Publications and Presentations on CIRCL

Account Hijacking

Mon, 01 Jan 0001 00:00:00 +0000

The Digital First Aid Kit

The Digital First Aid Kit aims to provide preliminary support for people facing the most common types of digital threats. The Kit offers a set of self-diagnostic tools for citizen, human rights defenders, bloggers, activists and journalists facing attacks themselves, as well as providing guidelines for digital first responders to assist a person under threat.

Account Hijacking

Are you having a problem accessing an email, social media or web account? Does an account show activity that you do not recognize? There are many things you can do to mitigate this problem.

CIRCL - AI Strategy

Mon, 01 Jan 0001 00:00:00 +0000

AI Strategy

Vision & Mission

Our vision is to enhance the capabilities of our Computer Security Incident Response Team (CSIRT) by strategically integrating Artificial Intelligence. AI is not a replacement for human analysts but a powerful tool to augment their expertise.

Our mission is to leverage AI to process, analyze, and extract value from data sources that are currently underutilized, thereby improving our operational outcomes in threat intelligence and incident response. Additionally to automate repetitive and easily reproducible existing processes.

CIRCL - Coordinated Vulnerability Disclosure (CVD) Policy

Mon, 01 Jan 0001 00:00:00 +0000

CIRCL - Coordinated Vulnerability Disclosure (CVD) Policy

CIRCL, in its role as a Computer Security Incident Response Team (CSIRT) under the NIS 2 Directive, receives reports concerning vulnerabilities in ICT products, ICT services, or processes, or discovers such vulnerabilities through its own activities. This Coordinated Vulnerability Disclosure (CVD) policy outlines the structured process CIRCL follows, acting as a trusted intermediary to facilitate interaction between the reporting entity/individual and the manufacturer or provider of the affected ICT product or service (’the entity concerned’).

CIRCL - Virtual Summer School (VSS) 2025

Mon, 01 Jan 0001 00:00:00 +0000

CIRCL - Virtual Summer School (VSS) 2025

From 7 July to 18 July 2025, CIRCL will host a two-week online training event featuring hands-on sessions on various tools developed and maintained by CIRCL, as well as training in digital forensics and incident response (DFIR) techniques.

All time slots are in local Luxembourg time. The sessions are open to everyone: just connect using the provided Zoom link.

The sessions will be recorded, and if the recording quality is sufficient, they will be published afterward.

CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection

Mon, 01 Jan 0001 00:00:00 +0000

Taxonomy - Schemes of Classification in Incident Response and Detection

A key success factor, while performing incident response, is to share a common understanding of the security incident. A common definition can be achieved by a shared vocabulary as described below.

Incident Classification

Incident classification is the classification of the method(s) used by an attacker through unauthorized access, destruction, disclosure, modification of data, and/or denial of service (ref:ENISA). An incident can cover one or more types of incident classification as described below.

DDoS Mitigation

Mon, 01 Jan 0001 00:00:00 +0000

The Digital First Aid Kit

DDoS Mitigation

A threat faced by many independent journalists, news sites and bloggers is having their voices muted because their website is down or defaced. In many cases, this maybe an innocent and frustrating problem, but on occasion, it may be due to a ‘denial of service’ attack or a website takeover. This section of the Digital First Aid Kit will walk you through some basic steps to diagnose potential problems. If your site is under a denial of service attack, some immediate options for next steps are suggested.

Devices Lost? Stolen? Seized?

Mon, 01 Jan 0001 00:00:00 +0000

The Digital First Aid Kit

Devices Seized? Lost? Stolen?

Is your device lost? Has it been stolen or seized by a third party? In any of these incidences it is very important to get a clear picture of what happened, what kinds of data and accounts may be vulnerable as a result and what steps must be taken to prevent the leaking and misuse of your information, contacts and accounts.

Geräte verloren? Gestohlen? Beschlagnahmt

Mon, 01 Jan 0001 00:00:00 +0000

2. Geräte verloren? Gestohlen? Beschlagnahmt

Der Digitale Erste-Hilfe-Kasten

Der Digitale Erste-Hilfe-Kasten ist ein Hilfsmittel, dass sich an Menschen richtet, die den häufigsten Arten der digitalen Bedrohung ausgesetzt sind. Der Erste-Hilfe-Kasten bietet eine Reihe von Werkeugen zur Selbstdiagnose für Bürger, Menschenrechtsaktivisten, Blogger, Aktivisten und Journalisten, die selbst Ziel von Angriffen werden, sowie Leitlinien für digitale Notfallhelfer, um einen bedrohten Nutzer zu unterstützen.

Glossary

Mon, 01 Jan 0001 00:00:00 +0000

The Digital First Aid Kit

Glossary

DDoS / Distributed Denial of Service Attack: A ‘Denial of Service’ attack is where a malicious user (or users) crowd out legitimate users of a service such as a website or a chat server. Sometimes it’s one ‘attacker’ trying to do this to your site, which doesn’t usually cause much of a problem - unless you pay for bandwidth. More common is the ‘Distributed’ Denial of Service (DDoS), where an attacker uses thousands of machines under his control to targets a site.
DNS Record: The DNS record is like the master contact list of phone book of the internet. All website servers are identified by a series of numbers and/or coded letters (the IP Address) - Google.com is 74.125.228.69, for example. By changing this record, you can give out a different IP Address for a website, i.e. a new hosting provider’s address or a proxy for your original website.
Domain Name: The human-readable name of your website - Google.com, for example.
End-to-end encryption: means that messages or files leave your device encrypted and remain encrypted until they reach the rights address (a specific user).
Hibernate: A process by which the computer will attempt to use the least amount of energy while providing the ability to boot up quickly. Like the sleep state, the system shuts down the display, hard drives and remotely connected devices, but will continue providing enough power to the computer to start quickly. It does this by writing the content of the memory to a file on the disk. On some computers the hibernate state can lower the security of the system. See also: Sleep
IM: Instant Messaging. Examples of Instant Messaging are services like Google Chat and Facebook Chat, or any service using the XMPP (Jabber) method.
Nameserver: When a browser wants to find a website it will first contact a name server. This tells the browser to connect the domain name (Google.com) to it’s internet address / IP Address (74.125.228.69) via it’s DNS Record (above). By changing the DNS record at a name server, you can ‘point’ the browser to a different server.
- Technically speaking the browser still checks with /etc/hosts before going to DNS, that’s how one can block access to FB on their computer by routing facebook.com to another IP address. It is also useful for accessing some websites blocked through DNS blocks.
Sleep: The operating system shuts down the display, hard drives and remotely connected devices off but will continue providing enough power to the computer to start quickly. Unlike the Hibernate state, the content of the memory is not written to disk.
SSL: See explanation Transport Layer Encryption or Wikipedia
SRV or Service record: A Service record or SRV record is the record in the Domain Name System that defines the location, (the hostname and port number) of servers for specified services.
Threat modeling: a way to make a assessment of the threats you are facing, the origin from the threat and the assets you are trying to protect. The threat can vary depending on your location, what you do and who you are working with.
Transport Layer Encryption: are cryptographic protocols (Transport Layer Security (TLS) and Secure Sockets Layer (SSL) designed to provide secure communication channels over the Internet.
Vetting: is the process of performing a background check on an individual or an organization before engaging into a financial, service or other type of relationship with them.
Website host: The server where your website and its files/databases are stored.
See also

About The Digital First Aid Kit

The Digital First Aid Kit is a collaborative effort of EFF, Global Voices, Hivos & the Digital Defenders Partnership, Front Line Defenders, Internews, Freedom House, Access, Qurium, CIRCL, IWPR, Open Technology Fund and individual security experts who are working in the field of digital security and rapid response. It is a work in progress and if there are things that need to be added, comments or questions regarding any of the sections please go to Github.

IXPs Operational Security

Mon, 01 Jan 0001 00:00:00 +0000

Operational Security of Internet Exchange Points (IXPs)

Overview

Internet Exchange Points (IXPs) are important elements for the overall Internet operational infrastructure. They are the fundament, allowing shortest path routing, network latency limitation and flexible peering in regional areas. An IXP includes a significant number of network components which interact with users who have different levels of trust. Ensuring an adequate operational security allows the IXP to provide stable, efficient and secure services to their users.

Konto-Diebstahl

Mon, 01 Jan 0001 00:00:00 +0000

1. Konto-Diebstahl

Der Digitale Erste-Hilfe-Kasten

Konto-Diebstahl

Sie wollen auf Ihre E-Mails, soziale Netzwerke oder einen ihrer anderen Online-Dienste zugreifen, haben aber Probleme beim Anmelden? Möglicherweise gibt es auf einem Ihrer Online-Konten seltsame Aktivitäten, die Sie so nicht nachvollziehen können? Der Verdacht auf einen Konto-Diebstahl liegt nahe. Keine Panik, denn es gibt Möglichkeiten, um diesen Problemen zu begegnen.

Learning from the Recent Windows/Falcon Sensor Outage - Causes and Potential Improvement Strategies in Linux with Open Source

Mon, 01 Jan 0001 00:00:00 +0000

Learning from the Recent Windows/Falcon Sensor Outage: Causes and Potential Improvement Strategies in Linux Using Open Source Solutions

At the time of writing, most people have probably heard about the massive Windows outage caused by a faulty kernel driver in Falcon Sensor, a CrowdStrike software. On Friday, July 19, 2024, a software configuration update designed to target newly observed malicious artifacts used in cyberattacks prevented several million Windows machines to boot. How can a configuration file crash an OS? Because the real issue is not the configuration file itself, but the kernel driver using it. Let’s take a quick, non-technical tour of the potential reasons behind this situation, how it is addressed in the Linux kernel, and what you as users or customers can do to avoid such issues.

Malware

Mon, 01 Jan 0001 00:00:00 +0000

The Digital First Aid Kit

Malware

‘Malware’ is malicious software that facilitates an unauthorized takeover of your device by another user, government or third party to perform surveillance functions such as recording keystrokes, stealing passwords, taking screenshots, recording audio, video and more. While most malware is designed for and utilized by criminals, state-sponsored actors have increasingly adopted malware as a tool for surveillance, espionage and sabotage. Malware is used to gain control of devices. It exploits access to the device to send out spam, seize banking, email or social media credentials, shut down websites and collect vital information from journalists, human rights defenders, NGOs, activists and bloggers. If you suspect a malware infection on your device here are some things you can do:

Responsible Vulnerability Disclosure

Mon, 01 Jan 0001 00:00:00 +0000

Responsible Vulnerability Disclosure

CIRCL, with its role as a CERT, receives reports about new vulnerabilities in software and hardware products or discovers them itself. The process of responsible vulnerability disclosure is described in the document to ensure an adequate collaboration with the vendors and/or the reporters. The two main objectives of the procedure are to get the vulnerability corrected and to ensure a safe notification to the users or customers at the end of the overall process.

Secure Communication

Mon, 01 Jan 0001 00:00:00 +0000

The Digital First Aid Kit

Secure Communication

This section will provide you with guidance on ways to establish secure communication when reaching out for help when confronted with a potential digital attack. As a general rule, it is important to understand that most ’normal’ communications tools are not very secure against eavesdropping. Mobile and landline phone communication is not encrypted and can be listened to by governments, law enforcement agencies, or other parties with the necessary technical equipment. Sending unencrypted communication is like sending a postcard, anyone who has access to the postcard can read the message. Sending encrypted communication is like placing the postcard inside a safe and then sending the safe, which only you and those you trust know the combination to and are able to open and read the message.

Summer hackathon - Open Source Security Hackathon - Improving and integrating CERT/CSIRT tools

Mon, 01 Jan 0001 00:00:00 +0000

Summer hackathon - Open Source Security Hackathon - Improving and integrating CERT/CSIRT tools

CIRCL organises the fourth Open Source Security Software Hackathon on August 7-9 2018.

This 3-days Hackathon is dedicated to Free/Open Source Software in the field of cybersecurity. The aim is to gather various developer groups to collaborate on challenging programming problems in the field of cybersecurity: from information sharing, network/system forensic, data mining challenges, network/computer exploitation or defense. The objective of the Open Source Security Software Hackathon is also to improve the interoperability and exchange between the different security tools. We would like to focus (but not limit) to applicability on the CERT/CSIRT community.

TR-05 - SSL/TLS Security of Servers in Luxembourg (August 2011)

Mon, 01 Jan 0001 00:00:00 +0000

Overview

The SSL/TLS cryptographhic protocols are used to ensure confidentiality, integrity and authentication of data communications, for instance between a customer and a company during a transaction in a web shop on the Internet. Without the invention and dominant usage of SSL/TLS, confidential communication like money transfers and online shopping wouldn’t be possible today. Correct implementation and configuration of SSL/TLS are therefore vital for establishing a trustful relation between online businesses and their customers.

TR-06 - DigiNotar incident and general SSL/TLS security consequences (September 2011)

Mon, 01 Jan 0001 00:00:00 +0000

Overview

It appears that recently an attacker or a group of attackers gained access to the certificate management infrastructure of the Dutch Certificate Authority (CA) ‘DigiNotar’. The attacker issued several certificates for high profile sites. These certificates can be used to intercept information on communication paths that are usually trusted for their integrity and authenticity. It is highly advised to install all available browser and operating system updates and to remove the compromised DigiNotar CA certificate.

TR-07 - HOWTO find SMTP headers in common Email clients

Mon, 01 Jan 0001 00:00:00 +0000

Overview

Next to the user visible part of the mail body, emails also contain a header part, normally not visible to the user. The body mainly consists of the message itself while the header contains meta informations, most of which was added by the servers that handled the email.

For attackers it is easy to modify information, which is visible to the user, like for example the “From” field, to send spoofed emails. Email is therefore not reliable.

TR-08 - CIRCL automatic launch object detection for Mac OS X

Mon, 01 Jan 0001 00:00:00 +0000

Abstract

Current Mac OS X malware often persists and automatically starts by using the built-in launch system ¹. This tool makes use of Automatic Folder Actions ² in order to create a very basic but effective way of monitoring the addition of new launch objects to standard locations. In case a new object is placed in one of the monitored directories, a pop-up informs the user about the change, who then has in turn to decide if the change was legitimate or not. The new version is also monitoring locations where plug-ins are installed, for instance for common Internet browsers. The list of locations is displayed below. Besides displaying added files, this tool can also set up a log file where changes are recorded.

TR-09 - Malware Discovery and potential Removal (Windows 7)

Mon, 01 Jan 0001 00:00:00 +0000

What is Malware / Ransomware

Malware is any kind of malicious unwanted software which may prevent your PC from working properly. Ransomware is malicious software which deny access to your PC. The intruder likes to force you to pay some ransom to get back access again.

Goal of the paper

Depending on the Malware your computer is infected with, this paper could help you to get access back to your PC again.

TR-10 - Red October / Sputnik malware

Mon, 01 Jan 0001 00:00:00 +0000

Overview

Red October is a malware family, also named Sputnik, which was detected in October 2012 by Kaspersky. It was active since 2007, installations have been spotted around the globe and targets were diplomatic and governmental agencies. The malware usually was sent by email to selected people in the respective organizations. As a cover, different office file formats have been used to transport the loader of the malware, using different exploits to drop the malicious content. After several stages of unpacking, the malware is running persistently on the computer and only when it successfully probes internet connectivity, it decrypts a separate file and starts to behave maliciously: it connects to a Command and Control server, awaiting new commands or downloading and executing specific malware modules.

TR-11 - Security Flaws in Universal Plug and Play (UPnP) - Disable UPnP

Mon, 01 Jan 0001 00:00:00 +0000

Overview

UPnP (Universal Plug and Play) is a network protocol that allows to discover network services and also is able to (re-) configure network equipment in order to seamlessly make network devices work together. When turned on, this network protocol is accessible on UDP port 1900. This port must not be accessible from the internet (unless one has good reason to do so). According to the research of Rapid 7 ¹, the service is widely turned on on Internet facing devices and therefore accessible from the Internet. At most, home Internet routers are concerned.

TR-12 - Analysis of a PlugX malware variant used for targeted attacks

Mon, 01 Jan 0001 00:00:00 +0000

Overview

This report is the analysis of a Remote Access Tool (RAT) which is usually named PlugX (also known as Gulpix, Korplug). This malware is often used in targeted attacks against private organizations, governments, political organization and even some individuals. This PlugX variant is interesting on several aspects like the use of a perfectly valid signed binary in order to perform its attack. It also features mechanisms in order to defeat protection like Windows UAC (User Account Control). The purpose of the analysis is to improve the detection at the potential victims site but review the security measures in place within other organization to limit the impact of such targeted attack.

TR-13 - Malware analysis report of a Backdoor. Snifula variant

Mon, 01 Jan 0001 00:00:00 +0000

Overview

Trojan horses and particularly information stealing malware are a prevalent risk in information security. According to Symantec, Snifula is a family of information stealing trojan horses known since 2006 and the developers enhanced it over the years up to the current version (see report for a history). The actual version is - like its predecessors - not spread very widely, but has some unusual and underestimated capabilities that go farther than stealing passwords or files from an infected computer. A main ability of the malware is the X.509 certificate on file-system stealing functionality, which is in its maliciousness beyond the usual information stealing scenarios and generally only considered being a theoretical attack in most organizations. This report shows that the threat is real and being used in targeted attacks - and that the attackers can reach this goal by using documented Windows functions only.

TR-14 - Analysis of a stage 3 Miniduke malware sample

Mon, 01 Jan 0001 00:00:00 +0000

Overview

In the scope of targeted attacks with a malware labeled as Miniduke by Kaspersky Labs, CIRCL was interested in the way the malware’s later stages work and what kind of interesting information they reveal (e.g. techniques, style, IOCs). No public analysis was found except the mention in Kaspersky’s report of a custom backdoor, so CIRCL took one of the known samples and started this analysis.

Report

Analysis of a stage 3 Miniduke malware sample (version 1.2, July 3 2014)

Recommendation

CIRCL recommends private organizations or any potential targets to verify the Indicator of Compromise (IOCs) during the year 2012 contained in the report to detect any potential infection. CIRCL can be contacted in case of detection.

TR-15 - Hand of Thief/Hanthie Linux Malware - Detection and Remediation

Mon, 01 Jan 0001 00:00:00 +0000

Overview

A recent Linux malware targeting Linux desktop users has been seen in some forums. The malware is called “Hand of Thief” or Hanthie. Usually Linux malware tends to compromise Linux server installations and not desktop users. But in the case of Hanthie, it’s different, the malware is targeting Linux desktop installations. The core functionalities of the malware are form and cookie grabbing in Firefox, Chrome and Chromium. There is a backdoor functionality to access the PC via a reverse shell or via a SOCKS connection.

TR-16 - HoneyBot Services - Client Data Collection

Mon, 01 Jan 0001 00:00:00 +0000

Overview

CIRCL HoneyBot services consist of the distributed operation and exploitation of CIRCL HoneyBots. These services are part of a research project with the aim to improve security on Internet. A CIRCL HoneyBot is a low-interaction honeypot running on an embedded device, that is deployed in the premises of CIRCL partners. The HoneyBot listens to unused IP addresses specified by the partner. The HoneyBot sensor located in an unused network space of the partner (from one IP address to multiple IP addresses). The unused network space has no production network traffic and the traffic reaching such network space can be called background noise. This background noise contains malicious opportunistic attacks along with other traffic like backscatter traffic due to DDoS or misconfigurations. The CIRCL HoneyBot project is now part of the D4 project.

TR-17 - Java.Tomdep - Information, Detection and Recommendation

Mon, 01 Jan 0001 00:00:00 +0000

Overview

Java.Tomdep is a network worm copying itself between Apache Tomcat servers. When successful, it opens a backdoor connection to several Command and Control (C&C) servers. The reasons for CIRCL to address this threat in a technical report are the following:

High number of Apache Tomcat installations in Luxembourg
Simple and successful propagation process
Installation of a back door which allows full access to the compromised server
Imaginable follow-up scenarios (malware spreading to visitors, DDoS)

Background Information

The malicious software, when installed on a Tomcat server, start scanning the network for other Tomcat servers and tries to log in with a number of weak username-password combinations. If it is successful, it copies itself to the targeted server.

TR-18 - PBX and VoIP Security - Recommendations

Mon, 01 Jan 0001 00:00:00 +0000

Overview

Private Branch Exchange (PBX), Voice over IP (VoIP) servers and clients are nowadays core communication components within small and large organizations. A PBX is a complete information systems integrating communication facilities including access to public switched/routed networks.

The security of PBX and VoIP elements is a key element to limit abuse and especially the theft of services. In the past years, PBX attacks are quite regular due to lack of security. The attacks especially allow the attackers to make toll fraud. The victims are directly impacted in their phone bills from such fraud. The losses regarding such vulnerabilities are not to be underestimated and can represent an important threat to the financial operation of an organisation.

TR-19 - UDP Protocols Security - Recommendations To Avoid or Limit DDoS reflection / amplification

Mon, 01 Jan 0001 00:00:00 +0000

Overview

DDoS (Distributed Denial-of-Service) attacks are used to render computer or information systems inaccessible. Attackers can abuse different network protocols in order to achieve their goals. In the past years, TCP protocol was regularly used to conduct Denial-of-Service attacks, but abuse of UDP protocols recently increased. UDP protocols provide many advantages for the attackers, e.g. IP address spoofing or stateless-connectivity. Some open (e.g. public NTP) services and inadvertently (e.g. SIP or Chargen) unfiltered services relying on UDP protocols are still widely open on the Internet and consequently accessible to potential abuse. In this document, recommendations are proposed to system and network administrators in order to minimize the risks associated with open services relying on UDP protocols.

TR-20 - Port evolution, a software to find the shady IP profiles in Netflow

Mon, 01 Jan 0001 00:00:00 +0000

Scope

Netflow records are frequently used for accounting purposes in large Networks. Most router are capable of exporting Netflow data. In CIRCL’s Netflow research program we collaborate with partners having large networks willing to exploit Netflow data for monitoring their infrastructures regarding information security incidents. The following objectives are addressed:

Validate Received Information Incident response teams or abuse handling teams receive information about incidents such as compromised hosts in their networks. Incident related information is sometimes volatile and quickly outdated. Therefore, it is essential to quickly validate received information. Netflow data can be used to validate this kind of information.

TR-21 - OpenSSL Heartbeat Critical Vulnerability

Mon, 01 Jan 0001 00:00:00 +0000

Overview

OpenSSL software is vulnerable to memory leakage to the connected client or server. In other words, anyone can remotely retrieve sensitive information (e.g. secret keys, passwords, confidential document) from the memory of the remote servers without leaving traces. This is a critical vulnerability and you must patch your OpenSSL software as soon as possible.

OpenSSL version 1.0.1 and 1.0.2-beta releases are affected by this vulnerability including 1.0.1f and 1.0.2-beta1. Prior version are not vulnerable to this vulnerability.

TR-22 - Recommendations for Readiness to Handle Computer Security Incidents

Mon, 01 Jan 0001 00:00:00 +0000

Overview

The objective of this document is to provide a set of practical procedures to enhance incident response team and ensure readiness in case of computer and cybersecurity incidents. The document includes the practical aspects on how to perform minimal response actions like gathering evidences from system or network in order to support LIRT (local incident response team) or public/private CERT supporting organizations in incident handling.

This document contains technical details about gathering evidences that might be updated at a regular interval. Check the revision of the document.

TR-23 Analysis - NetWiredRC malware

Mon, 01 Jan 0001 00:00:00 +0000

Overview

CIRCL analyzed a malware sample which was only sporadically detected by just a handful antivirus engines, based on heuristic detection. CIRCL analyzed the entire command structure of the malware and was able to attribute this specific malware to the malware NetWiredRC. The malware is a feature-rich Remote Access Tool, and compared to the identified predecessors, this specific version even implements more features.

Pre-Analysis

Sample A

Hashes:

Type of Hash	Hash
MD5	37e922093d8a837b250e72cc87a664cd
SHA1	c4d06a2fc80bffbc6a64f92f95ffee02f92c6bb9
SHA-256	3946d499d81e8506b8291dc0bd13475397bbcd7cb6e2c7ea504c079c92b99f62
{: rules=“groups”}

VirusTotal results for sample A

Engine	Result
McAfee	Artemis!37E922093D8A
TrendMicro-HouseCall	TROJ_GEN.F47V0407
Comodo	TrojWare.Win32.Amtar.JEI
McAfee-GW-Edition	Artemis!37E922093D8A
ESET-NOD32	Win32/Spy.Agent.NYU
Ikarus	Backdoor:Signed.Agent
AVG	BackDoor.Agent.AWYR
=====
Scanned: 2014-04-07 - 49 scans - 7 detections
{: rules=“groups”}

Signature check for sample A

TR-24 Analysis - Destory RAT family

Mon, 01 Jan 0001 00:00:00 +0000

Overview

CIRCL analyzed a malware sample which was only sporadically detected by just a handful antivirus engines, based on heuristic detection. CIRCL analyzed the entire command structure of the malware and was able to attribute this specific malware to the Destory RAT family. The malware is a feature-rich Remote Access Tool.

The malware is used by a specific group of attackers specialized in industrial espionage starting from 2007 (Command Five). CIRCL published this report about Destory RAT family due to the regular confusion with the PlugX malware family. PlugX and Destory RAT malware are technically different for their respective initialization phase, utilized obfuscation techniques and other parts that will be outlined in this document, showing that both families are initially coming from the same malware writers, following the same internal and network communication protocols and using the same code for the vast majority of the code.

TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos

Mon, 01 Jan 0001 00:00:00 +0000

Overview

During the last weeks, various samples of Uroburos (also named Urob, Turla, Sengoku, Snark and Pfinet) were analyzed and reports have been published ¹²³⁴, also analyses about a suspected predecessor, Agent.btz, are public ⁵. CIRCL analyzed an older version of Turla, known as a representative of the Pfinet malware family. The objective of this analysis is to gather additional Indicators of Compromise or behaviors in order to improve detection and to discover additional insights into the malware. This document is not considered a final release but a work-in-progress document.

TR-26 Security Recommendations for Web Content Management Systems and Web Servers

Mon, 01 Jan 0001 00:00:00 +0000

Recommendations for Web Content Management System - CMS

Web content management systems (CMS) are regularly used to maintain website content. But as they offer a lot of flexibility to the authors, they also offer a huge opportunity to attackers like modifying content in order to host malicious content and infect users with malware who navigate to these websites.

Extensions and Plugins in CMS

A major source of vulnerabilities are the extensions and plugins of Web Content Management Systems. Even though the core CMS part can be vulnerable, the vulnerabilities in plugins are accounted for more than 80% of the CMS vulnerabilities.

TR-27 - GNU Bash Critical Vulnerability - CVE-2014-6271 - CVE-2014-7169

Mon, 01 Jan 0001 00:00:00 +0000

Overview

A critical vulnerability has been discovered in GNU Bash by abusing specially crafted environment variables which allows local and remote code execution.

How to test if your bash is vulnerable

In a shell, execute the following, which is testing the system wide GNU Bash binary to test if you are vulnerable to CVE-2014-6271:

env x='() { :;}; echo vulnerable' bash -c "echo test"

To test if you are vulnerable to CVE-2014-7169:

cd /tmp; rm -f /tmp/echo; env 'x=() { (a)=>\' bash -c "echo date"; cat /tmp/echo

If the date is not printed, you are not vulnerable to CVE-2014-7169.

TR-28 - The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, are vulnerable to a critical padding oracle attack - CVE-2014-3566

Mon, 01 Jan 0001 00:00:00 +0000

Overview

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the “POODLE” issue. POODLE stands for “Padding Oracle On Downgraded Legacy Encryption”.

A recently discovered vulnerability shows that SSLv3 should not be used. The usage must be considered insecure. The majority of clients support recent versions of TLS. As there is no update available, the main recommendation is to completely disable SSLv3 support on your TLS/SSL servers and clients. Installations should only rely on recent versions of TLS.

TR-29 - NTP (Network Time Protocol) daemon - ntpd - critical vulnerabilities

Mon, 01 Jan 0001 00:00:00 +0000

Overview

NTP, the Network Time Protocol, is a standardized protocol providing ways to synchronize time on various operating systems. The Unix implementation called ntpd is vulnerable to multiple critical vulnerabilities. The NTP daemon (ntpd) is included in various operating systems and embedded systems. One of the vulnerabilities (CVE-2014-9295) is a remote code execution vulnerability allowing unauthenticated attackers to execute code with the privilege level of the NTP daemon (ntpd). If you are running an NTP server, you should upgrade as soon as possible especially if the Autokey Authentication feature is enabled.

TR-30 - Acquisition Support Tools for Local Incident Response Teams (LIRT)

Mon, 01 Jan 0001 00:00:00 +0000

Overview

In addition to CIRCL TR-22 - Recommendations for Readiness to Handle Computer Security Incidents, TR-30 provides a list of evidence acquisition support tools which can be used by Local Incident Response Teams (LIRT). The tools can be used in order to gather forensic evidences from Microsoft Windows systems including memory, registry or other evidences.

We recommend to acquire evidences on the running systems, especially memory and registry evidences. In case of encrypted disks or hardware RAIDs, we recommend to do live disk acquisition before the shutdown of the system. If the system is not encrypted, we recommend an off-line disk acquisition, if possible with a write-blocker device. In order to test if a disk is encrypted, the EDD tool mentioned below can help you.

TR-31 - GHOST / CVE-2015-0235 - glibc vulnerability - gethostbyname() (associated function calls)

Mon, 01 Jan 0001 00:00:00 +0000

Overview

GHOST / CVE-2015-0235 is a ‘buffer overflow’ vulnerability affecting the gethostbyname() function calls in the glibc library. An attacker could exploit this vulnerability to execute code on a remote host by supplying an invalid DNS response.

Vulnerable systems

If your glibc library is equal or below version 2.17, you are probably vulnerable to CVE-2015-0235.

Non-vulnerable systems

If your glibc library is equal or above version 2.18, you are not vulnerable to CVE-2015-0235.

TR-32 - key-value store and NoSQL security recommendations

Mon, 01 Jan 0001 00:00:00 +0000

Overview

Key-value stores, caches or NoSQL databases became an important piece of software in today’s internet and web services. In contrast to conventional DB sytems, the security model of NoSQL data stores is often very limited due to their inherent nature to be used within internal trusted networks. Strong attention should be given to the configuration of key-value stores especially regarding their access from the Internet.

General recommendations

Avoid listening and binding on all available network interfaces. If your key-value store is used on a single system, it is recommended to bind on localhost network interface.
If your key-value store is exposed to the Internet, TCP ports used by the key-value store need to be firewalled or packet-filtered.
If your key-value store supports authentication, access-control or encryption features, it is recommended to enable those.
If your key-value store supports disactivation of commands, limit the available set of commands to those which are required (e.g. if your application only needs read-only cache access, limit to read-only commands).
Don’t forget that key-value stores can be vulnerable to injection, too (just like SQL).
Logs access requests including failed authentications or authorizations to your key-value store.

Specific key-value store recommendations

Redis

Redis Security provides a good start to secure your Redis servers.

TR-33 Analysis - CTB-Locker / Critroni

Mon, 01 Jan 0001 00:00:00 +0000

Overview

In times of data stealing malware, making direct profit - straight from the wallet of the victim to the pocket of the attacker - is not the usual case. Scareware and ransomware are a few exceptions. While scareware usually just pretends to harm the user’s computer, ransomware takes the user’s files as hostiles by encrypting them and requests a ransom to be paid to decrypt the files. While the first implementations of ransomware lacked a correct implementation of the encryption process, the latest incarnation known as CTB-Locker/Critroni has overcome this limitation. And comes with several new features as well.

TR-34 How to view and extract raw messages in common email clients

Mon, 01 Jan 0001 00:00:00 +0000

Overview

Next to the user visible part of the mail, emails also contain a header part and a body part, normally not visible to the user. The body mainly consists of the message itself while the header contains meta informations, most of which was added by the servers that handled the email. CIRCL TR-07 already explains how to extract the headers part from the most popular email clients.

This document describes the process on how to extract the full email (including headers, body and attachment parts). The information can be used to analyze fully the email (are there any malicious files? or suspicious files attached the mails? are there any URLs?). The extracted raw messages can be reported send to a CERT like CIRCL.

TR-35 What ressources do you need to setup a CERT Team

Mon, 01 Jan 0001 00:00:00 +0000

Overview

Setting up a new CERT team will require you to gather some ressources in order to start working in good conditions.

Human ressources

This is probably the most important part: you need a team of people able to work together because you will have to investgate in cases that will requires a vast amount of competencies that cannot be covered by one single person.

Hardware

Infrastructure

It is always better to have your own infrastructure, which means some powerfull servers with a lot of RAM and fast disks for the investigations.

TR-36 Example setup of WordPress with static export

Mon, 01 Jan 0001 00:00:00 +0000

Overview

CIRCL warns very often about security issues in Content Management Systems (e.g. Wordpress, Joomla, Typo3, Drupal) or their plug-ins ¹. To minimize the risk, the best practice is to always keep track of the installed plug-ins, uninstall unnecessary components and keep the plug-ins and main software components up-to-date. Unfortunately Content Management Systems are sometimes vulnerable to 0-day exploits for which by definition no protection is available. Also, sometimes plug-ins are no longer maintained, or the administrators are just busy with other important tasks so that they cannot react to new known threats in a timely manner.

TR-37 - VENOM / CVE-2015-3456 - Critical vulnerability in QEMU Floppy Disk Controller (FDC) emulation

Mon, 01 Jan 0001 00:00:00 +0000

Overview

VENOM / CVE-2015-3456 is a kind of ‘buffer overflow’ vulnerability in the QEMU Floppy Disk Controller (FDC) emulation. This vulnerability affects a variety of software products relying on QEMU itself or the Floppy Disk Controller emulation part only. Even if floppy disk emulation is not available, the vulnerability can be triggered.

Vulnerable systems

Vulnerable systems to CVE-2015-3456:

A maintenance release of the Oracle VirtualBox 4.3.28 should be released soon to fix CVE-2015-3456.

TR-39 - CIRCL-SOPs Standard Operational Procedures

Mon, 01 Jan 0001 00:00:00 +0000

Overview

The Computer Incident Response Center Luxembourg (CIRCL) is the CERT for the private sector, communes and non-governmental entities in Luxembourg.

CIRCL provides useful tools and services like MISP¹, DMA², Passive DNS³, Passive SSL⁴ and URL Abuse⁵ which could be used free of charge by its constituency and the CERT/CSIRT community. All services except URL Abuse need registration to obtain login credentials.

The CIRCL-SOPs aims to show how to work with the provided services in case of a suspicion or an attack. This procedures are intended for security teams and CERTs/CSIRTs.

TR-40 - Allaple worm activity in 2015 and long-term persistence of worm (malware) in Local Area Networks

Mon, 01 Jan 0001 00:00:00 +0000

Overview

Allaple worm family has been discovered in late 2006. The Allaple worm is a polymorphic malware designed to spread over Local Area Network and Internet. The worm was designed by a dissatisfied customer of an insurance company in order to DDoS some websites in Estonia. CERT-FI described in 2007 how to detect and identify Allaple variants on the network via ICMP packets generated by the malware. By analyzing blackhole data close to RFC1918 networks , CIRCL discovered a significant persistence of this worm family in Local Area Networks.

TR-42 - CVE-2015-7755 - CVE-2015-7756 - Critical vulnerabilities in Juniper ScreenOS

Mon, 01 Jan 0001 00:00:00 +0000

Overview

Two critical vulnerabilities were discovered in Juniper equipment (from ScreenOS 6.3.0r17 through 6.3.0r20). The vulnerability CVE-2015-7755 allows unauthorized access to the remote administration of the devices without prior knowledge, beside the username. The attacker can take full control of the devices. The vulnerability CVE-2015-7756 allows passive attackers to monitor VPN encrypted traffic and decrypt all the traffic without prior knowledge of the key materials.

Vulnerable systems

Juniper devices using ScreenOS 6.3.0r17 (April 2014) through 6.3.0r20 (December 2015) for CVE-2015-7755.
Juniper devices using ScreenOS 6.2.0r15 (September 2012) through 6.3.0r20 (December 2015) for CVE-2015-7756.

Non-vulnerable systems

Other juniper products not relying on ScreenOS

Details on the Vulnerability

Both security issues were discovered by Juniper during an internal code review. The initial publication was on 17th December 2015.

TR-43 - Installing MPSS 3.6.1 to use a Intel Xeon Phi Coprocessor on Ubuntu Trusty 14.04 LTS

Mon, 01 Jan 0001 00:00:00 +0000

The “Intel Manycore Platform Software Stack” is a series of Intel software components to run the Intel Xeon Phi Coprocessor. The Intel Xeon Phi is a coprocessor computer architecture for high-performance computing.

Most of the documentations available on the Internet is made for RedHat based systems, this document aims to help someone willing to configure MPSS on Ubuntu Trusty 14.04 LTS.

The code base provided by Intel is pretty huge and not all of it has been installed, only the modules required to connect to the system.

TR-44 - Information security - laws and specific rulings in the Grand Duchy of Luxembourg

Mon, 01 Jan 0001 00:00:00 +0000

Introduction (EN)

Information security is covered by many different laws and specific rulings in the Grand Duchy of Luxembourg. As within many countries, because of the complexity of the topic, these texts are hardly accessible among a single chapter. Penal Code was modified several times in order to adapt to the behavioral reality of a population using, for the better or the worst, the Internet and related communication technologies.

Following is a brief description, including a title, reference of the articles, domain of application, example and endured sanctions of many of Luxembourg law’s that most commonly apply to all users of the Internet. This brief summary is intended to acquaint you with the major applicable text of laws and not to offer a detailed exposition. It is to be consider as an incomplete work in progress, which will be further edited as the legal framework related to the Internet and electronic communications evolve.

TR-45 - Data recovery techniques

Mon, 01 Jan 0001 00:00:00 +0000

Overview

In case of data loss, it is good practice to restore a tested backup. Sometimes, such a functioning backup is not available. This document intends to collect alternative ways to at least partially restore lost data from the source disk.

Disclaimer: In case data is lost or damaged it is highly recommended to work on a copy of the data and not on the original disk. Please see our document about acquisition first (TR-30).

TR-46 - Information Leaks Affecting Luxembourg and Recommendations

Mon, 01 Jan 0001 00:00:00 +0000

Overview

Information leak: the publication (or trusted announcement of possession) of stolen or otherwise acquired digital information like user profiles, credentials or other digital assets.

Information leaks have happened many times in the recent past. Sometimes, the number of affected people is quite small like in the leak of a customer database of a small web shop, where we probably would try to contact the few affected individuals or their employer’s IT department. But most of the time we face leaks that contain several million people’s private information.

TR-47 - Recommendations regarding Abuse handling for ISPs and registrars

Mon, 01 Jan 0001 00:00:00 +0000

Overview

To address security issues, for instance the notification to the technical administrators, registrants and hosting providers about a compromised web site, it is essential to be able to identify the correct contact information. These can usually be retrieved from the respective WHOIS database of the Regional Internet registry (RIR), the domain name registry’s database or a Referral Whois (RWhois).

These lookups can be automated in order to be used with automatic abuse notifications.

TR-48 - Cyber-Threats Indicators Sharing, security-related actionable information and future of Personal Data Protection framework in the EU - MISP and GDPR

Mon, 01 Jan 0001 00:00:00 +0000

Abstract

This article exposes how cyber-threats indicators sharing platforms, such as the Malware Information Sharing and Threat Sharing Platform (MISP), can help all actors involved in information security and data protection within Europe in fulfilling their obligations under the future General Data Protection Regulation (GDPR) to apply in the European Union (EU). Although such kind of platform could be used in order to share personal data, the reason why such data is exchanged should be perceived as being within the legitimate interest of data controllers and the interest of the individuals whose data is being shared, therefore in line with the requirements of the GDPR.

TR-49 - CVE-2017-7494 - A critical vulnerability in Samba - remote code execution from a writable share

Mon, 01 Jan 0001 00:00:00 +0000

Overview

A critical remote code execution vulnerability was found in Samba. An authenticated Samba client (with write access) can execute arbitrary code with elevated privileges (usually root). CVE-2017-7494

Vulnerable systems

Samba (version 3.5.0 and onwards)

Samba is included, by default, in many integrated devices or operating system distributions like

asustor
Debian DLA-951-1 DSA-3860-1
Eurostor NAS
FreeNAS
Netgear
RedHat
SUSE
Synology NAS
QNAP
Ubuntu - USN-3296-2: Samba vulnerability

Non-vulnerable systems

Systems running Samba (below version 3.5.0) are not vulnerable to this specific vulnerability. Nevertheless, if you run such an outdated version, we strongly recommend to update to the latest version.
CIFS implementation not relying on Samba code base like Microsoft Windows are not vulnerable to this specific vulnerability.

Details on the Vulnerability

The vulnerability is located in rpc_server/srv_pipe.c where pipe names can include “/” values inside. smb_probe_module() (line 484) is used to load a pipename containing a library previously uploaded to the writeable share. The issue lies on the ability to load shared backend modules in Samba using smb_probe_module().

TR-50 - WPA2 handshake traffic can be manipulated to induce nonce and session key reuse

Mon, 01 Jan 0001 00:00:00 +0000

Overview

All modern Wi-Fi networks are protected by Wi-Fi Protected Access II (WPA2). The Wi-Fi standard contains a weakness that could be exploited to read previously assumed to be encrypted traffic, or to modify or inject traffic. As the problem is not bound to specific implementations, the problem can be assumed to be present in any product or device.

Vulnerable systems

Due to the nature of this problem, the vulnerability might exist in all Wi-Fi implementations. CERT.org maintains an extensive list of affected products.

TR-51 - How to react to fraudulent acts of third party invoicing or requesting funds without showing any purchase order

Mon, 01 Jan 0001 00:00:00 +0000

Overview

There are many deliberate fraudulent acts occurring frequently in Luxembourg as means of securing unfair or unlawful gains, of which fake bills and advertising scams are unfortunately common. CIRCL is often contacted by victims of such scams, and would like to issue a clear warning related to such frauds as false billing, fake invoicing or related fake advertising.

This TR document describes the nature of the scams and provides hints on how to react.

TR-52 - Forensic Analysis of an HID Attack

Mon, 01 Jan 0001 00:00:00 +0000

Overview

If a malicious hardware device which probably looks like an usual USB key is plugged into the USB port of a PC but then act like a keyboard, we are talking about Human Interface Device (HID) Attacks. This attacks are known since many years but recently gain popularity.

A reasons for the increasing popularity of the attacks might be the availability of cheap hardware which can be used for the attacks. Also the hardware has become more reliable and easier to handle over time.

TR-53 - Statement about WHOIS and GDPR

Mon, 01 Jan 0001 00:00:00 +0000

Overview

CIRCL is the CERT/CSIRT (Computer Emergency Response Team/Computer Security Incident Response Team) for the private sector, communes and non-governmental entities in Luxembourg.

In this context, one of the tasks of CIRCL is to protect the citizens, companies and all other types of organizations, within, but not limited to Luxembourg from malware, phishing and other digital threats.

In order to achieve this with maximum effect, CIRCL tries to make the malicious content inaccessible, while informing the responsible people about the compromised infrastructure at the same time.

TR-54 - Sextortion scam emails - I know your password

Mon, 01 Jan 0001 00:00:00 +0000

Overview

During the past few days, we have received an increasing number of reports about scam attempts.

Usually the malicious emails involved in the scam start with sentences such as I know that XYZ is your password, with the scary part being that XYZ is in fact a real password of the targeted user.

In one example, as displayed below, the attacker explains that they compromised the victim’s PC by infecting it with a remote access malware. They also state that they have activated the webcam of the PC and recorded a video clip of the victim.

TR-55 - SquashFu - an alternate Open Source Backup solution, resilient to Crypto Ransomware attacks

Mon, 01 Jan 0001 00:00:00 +0000

Overview

One of CIRCLs tasks is to protect the citizens, companies and all other types of organizations, within, but not limited to Luxembourg from malware, phishing and other digital threats. During the last years, one specific threat was - from an attacker’s perspective - very successful. At the same time it turned out to be devastating (unrecoverable loss of information) or at least expensive and problematic for the victims. We are talking about the rise and success of Crypto Ransomware, which we covered in other articles already:

TR-56 - HTTP Strict Transport Security

Mon, 01 Jan 0001 00:00:00 +0000

Overview

For good reasons, regulations and privacy good practices require the usage of an encryption layer between end-user browsers and web servers the user is performing a transaction with (e.g. online shop purchase, online banking transaction). This encryption layer is commonly recognized by the ‘https://’ prefix of a URL, along with the lock symbol in the address bar of the browser. It represents an implementation of X.509 based SSL/TLS encryption, which is an extension to the HTTP protocol the world wide web is based on. Basically all end-systems and servers are technically capable of understanding this protocol.

TR-567d30 - CIRCL Unveils Festive Nostalgic Initiatives - Gopher Protocol and Bulletin Board System Revival

Mon, 01 Jan 0001 00:00:00 +0000

In the spirit of holiday cheer and a nod to computing’s early days, CIRCL, the CERT for the private sector of Luxembourg, is delighted to unwrap two nostalgic gifts for tech enthusiasts. We are proud to announce the activation of our website in the venerable Gopher protocol, offering users a festive journey into the roots of the digital era at gopher://gopher.circl.lu.

But the holiday surprises don’t end there! In celebration of the season, CIRCL has introduced a Bulletin Board System (BBS) at bbs.circl.lu. Running on TCP ports 23, 64 (40 column PETSCII), and 128 (80 column PETSCII), this holiday-themed BBS is a nod to a bygone era when digital communities thrived on the simplicity of text-based interactions. Users can experience this festive blast from the past with modern terminal programs or, for those with a holiday spirit for retro hardware, on slightly older computers like Amiga 500 or even the classic C64.

TR-57 - Ransomware - Effects and precautions

Mon, 01 Jan 0001 00:00:00 +0000

Introduction

Ransomware, in this context specifically Cryptoransomware, is a term for a malware type that blocks access to data on resources of the victim unless a ransom is paid. Cryptoransomware is not a new phenomena. The first Cryptoransomware was released in 1989 (‘AIDS Trojan’), however the technique to make the data inaccessible was different to today’s cryptographic approaches. In addition, no anonymous payment system was available at that time. To deal with this, money was requested to be sent to a postbox in Panama. Carrying out such attacks for profit wasn’t lucrative due to the associated risks.

TR-58 - CVE-2020-0796 - Critical vulnerability in Microsoft SMBv3 - status and mitigation

Mon, 01 Jan 0001 00:00:00 +0000

Overview

A critical remote code execution vulnerability was found in SMBv3 protocol, affecting servers and client machines serving an SMB share. An unauthenticated SMV client can execute arbitrary code with elevated privileges, which could allow an attacker to take full control over the attacked system. This vulnerability has the potential for a wormable attack, meaning that the vulnerability could be exploited automatically from vulnerable system to vulnerable system. CVE-2020-0796

Vulnerable systems

Currently by Microsoft confirmed vulnerable systems as in https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005:

TR-59 - Remote Work - In times of a crisis

Mon, 01 Jan 0001 00:00:00 +0000

Overview

In a crisis situation as we experience it since March 2020, remote work (aka telework, telecommute, tele work, distance work and sometimes “home office”) is often the best or sole option to keep an organization operational.

Cybercriminals are well aware of this situation and will try to attack employees and the organizations.

Many very good articles have been released addressing the security of the companies and home workers on a strategical, organizational and technical level.

TR-60 - Phishing - Effects and precautions

Mon, 01 Jan 0001 00:00:00 +0000

How do you define Phishing? What type of phishing exist?

Phishing is defined as an attempt to obtain sensitive information (like access credentials, financial information or credit card details) by establishing a trust relationship with the potential victim. The act of phishing is a social engineering attack and doesn’t require any technical exploitation of vulnerabilities. Instead it focuses on the human and their weaknesses, like inattentiveness, misinterpretation or mislead judgment caused by the influence of the attacker’s correspondence.

TR-61 - Critical vulnerabilities in Microsoft Exchange

Mon, 01 Jan 0001 00:00:00 +0000

Overview

Several critical vulnerabilities in Microsoft Exchange have been discovered. The vulnerabilities are actively being exploited.

CVE-2021-26412 - Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-26854 - Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-26855 - Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-26857 - Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-26858 - Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-27065 - Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-27078 - Microsoft Exchange Server Remote Code Execution Vulnerability

Vulnerable systems

cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23::::::
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18::::::
cpe:2.3:a:microsoft:exchange_server:2010:sp3:::::: (CVE-2021-26857)

Fixing and mitigation

For organisations having vulnerable Microsoft Exchange servers, we recommend the following:

TR-62 - Leak of Facebook Data from 533 Million Users

Mon, 01 Jan 0001 00:00:00 +0000

Overview

On Saturday 3rd April 2021, a leak of Facebook records (533 million users) became publicly accessible on a leak-market forum. The leak contains information such as mobile phone numbers, Facebook ID, first names, last names, location and additional information such as date of birth or work place. There are 188201 entries for Luxembourg. Facebook mentioned that the vulnerability used to extract the information was reported and fixed in 2019.

TR-63 - Vulnerabilities and Exploitation of Pulse Connect Secure

Mon, 01 Jan 0001 00:00:00 +0000

Overview

Multiple organisations in various countries were compromised using Ivanti Pulse Connect Secure products. The threat-actor(s) used different old and new vulnerabilities to gain access to publicly facing Pulse Connect Secure devices. The vulnerabilities exploited are the following:

CVE-2019-11510 - In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability.
CVE-2020-8260 - A vulnerability in the Pulse Connect Secure < 9.1R9 admin web interface could allow an authenticated attacker to perform an arbitrary code execution using uncontrolled gzip extraction.
CVE-2020-8243 - A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload custom template to perform an arbitrary code execution.
new (and unpublished) CVE-2021-22893 - SA44784 - 2021-04: Out-of-Cycle Advisory: Pulse Connect Secure RCE Vulnerability. Vulnerability in Pulse Connect Secure allows a remote unauthenticated attacker to execute arbitrary code via unspecified vectors.

Recommendation

The vendor states on their website The solution for these vulnerabilities (CVE-2021-22893) is to upgrade the Pulse Connect Secure server software version to the 9.1R.11.4 We will update the advisory once the timelines are available.. The new updated software is not published yet. But there is a workaround XML file to disable the vulnerable features such as “Windows File Share Browser” and “Pulse Secure Collaboration”. Reboot is required after the application of the workaround.

TR-64 - Exploited Exchange Servers - Mails with links to malware from known/valid senders

Mon, 01 Jan 0001 00:00:00 +0000

What have we observed?

Several organizations received complaints about the fact that their email accounts are sending spam, phishing and infected emails to their partner organizations. The emails are usually replies to ongoing email threads, where an attacker pastes a greeting sentence and URLs above the original mail content.

Attackers/adversaries do that to improve the social acceptance rate of their malspam. Indeed this strategy seems to be very successful.

Here a sample in English: (URLs are disarmed)

TR-65 - Vulnerabilities and Exploitation of Log4j (Remote code injection in Log4j)

Mon, 01 Jan 0001 00:00:00 +0000

Overview

CVE-2021-44228 vulnerability enables remote code injection on systems running Log4j. The attacker has to trigger a log entry generation containing a JNDI request. The vulnerability can be exploited without authentication. The exploit needs to be processed by Log4j. Impacted Log4j versions are: 2.0 to 2.15.0. The fix was partial for version 2.15.0 as additional vulnerabilities such as CVE-2021-45046 were published in 2.16.0. Later version 2.17.0 was published fixing an additional vulnerability CVE-2021-45105. Then version 2.17.1 was published fixing an additional vulnerability CVE-2021-44832.

TR-66 - Webservers with mod_status like debug modules publicly available leak information

Mon, 01 Jan 0001 00:00:00 +0000

What have we observed?

Badly configured web servers expose server-side status pages for debug and performance monitoring purposes. Those status pages include client requests, including the partial or full GET request. With badly designed web services, this will leak information that can be used by the attacker, to either gain access to the web service or gather valuable information about the back-end infrastructure.

An example can be found on the following link.

TR-67 - local privilege escalation vulnerability in polkit's pkexec utility.

Mon, 01 Jan 0001 00:00:00 +0000

Overview

A vulnerability CVE-2021-4034 was discovered in the the tool pkexec (part of polkit) included in many Linux distributions such as Ubuntu and Redhat in a package called PolicyKit. The CVSS s3 Base Score is 7.8.

The attack complexity is very low and enables privilege escalation resulting in root access on the operating system. The vulnerability can even be exploited by users not being sudoers.

All versions before 0.105 (included) of Polkit (formerly PolicyKit).

TR-68 - Best practices in times of tense geopolitical situations

Mon, 01 Jan 0001 00:00:00 +0000

Overview

Geopolitical conflicts can be the effect of complex political situations. Tragically, they might result in wars or warlike operations. The situation can even get more complicated when surrounding countries, allies and partners threaten with consequences and sanctions. In the digital world, and keeping the above dynamic in mind, it is not unusual to see an increased activity when it comes to cyber attacks towards other countries’ government infrastructure, prominent targets or simply whatever looks like low hanging fruit.

TR-69 - How to choose an ICT supplier from a security perspective

Mon, 01 Jan 0001 00:00:00 +0000

Summary

In the past we saw some IT suppliers not taking appropriate care on their customers IT security. So we decide to release a document which can help mall and medium-sized enterprises (SMEs) to evaluate the IT security services of their suppliers.

Overview

According to the European Commission, small and medium-sized enterprises (SMEs) represent 99% of all businesses in the EU [1].

SMEs often do not has resources to setup and maintain their IT infrastructure internally and on their own. The alternative to outsource this activities to ICT suppliers became a very popular and legit alternative. At least to the point where the ICT suppliers take their job serious especially with the point of view on IT security aspects.

TR-70 - Vulnerabilities in Microsoft Exchange CVE-2022-41040 - CVE-2022-41082

Mon, 01 Jan 0001 00:00:00 +0000

Overview

Two vulnerabilities were reported and affect Microsoft Exchange Server (on-premise).

CVE-2022-41040 - Microsoft Exchange Server Elevation of Privilege Vulnerability
CVE-2022-41082 - Microsoft Exchange Server Remote Code Execution Vulnerability

Vulnerable systems

Microsoft Exchange 2013 cpe:2.3:a:microsoft:exchange_server:2013:*:*:*:*:*:*:*
Microsoft Exchange 2016 cpe:2.3:a:microsoft:exchange_server:2016:*:*:*:*:*:*:*
Microsoft Exchange 2019 cpe:2.3:a:microsoft:exchange_server:2019:*:*:*:*:*:*:*

Scope of the problem

The vulnerability, when exploited, allows an attacker to remotely control the Exchange Server. While the vulnerability can only be exploited by authenticated users, it must be understood that any email user credentials will probably qualify as an authenticated user. Attackers that possess lists of phished credentials can benefit from it for their criminal purposes.

TR-71 - FortiOS - heap-based buffer overflow in sslvpnd (exploited) - FortiOS SSL-VPN - CVE-2022-42475

Mon, 01 Jan 0001 00:00:00 +0000

Overview

A heap-based buffer overflow vulnerability in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

FortiGuard Labs PSIRT Advisories

Vulnerable systems

FortiOS version 7.2.0 through 7.2.2
FortiOS version 7.0.0 through 7.0.8
FortiOS version 6.4.0 through 6.4.10
FortiOS version 6.2.0 through 6.2.11
FortiOS version 6.0.0 through 6.0.15
FortiOS version 5.6.0 through 5.6.14
FortiOS version 5.4.0 through 5.4.13
FortiOS version 5.2.0 through 5.2.15
FortiOS version 5.0.0 through 5.0.14
FortiOS-6K7K version 7.0.0 through 7.0.7
FortiOS-6K7K version 6.4.0 through 6.4.9
FortiOS-6K7K version 6.2.0 through 6.2.11
FortiOS-6K7K version 6.0.0 through 6.0.14

Scope of the problem

The vulnerability is exploited for some time (the exact date of the beginning of exploitation is unknown). If you have a FortiOS device with the SSL-VPN publicly accessible, you should consider a standard incident response procedure (even if you have auto-update activated).

TR-72 - Vulnerable Microsoft Exchange server metrics leading to alarming situation

Mon, 01 Jan 0001 00:00:00 +0000

Description

Many Microsoft Exchange Servers are left unmaintained, when it comes to patching them with the latest security updates. This introduces an enormous risk for the companies using those servers.

The main risks are:

a potential compromise of the server
accessing of private, confidential and/or business related data by third parties
unwanted modification or deletion of data
exfiltration of data
lateral movement and infection of other parts of the infrastructure
financial loss through blackmailing
productivity and financial loss by re-installing the infrastructure
reputation loss

Unfortunately, it is not uncommon to end up with a compromised Exchange server. We have seen countless cases in the last years. Vulnerabilities in Exchange are quite frequent and most of the time they have a high CVSS. Remote Code Execution Vulnerabilities are patched every few months. If these vulnerabilites are not patched by the updates of Microsoft or otherwise mitigated, there is a severe risk of the server being rapidly compromised.

TR-73 - Ransomware FAQ

Mon, 01 Jan 0001 00:00:00 +0000

Ransomware - Definition

A crypto ransomware is a type of malware that - when successfully executed - enumerates all (locally and remotely) accessible files and uses a strong cryptographic algorithm in order to encrypt the files the malware is configured to process. When the malware is implementing the cryptographic part correctly, it is practically impossible to decrypt the affected files without possessing the right key. From the victim’s point of view, the content of the files is lost. It can only be recovered by purchasing the key from the criminals or, if available, by restoring the files from a functioning backup which wasn’t accessible during the enumeration and encryption phase. In some cases, attackers may be able to gain full access to the infrastructure and destroy the backups from the backup server, making the recovery impossible.

TR-74 - A heap-based buffer overflow vulnerability [CWE-122] in FortiOS - CVE-2023-27997

Mon, 01 Jan 0001 00:00:00 +0000

A heap-based buffer overflow vulnerability (CWE-122) has been identified in FortiOS and FortiProxy SSL-VPN. This vulnerability allows a remote attacker to execute arbitrary code and commands by sending specially crafted requests.

Workaround

To mitigate the risk, it is recommended to disable SSL-VPN on the FortiOS device.

Recommendations

For FortiOS equipment users: Check if the currently running version is the latest one. If not, apply the available upgrades or implement the provided workaround.
If you rely on a service provider for security updates: Request information about the installed version and the most recent version available. If there is a discrepancy, insist on performing the upgrade.
If suspicious activity is detected in the logs indicating a compromised FortiOS device, initiate an incident response procedure. Patching alone is not sufficient if you don’t review logs and evidences.

Notifications

CIRCL (Computer Incident Response Center Luxembourg) has sent notifications to ISPs and known contact points when publicly exposed vulnerable devices were discovered. If you would like to directly share your IP resources for notifying the appropriate contact point, please reach out to us.

TR-75 - Unauthenticated remote code execution vulnerability in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) - CVE-2023-3519

Mon, 01 Jan 0001 00:00:00 +0000

CVE-2023-3519 is a remote code execution (RCE) vulnerability that could allow an unauthenticated threat actor to execute arbitrary code on a vulnerable server. According to Helpnetsecurity, at this time there is no public PoC, but the vulnerability has been observed being exploited in the wild.

Affected Products

NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
NetScaler ADC 13.1-FIPS before 13.1-37.159
NetScaler ADC 12.1-FIPS before 12.1-55.297
NetScaler ADC 12.1-NDcPP before 12.1-55.297

Remediation

Patches have been released to address this vulnerability.

TR-76 - Multiple high severity vulnerabilities in CODESYS V3 SDK could lead to RCE or DoS

Mon, 01 Jan 0001 00:00:00 +0000

Microsoft researchers focusing on industrial control system found a significant number of vulnerabilities in CODESYS V3 software development kit which is used in multiple industrial devices such as programmable logic controllers (PLC).

Affected Products

all versions of CODESYS V3 prior to version 3.5.19.0

All variants of the following CODESYS V3 products in all versions prior V3.5.19.0 containing at least one of the components CmpApp, CmpAppBP, CmpAppForce, CmpFiletransfer or CmpTraceMgr are affected, regardless of the CPU type or operating system:

TR-77 - Spear phishing and voice call scams targeting corporate executives and their accounting department

Mon, 01 Jan 0001 00:00:00 +0000

This is an on-going voice call scam campaign which is targeting large companies and SMEs, and more specifically the financial/accounting departments of these companies. This scam has been on the rise in Luxembourg over the past days (late August 2023).

Sample Case

Below, you will find a sample phone call in English but can be also in French:

My name is 'Maître Guérin'. I am a lawyer from KPMG. I like to inform you about a pending invoice.

The president will send you an email to confirm the importance and confidentiality of the situation.

Than usually short time later the victim will receive a fake email like this impersonating the president/executive and spoofing a CSSF (or other regulator) with a similar email address.

TR-78 - CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways + CVE-2024-21888 + CVE-2024-21893

Mon, 01 Jan 0001 00:00:00 +0000

Ivanti has issued a security patch to rectify two significant vulnerabilities in all supported versions (9.x and 22.x) of Connect Secure and Policy Secure gateways. These include an authentication bypass issue (CVE-2023-46805) and a command injection flaw (CVE-2024-21887). If exploited, these vulnerabilities could enable a cyber threat actor to seize control of the impacted system. In addition to the two previous vulnerabilities, CVE-2024-21888 and CVE-2024-21893 are affecting Ivanti Connect Secure and Ivanti Policy Secure. CVE-2024-21888 is a privilege escalation vulnerability in web component allows a user to elevate privileges to that of an administrator. CVE-2024-21893 is a server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

TR-79 - AnyDesk Incident and Potential Associated Supply Chain Attack

Mon, 01 Jan 0001 00:00:00 +0000

An incident occurred at AnyDesk (reported on February 2, 2024), which appears to have been first detected on January 24, 2024, as indicated by the revocation of a certificate.

While AnyDesk Software GmbH has not confirmed any compromise of their software package signing materials or any impact on end-user services, several security researchers have been actively investigating the potential use of AnyDesk’s key materials in malware signing.

Recommendations

Review the software installed from AnyDesk Software GmbH, paying particular attention to the associated usage or audit trails of the service.
Execute the YARA rules mentioned below.
Follow the latest advice from AnyDesk Software GmbH, including updating their software to the newest version.

Vulnerable systems in Luxembourg

There are users of the AnyDesk software in Luxembourg, but we are not aware of any exploitation or incidents related to this matter.

Detection and Incident Response

YARA rules to detect Potential detection: AnyDesk certificate used, AnyDesk certificate used, but unrelated PE info and malicious AnyDesk .NET available at stairwell
YARA rules to detect compromised signing certificate of AnyDesk signature-base/yara

References

Compromised vendor AnyDesk Incident Response 2-2-2024
Reporter Proactive response: AnyDesk, any breach

Classification of this document

TLP:CLEAR information may be distributed without restriction, subject to copyright controls.

TR-80 - Targeted SMS and fake phone center call targeting financial/banking services

Mon, 01 Jan 0001 00:00:00 +0000

Recent Phishing Scheme Combines SMS Alerts and Fraudulent Call Center Tactics

A newly identified phishing scam has emerged, employing SMS alerts that issue a fraud warning. These messages direct victims to a phone number located within the same country. Callers are greeted by what appears to be an official service, dubiously named ‘Centre Monétique Interbancaire de la Lutte Contre la Fraude’ or, in English, ‘Electronic Payment Center for the Fight Against Fraud.’ The initial telephone system recording is designed to sound professional, creating a facade of legitimacy. Following this recording, callers are connected to a supposed operator. This individual then requests various details typically required for blocking a card. However, in reality, the attacker exploits this information for fraudulent purposes.

TR-81 - Critical FortiOS vulnerabilities in sslvpnd and fgfmd

Mon, 01 Jan 0001 00:00:00 +0000

Two critical vulnerabilities in FortiOS:

A out-of-bounds write vulnerability [CWE-787] in FortiOS allows a remote unauthenticated attacker to execute arbitrary code or command via specially crafted HTTP requests. FG-IR-24-015 - CVE-2024-21762
A use of externally-controlled format string vulnerability [CWE-134] in FortiOS fgfmd daemon allows a remote unauthentified attacker to execute arbitrary code or commands via specially crafted requests. FG-IR-24-029 - CVE-2024-23113

Recommendations

Check the Fortinet upgrade tool to determine which version to install.
If you are using SSL VPN in FortiOS, Fortinet recommends disabling the SSL VPN as a workaround.
CIRCL advises initiating an incident response procedure, reviewing all logs, and especially scrutinizing any potential access from the VPN to other internal infrastructure.

Vulnerable systems in Luxembourg and Exploitation

The number of exposed devices running FortiOS within the IPv4 ranges of Luxembourg exceeds 650. These devices vary widely in their versions. We strongly recommend that any users or organizations using FortiOS review their current inventory, test the version, and assess their actual exposure.
Fortinet/FortiGuard Labs has confirmed the exploitation of CVE-2024-21762/FG-IR-24-015.

Detection and Incident Response

As of now, there are no detection rules available for these two vulnerabilities.

References

Vendor FortiOS - Out-of-bound Write in sslvpnd
Vendor FortiOS - Format String Bug in fgfmd

Classification of this document

TLP:CLEAR information may be distributed without restriction, subject to copyright controls.

TR-82 - backdoor discovered in xz-utils - CVE-2024-3094

Mon, 01 Jan 0001 00:00:00 +0000

On March 29th, 2024, a backdoor (CVE-2024-3094) was discovered in xz-utils by Andres Freund while debugging some performance issue on an sshd daemin. The xz-utils package is commonly used for compressing release tarballs, software packages, kernel images, initramfs images and many others. The xz-utils include the liblzma library used by various software including sshd which is one of the known technique to abuse the backdoor.

Detection

We recommend reviewing the dynamic linking of the sshd daemon (as it’s one of the known ways to use the backdoor) to ensure there is no link to liblzma. You can do this by using the command ldd "$(command -v sshd)".

TR-83 - Linux Boot Hardening HOWTO

Mon, 01 Jan 0001 00:00:00 +0000

Linux Boot Hardening

Introduction

Having an encrypted disk to store your root file system and other files is good to protect your data from being read or tampered with offline. The way many Linux installations are made is by leaving a boot partition /boot un-encrypted and thus modifiable. So what prevents someone to tamper with your kernel or your boot loader … nothing, if secure boot is not implemented. Loading a malicious boot loader or kernel would completely break the security of your setup, as all your encrypted data would finally become accessible.

TR-84 - PAN-OS (Palo Alto Networks) OS Command Injection Vulnerability in GlobalProtect Gateway - CVE-2024-3400

Mon, 01 Jan 0001 00:00:00 +0000

A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Fixes for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 are in development and are expected to be released by April 14, 2024. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.

TR-85 - Three vulnerabilities in Cisco ASA software/appliance and FTD software being exploited

Mon, 01 Jan 0001 00:00:00 +0000

Three vulnerabilities (CVE-2024-20359, CVE-2024-20358, and CVE-2024-20353) in Cisco ASA (Adaptive Security Appliance) software/appliance and FTD (Firepower Threat Defense) software have been discovered and published by Cisco as being actively exploited.

Fixes

Cisco provides software updates known as SSU (Security Software Update). We strongly recommend users update to the latest version and conduct further investigations as suggested below for signs of compromise.

Detection and investigative assessment

We strongly recommend users of Cisco ASA equipment follow the Cisco ASA Forensic Investigation Procedures for First Responders.

TR-86 - Check Point VPN Information Disclosure (CVE-2024-24919) - Actively Exploited

Mon, 01 Jan 0001 00:00:00 +0000

A critical information disclosure vulnerability (CVE-2024-24919) exists in Check Point VPN. Successful exploitation of this vulnerability allows a remote attacker to obtain sensitive information, including key materials, user credentials, and configuration files from the operating system.

Vulnerable Version And Products

Check Point Quantum Gateway and CloudGuard Network versions R81.20, R81.10, R81, R80.40.
Check Point Spark versions R81.10, R80.20.
CloudGuard Network
Quantum Maestro
Quantum Scalable Chassis
Quantum Security Gateways
Quantum Spark Appliances

Fixes

Check point published Preventative Hotfix for CVE-2024-24919 - Quantum Gateway Information Disclosure which includes the details about the hotfix to prevent the exploitation of the vulnerability.

TR-87 - CrowdStrike Agent causing BSOD loop on Windows - Faulty Update on Falcon Sensor

Mon, 01 Jan 0001 00:00:00 +0000

CrowdStrike Agent causing BSOD loop on Windows - Faulty Update on Falcon Sensor.

Vulnerable Version And Products

Latest version of CrowdStrike Falcon Agent on Windows

Fixes and workaround

Boot Windows into Safe Mode or the Windows Recovery Environment
Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
Locate the file matching C-00000291*.sys, and delete it.
Boot the host normally.

We received reports that only the Windows Recovery Environment mode works, as the driver still seems to be loaded in safe mode.

TR-88 - Motivation, procedure and rationale for leaked credential notifications

Mon, 01 Jan 0001 00:00:00 +0000

Motivation, Procedure, and Rationale for Leaked Credential Notifications

Summary

In today’s digital landscape, protecting user data is essential for every organization. When public data leaks expose customer credentials, it is critical to respond promptly to mitigate risks. This document outlines why CIRCL sends notifications about such leaks and explains the procedure we expect organizations to follow. The goal is to safeguard both the organization’s infrastructure and its customers, while ensuring compliance with legal requirements and maintaining trust.

TR-89 - Guidelines for Notifying CSIRT/CERT of Red Teaming and Penetration Testing Exercises - Enhancing Detection and Coordination

Mon, 01 Jan 0001 00:00:00 +0000

Objective

This document outlines recommended practices for notifying Computer Security Incident Response Teams (CSIRT) and Computer Emergency Response Teams (CERT) when organizations plan to conduct red teaming, penetration testing, or other cybersecurity exercises. It highlights the importance of communication, coordination, and technical readiness to detect and differentiate simulated attacks from real threats.

Who

The guidelines are applicable to organizations (in Luxembourg or abroad) performing security exercises that involve simulated attacks on production or critical infrastructure, especially those that could trigger alerts in national or sectoral CSIRTs and CERTs.

TR-90 - Vulnerability identified as CVE-2023-34990, affecting Fortinet FortiWLM

Mon, 01 Jan 0001 00:00:00 +0000

A relative path traversal vulnerability has been discovered in Fortinet FortiWLM versions 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4. This vulnerability allows an attacker to execute unauthorized code or commands by sending specially crafted web requests.

Affected Products

Vendor: Fortinet
Product: FortiWLM
Versions:
- 8.6.0 through 8.6.5 (inclusive)
- 8.5.0 through 8.5.4 (inclusive)

Vulnerability Class

CWE-23: Relative Path Traversal
CWE-94: Improper Control of Generation of Code (‘Code Injection’)

Impact

Successful exploitation of this vulnerability could lead to the execution of arbitrary code or commands on the affected system.

TR-91 - Vulnerability identified as CVE-2024-0012, affecting Palo Alto Networks PAN-OS software

Mon, 01 Jan 0001 00:00:00 +0000

An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges. This allows the attacker to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474.

The risk is greatly reduced if access to the management web interface is restricted to trusted internal IP addresses, adhering to best practice deployment guidelines.

TR-92 - Unused Domain Names and the Risks of Missing DNS SPF Records

Mon, 01 Jan 0001 00:00:00 +0000

Executive Summary

Many organizations maintain a broad portfolio of domain names, acquired for branding, strategic planning, or defensive purposes. However, a significant portion of these domains often remains unused or lacks proper DNS configurations, leaving them vulnerable to exploitation. One particularly critical oversight is the absence of DNS SPF (Sender Policy Framework) TXT records, which are essential to controlling the sources from which emails for a domain can be legitimately sent. This document highlights the risks associated with improperly configured domains and provides actionable recommendations to mitigate such vulnerabilities.

TR-94 - Ongoing Phishing Campaigns Targeting Microsoft 365 Tenants Lacking Multi-Factor Authentication

Mon, 01 Jan 0001 00:00:00 +0000

Executive Summary

This report details ongoing phishing campaigns specifically targeting organisations utilizing Microsoft 365, with a primary focus on Office 365 tenants where Multi-Factor Authentication (MFA) is not enforced. Attackers leverage sophisticated social engineering tactics and convincing phishing pages to harvest user credentials. Successful compromise of accounts without MFA allows attackers immediate access, leading to potential data exfiltration, business email compromise (BEC), internal spear-phishing, and deployment of further malicious payloads. This report outlines the attack methodology, observed indicators, potential impact, and critical mitigation strategies, emphasizing the urgent need for MFA deployment.

TR-95 - Critical vulnerability - Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. CVE-2025-53770 - CVE-2025-53771

Mon, 01 Jan 0001 00:00:00 +0000

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation. For more details about CVE-2025-53770 and CVE-2025-53771.

TR-96 - Multiple Vulnerabilities in F5 Devices and Products - Impact and Mitigation

Mon, 01 Jan 0001 00:00:00 +0000

A nation-state actor has breached F5’s systems and stolen proprietary files, including portions of the BIG-IP source code and vulnerability details. This access gives the attacker a significant advantage, enabling them to discover new flaws and develop targeted exploits for F5 devices and software.

This TR applies to a wide range of F5 products, including BIG-IP iSeries and rSeries hardware, as well as BIG-IP (TMOS), Virtual Edition (VE), BIG-IP Next, and BIG-IQ software.

TR-97 - Supply Chain Compromise Propagating Through the npm Ecosystem (Shai-Hulud)

Mon, 01 Jan 0001 00:00:00 +0000

The incident involves a self-replicating worm, publicly referred to as “Shai-Hulud”, which has infected more than 500 npm packages, with an even broader impact in a second wave (Shai-Hulud 2.0) that delivered a different payload.

After gaining initial access, the malicious threat actor deployed malware designed to scan affected environments for sensitive credentials and exfiltrate these. The second version included a destructive payload capable of deleting the user’s home directory.

TR-98 - Security Advisory Ivanti Endpoint Manager Mobile (EPMM) (CVE-2026-1281 & CVE-2026-1340) - Active Exploitation

Mon, 01 Jan 0001 00:00:00 +0000

Ivanti has released security updates for Endpoint Manager Mobile (EPMM) addressing two critical-severity vulnerabilities.

Successful exploitation allows unauthenticated remote code execution. Active exploitation has been confirmed in the wild, both worldwide and in Luxembourg.

CIRCL strongly recommends immediately initiating a full incident response procedure for all Ivanti EPMM instances, including compromise assessment and log review.

As EPMM is a mobile endpoint management solution, a compromise of the EPMM server can result in severe impact, including full control over managed devices, lateral movements and access to sensitive data.

Traffic Light Protocol (TLP) version 2 - Classification and Sharing of Sensitive Information

Mon, 01 Jan 0001 00:00:00 +0000

Traffic Light Protocol - TLPv2

The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time.

Community: Under TLP, a community is a group who share common goals, practices, and informal trust relationships. A community can be as broad as all cybersecurity practitioners in a country (or in a sector or region) or MISP community.

Understanding and Responding to Distributed Denial-of-Service Attacks

Mon, 01 Jan 0001 00:00:00 +0000

Denial-of-service (DoS) attacks aim to overwhelm a specific application or website, draining the system’s resources and making it unavailable to legitimate users. There are several types of DoS attacks:

Network Resource Overload: This involves exhausting all available network capacities of the target, either through:
- Direct attacks like exploiting server weaknesses or flooding servers with excessive requests.
- Reflection amplification attacks, where the attacker uses a third-party server to redirect a large amount of traffic to the target, using spoofed IP addresses.
Protocol Resource Overload: Targets the session or connection capacities of the system.
Application Resource Overload: Focuses on using up the target’s computing or storage capabilities.

A DDoS attack isn’t solely about overwhelming volume; it can also target specific aspects of a network or application to exhaust resources. Such attacks may focus on exploiting vulnerabilities in protocols or applications, causing disruption without necessarily generating high traffic volumes.