Activity
  • Aug 05 13:38
    New CIRCL OSINT: Phishing collection (via URLabuse service)
  • Aug 05 13:38
    New CIRCL OSINT: OSINT - DarkHydrus delivers new Trojan that can use Google Drive for C2 communications
  • Aug 05 13:38
    New CIRCL OSINT: OSINT - [Emering] FIN7 JScript Loader Malware
  • Aug 05 13:38
    New CIRCL OSINT: OSINT - A journey to Zebrocy land
  • Aug 05 13:38
    New CIRCL OSINT: OSINT - Felipe, a new infostealer Trojan
  • Aug 05 13:38
    New CIRCL OSINT: Kaspersky Lab: Spearphishing attack hits industrial companies
  • Aug 05 13:38
    New CIRCL OSINT: 2019-07-18: Newer "PoSeidon" aka "FindPOS" aka "FindStr" 15.10 Point-of-Sale Malware
  • Aug 05 13:38
    New CIRCL OSINT: OSINT - Repository containing original and decompiled files of TRISIS/TRITON/HATMAN malware
  • Aug 05 13:38
    New CIRCL OSINT: OSINT - Very nasty Linux backdoor with multiple components
  • Aug 05 13:38
    New CIRCL OSINT: Targeted phishing - PDF documents / phishkit
  • Aug 05 13:38
    New CIRCL OSINT: 2019-03-08: TerraLoader Signed -> JS RAT
  • Aug 05 13:38
    New CIRCL OSINT: IoT malware - Gafgyt.Gen28 (active) - 20190220 - 20190222
  • Aug 05 13:38
    New CIRCL OSINT: Shamoon potential samples
  • Aug 05 13:38
    New CIRCL OSINT: Turla Outlook White Paper
  • Aug 05 13:38
    New CIRCL OSINT: Blog Post: EMOTET INFECTION WITH ICEDID
  • Aug 05 13:38
    New CIRCL OSINT: US-CERT Alert (TA18-149A) HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
  • Aug 05 13:38
    New CIRCL OSINT: OSINT - Turla renews its arsenal with Topinambour
  • Aug 05 13:38
    New CIRCL OSINT: OSINT - .sg domain used to host malware
  • Aug 05 13:38
    New CIRCL OSINT: OSINT - SWEED: Exposing years of Agent Tesla campaigns
  • Aug 05 13:38
    New CIRCL OSINT: OSINT - Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques
Dharshan Shaun Ryan
@dharshanduck
hey guys, just side-tracking a little, has anybody here come across this file extension, possibly related to a ransomware: .w5qvw
:3
the extension is of an encrypted file
Sascha Rommelfangen
@rommelfs
Excellent first question in our humble new room! This file extension is probably not leading to too much information. Google has no hits. It’s either extremely new or a random file extension. I would propose to look at other indicators that come alongside the file extension. Look at the file content. Is it random? Does it have an extremely high entropy? If not, can you see a specific structure, like rearranged content or added headers?
Can you spot and extract the process that did the encryption? Some forensics might be necessary to identify and extract the malware. Starting a MISP event with this indicator would be great
Dharshan Shaun Ryan
@dharshanduck

well, currently I'm off site (not at the client's place); I'm planning to head over there. Even checking the darknet (though barely even scratching the surface), nothing found.

my plan is to check the ransom note, looking for any indicators, then check for the origin.

currently my MISP instance is not connected to other instances; I'm utilizing the feed system.

Sascha Rommelfangen
@rommelfs
If that fails, do you spot text files with instructions on how to decrypt the encrypted files? They probably contain email addresses, BTC addresses, specific wording in the text. All of it can be usable in a MISP event
From there, other people might add information based on their skills
Dharshan Shaun Ryan
@dharshanduck
exactly, that's the plan
:smile:
Sascha Rommelfangen
@rommelfs
You can share the indicators with everyone and put information about victim or internal ticket numbers as org only
Once you’re connected
Dharshan Shaun Ryan
@dharshanduck
exactly, but the thing is it depends on whether my bosses plan to allow our instance to be connected to other instances :sweat_smile:
Sascha Rommelfangen
@rommelfs
Sure
You might want to elaborate on the benefits of sharing
Like correlation
Or extending knowledge
Or requesting help
...
Dharshan Shaun Ryan
@dharshanduck
yeah, would definitely do that
Dharshan Shaun Ryan
@dharshanduck
@rommelfs hey, so I have some questions regarding sharing or effectively joining the misppriv community, but I'd put it in a PM to you or maybe via email
Sascha Rommelfangen
@rommelfs
Yes great, send the request to info@circl.lu
Dharshan Shaun Ryan
@dharshanduck
but in the meantime, is it possible for you (whenever possible) to do an attribute search on the extension? .w5QVW
Sascha Rommelfangen
@rommelfs
There is no event containing this string on our instance.
Dharshan Shaun Ryan
@dharshanduck
hmm, thanks, could possibly be something new
Sascha Rommelfangen
@rommelfs
it’s probably just randomized
Dharshan Shaun Ryan
@dharshanduck
meaning, one ransomware, various randomized encrypted extensions on each PC it runs on?
Sascha Rommelfangen
@rommelfs
randomized extension on each run so that it can’t be fingerprinted based on extension
Dharshan Shaun Ryan
@dharshanduck
that too makes sense
Dharshan Shaun Ryan
@dharshanduck
so we found it to be the Sodinokibi ransomware based on these links within the ransom note
• hxxp://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd[.]onion
• hxxp://decryptor[.]top
seldem
@seldem
Hi all, can you see the attributes of UUID: 5d01f1fa-cc24-4adb-b6b6-4c88950d210f ? I have an attribute warning on this event and cannot see any attributes attached to it.
Michal Purzynski
@michalpurzynski
with a bit of Apache magic we now have an SSO-ed version of MISP with machines authenticating with client certificates (and humans with SSO)
happy to share how we did that - what's the best way?
Sascha Rommelfangen
@rommelfs
Hi @michalpurzynski great to hear! You could put it in a descriptive GitHub issue or into the FAQ when it is not excessive
Trey Darley
@certbe-trey
@michalpurzynski Please do share!
Sascha Rommelfangen
@rommelfs
We have open training opportunities in September in Luxembourg.
24.09.2019 MISP Training - Threat Intelligence Analysts and Administrators https://en.xing-events.com/EJKDRZP
25.09.2019 MISP Training - Hands-on workshop https://en.xing-events.com/UEXXGRO
26.09.2019 MISP Training - Advanced developers session, including MISP core https://en.xing-events.com/CQYGYJQ
Trey Darley
@certbe-trey
Is anybody using IEPF yet?
Sascha Rommelfangen
@rommelfs
Risky answer: what’s that?
Trey Darley
@certbe-trey
@rommelfs Information Exchange Policy Framework (aka, TLP++). Cf. https://www.first.org/global/sigs/iep/
Sascha Rommelfangen
@rommelfs
not using it.
could be a taxonomy in MISP
Trey Darley
@certbe-trey

@rommelfs It already is: https://github.com/MISP/misp-taxonomies/blob/master/iep/machinetag.json

I just don't see anybody tagging events with it.

Sascha Rommelfangen
@rommelfs
oh, didn’t see it
great
cbboggs
@cbboggs
for some reason this room wouldn't show up in the search until I joined it manually by typing in the URL... Oh well
Rainer Ginsberg
@cudor
@certbe-trey We use the permitted-actions predicate when sharing with associated communities, but not the other predicates.
Trey Darley
@certbe-trey
@cudor If you can say, have your results matched your expectations? Has there been much heavy-lifting in terms of community education?
Rainer Ginsberg
@cudor
@certbe-trey Our sharing communities are rather small (about a dozen organizations) and we meet in person regularly (three to four times a year). Adherence to the permitted-actions tag (and other requirements) has been discussed and documented in the communities' sharing guidelines. From what I can tell, everyone follows those guidelines.
Trey Darley
@certbe-trey
@cudor Thanks for the feedback.