8 July 2015
TR-18 - PBX and VoIP Security - Recommendations	19 February 2014
TR-17 - Java.Tomdep (Apache Tomcat Malware) - Information, Detection and Recommendation	22 November 2013
TR-16 - HoneyBot Services - Client Data Collection	14 October 2013
TR-15 - Hand of Thief/Hanthie Linux Malware - Detection and Remediation	29 August 2013
TR-14 - Analysis of a stage 3 Miniduke malware sample	3 July 2014
TR-13 - Malware analysis report of a Backdoor.Snifula variant	29 May 2013
TR-12 - Analysis of a PlugX malware variant used for targeted attacks	17 January 2014
TR-11 - Security Flaws in Universal Plug and Play (UPnP)	30 January 2013
TR-10 - Red October / Sputnik malware	16 January 2013
TR-09 - Malware Discovery and potential Removal (Windows 7)	31 August 2012
CIRCL 2011 trend report	29 August 2012
TR-08 - CIRCL automatic launch object detection for Mac OS X	23 January 2015
TR-07 - HOWTO find SMTP headers in common Email clients	13 March 2015
TR-06 - DigiNotar incident and general SSL/TLS security consequences	7 September 2011
TR-05 - SSL/TLS Security of Servers in Luxembourg	22 August 2011

Presentations

Description	Last update
CSIRT Tooling: Best Practices in Developing, Maintaining and Distributing Open Source Tools	8th November 2018
Fail frequently to avoid disaster or how to organically build a threat intel sharing standard	7th December 2017
How to better understand DDoS attacks from a post-mortem analysis perspective using backscatter traffic Luxembourg Internet Days 2017	15th November 2017
DDoS and Attribution: Observations of Attacks against North Korea	15th November 2017
IoT dinosaurs - don’t die out	24 October 2017
An extended analysis of an IoT malware from a blackhole network	1st June 2017
Challenges for law firms: IT security threats and incidents for law firms - practical examples	12 May 2017
Honeypots Observations and Their Usefulness	15 March 2017
Introduction to Forensic at the #cybersecurity4success conference	3 October 2016
Data Mining in Incident Response - Challenges and Opportunities	13 May 2016
Experiences with Paste-Monitoring	18 March 2016
Four years of practical information sharing MISP - Malware Information Sharing Platform & Threat Sharing	25th February 2016
Information Sharing and Taxonomies Practical Classification of Threat Indicators using MISP	26th January 2016
Improving Data Sharing to Increase Security Research Opportunities	2nd November 2015
cve-search - a free software to collect, search and analyse common vulnerabilities and exposures in software	9th October 2015
Protect your data, protect your life. Data Destruction Day	22nd September 2015
New ZeroMQ functionality in MISP	2nd July 2015
Sharing Threat Indicators and Security Ranking, an opportunity for the Internet Community	18 November 2014
Attackers benefit from sharing information. How can you benefit, too? at ICTSpring	4 July 2014
The void - An interesting place for network security monitoring Cynthia Wagner, Marc Stiefer (RESTENA), Alexandre Dulaunoy, Gérard Wagener (CIRCL) at TNC 2014	19 May 2014
Information Sharing Cornerstone in Incident Detection and Handling at DBIR presentation in Paris	15 May 2014
Darknet and Black Hole Monitoring a Journey into Typographic Errors at Honeynet Project Workshop in Warsaw	12 May 2014
An Overview of Security Incidents Targeting Citizen How the Attackers Are Deceiving Us?	15 March 2014
Passive DNS - Common Output Format	14 February 2014
Who targets the journalists? and how? A review of the attack surface in our digital society	7 February 2014
Malware Information Sharing Platform or How to Share Efficiently IOCs Within a Country	26 July 2013
BGP Ranking Scoring ASNs Based on Their Potential Maliciousness	23 June 2013
ASMATRA: Ranking ASs Providing Transit Service to Malware Hosters	29 May 2013
Another Perspective to IP-Darkspace Analysis	29 January 2013

The Digital First Aid Kit

The Digital First Aid Kit aims to provide preliminary support for people facing the most common types of digital threats. The Kit offers a set of self-diagnostic tools for citizen, human rights defenders, bloggers, activists and journalists fac ing attacks themselves, as well as providing guidelines for digital first responders to assist a person under threat.

Description	Last update
	2nd September 2014
	2nd September 2014
	2nd September 2014
	2nd September 2014
	2nd September 2014
	2nd September 2014

The Digital First Aid Kit (German Edition)

Description	Last update
	18th March 2015
	26th March 2015

Security Advisories

Description	Last update
CVE-2017-13671 - Vulnerability in MISP (Malware Information Sharing Platform) and Threat Sharing - potential persistent cross site scripting vulnerability in the comments	25th August 2017
CVE-2015-5721 - Vulnerability in MISP (Malware Information Sharing Platform) - potential PHP Object injection vulnerability	4th August 2015
CVE-2015-5720 - Vulnerability in MISP (Malware Information Sharing Platform) - XSS in template creation	4th August 2015
CVE-2015-5719 - Vulnerability in MISP (Malware Information Sharing Platform) - Incorrect validation of temporary filenames	4th August 2015
CVE-2015-4096 - Vulnerability in CIRCLean where security measure can be bypassed with polyglot files	30th June 2015
CVE-2015-1035 - Vulnerability in HRIS software (HRMS product) - Reflective XSS	30th June 2015
CVE-2015-1036 - Vulnerability in HRIS software (HRMS product) - SQL injection (as an authenticated user)	30th June 2015
CVE-2015-4099 - SysAid “Service Desk” - security advisory 02 - Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)	30th June 2015

Other publications

Description	Last update
Coordinated Vulnerability Disclosure (CVD) Policy	18th June 2025
CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection	15th March 2018
Responsible Vulnerability Disclosure	10th January 2015
Traffic Light Protocol (TLP) - Classification and Sharing of Sensitive Information	March 2014
CIRCL - Request for Proposals	Regularly Updated

Report an Incident

0001-01-01T00:00:00Z

Report an Incident

Incidents can be reported via e-mail or phone. See our contact page for details including OpenPGP information.

What is an Incident

Any adverse event whereby some aspect of security could be threatened, as described in ITU-T E.409.

Some examples of computer security incidents are:

Unauthorized use of a computer system
Compromised systems with malware
Phishing attempts
Website defacement
Software vulnerabilities (check our Responsible Vulnerability Disclosure procedure)

If you want to review a website/phishing URL before submitting a notification to us, you can use CIRCL URL Abuse.

Guideline for Incident Reporting

DISCLAIMER: If you consider criminal prosecution by filing a complaint, contact the police at first.

If you believe you encountered or identified an incident, please complete - as detailed as possible - the form available at

Anonymous contact form

or send an - preferably GPG/PGP encrypted - email to

info@circl.lu

In case of emergency, you reach CIRCL on their direct phone line

(+352) 247 88444

All reported information will be treated confidentially.

Recommendations

CIRCL encourages you to implement the following guidelines:

CIRCL should be informed as soon as possible once an incident has been detected or suspected
- The first action to undertake should be contacting CIRCL
- CIRCL may act as support for advising you on emergency actions that could be performed
As far as possible, actions performed on systems/services should aim to preserve evidences
Once an incident has been detected, every actions undertaken in relation with this incident should be noted
who, what, when, why, expected outcome of the action and actual outcome
This implies actions that are dedicated to be performed on systems/services or not
The crime scene should neither be altered nor modified (as far as possible)
- Instead of turning off a system, unplugging the network connection is usually the better choice regarding the possibility of evidence collection
- Software, applications, files, data or logs should not be installed, re-installed, copied, moved or deleted from the impacted system/services
- This guideline applies also to systems/services other than those impacted by the incident: in case of incident, other systems/services can be helpful for the collection of (additional) evidences or to understand/identify the root cause of the incident
No major changes should be implemented on the impacted systems/services
- No actions other than those dedicated to contain the incident should be performed
- The eradication of the root cause of the incident/the recovery from the incident should not be performed without evaluating the impact on the evidence
When reporting, please be specific about time and time-zone.
- Don’t forget to include contact details including phone numbers or PGP keys if available.
In the scope of collecting evidences, we advise to have a look at the following technical procedure:

Confidentiality

The primary goal of CIRCL is to help the victims of information security incidents (mainly in Luxembourg), respecting the strict confidentiality of the reported incidents at the same time. CIRCL will not give any details to third-parties without the prior consent of the victims.

In case of legal complaints, CIRCL helps the Luxembourgish law enforcement agencies. A search warrant is one of the techniques used by law enforcement agencies to clear out a current legal investigation.

CIRCL’s role is to respond to information security incidents along with its coordination. CIRCL is on the front line for the sole interest of the information security in Luxembourg.

Security Advisories

0001-01-01T00:00:00Z

Services

0001-01-01T00:00:00Z

CIRCL provides a large range of services on a national scale:

Incident Coordination and Incident Handling

The available services are:

Reporting of security incidents
Incident identification, triage, analysis and response
Technical investigation:
- Incident correlation
- Malware analysis and reverse engineering
- System and network forensic analysis
- Security vulnerability assessment
- Information leak analysis and data mining
Online services to support incident response and analysis
- https://pandora.circl.lu/ - quick, private and simple suspicious document analysis.
- https://lookyloo.circl.lu/ - check and review URLs and website.
- https://hashlookup.circl.lu/ - hashlookup online service to check the existence of a file in known public distributions.
Threat indicators and intelligence sharing platform for the private sector - MISP
International and national CERT/CSIRT cooperation and also with Local Incident Response Teams (LIRT)
Incident coordination might also include vulnerability handling and responsible vulnerability disclosure on incident reporter’s request
Access to the CIRCL newsletter
Training And Technical Courses (PDF Catalogue)

Incident Handling Support Tools and Services

Pandora is an analysis framework to discover if a file is suspicious and conveniently show the results.
URL Abuse and LookyLoo to check and review security of URLs
cve-search Common Vulnerabilities and Exposures (CVE) web interface and API
IP address to ASN mapping whois service including 4 years of historical data
Passive DNS, historical DNS records database (access on request, contact us)
Passive SSL services, historical database of SSL certificate per IP address (access on request, contact us)
Dynamic malware analysis platform (access on request, contact us)
Threat indicators sharing platform for private sector - MISP (access on request, contact us)
Network services exposure change detection

Data Feeds and Early Detection Network

Private and public organizations in Luxembourg can benefit from our early detection network by hosting a sensor in their unused network spaces
CIRCL provides a contextual feed containing all software vulnerabilities including visibility ranking in Luxembourg

Additional Request or Research Project Partnership

CIRCL is also working with private and public organizations in order to foster research in the security field. Don’t hesitate to contact us, if you would like to discuss a research partnership.

CIRCL is actively working on different projects where contributors are welcome to participate and reuse software in their own organizations.

CIRCL

CIRCL Team Members

Team Members

Operational Core Team

Business and Legal Support Team

Anonymous Incident Report Form

Botfree.lu - Luxembourg anti-botnet support - ACDC Luxembourg support center

Botfree.lu - Luxembourg anti-botnet support - ACDC Luxembourg support center

My PC is infected and I am looking for support

I received a malicious or suspicious link

I have a security incident in my company

I found illegal content on the Internet, what should I do?

Where can I find more documentation about security?

I have a different information security incident, not matching any of the above categories. Whom can I contact?

About the European Advanced Cyber Defense Center project

CIRCL - Contact

Postal address

Important: An appointment is required for every meeting in our offices.

Telephone

E-mail (ticketing system)

CIRCL Situational Awareness

Introduction

Topic: IoT security

Observed abuse using UDP packets with shell escaped payload

URL lifetime in shell escaped payload

URL activity in shell escaped payload

Topic: Human errors

DNS queries (A) received by honeypot

Classification of this document

References

Revision

Mission Statement

RFC2350

Accreditations

News

Press release

RSS

Open Data at CIRCL

Open Data at CIRCL

Open Data Definition

Open Data Available at CIRCL

CVE and vulnerability information daily JSON dump

BGP Ranking data dump per AS number

Allaple malware infection statistics (raw data)

Classification datasets

Papers about Image Matching

CIRCL operational statistics

Academic researchers who used our Open Data

Classification of this document

Revision

Privacy notice

Privacy notice

About this privacy notice

Processing of personal data

What personal data do we collect on our website and to which end?

Does our website use cookies?

How long do we retain your personal data?

Sharing personal data

Security of your personal data

Your rights as a data subject

Projects and Software Developed by CIRCL

Projects

Other Projects

Early Detection Network

CIRCLean - USB key sanitizer

Panopticon - A System for a Network of Trusted Proxy Servers

AIL framework - Framework for Analysis of Information Leaks

Free Software

BGP Ranking

pcapdj

urlquery Python API

cve-search

lnf-tools

VirusTotal-tools

traceroute-circl

IP-ASN-history

Student jobs and internships

Publications and Presentations

Publications

Presentations