π™½π™΄πšƒπšπ™΄πš‚π™΄π™²

@netresec@infosec.exchange
1,096 Followers
534 Following
292 Posts

As part of the investigation, I have looked closely at Telegram's protocol and analyzed packet captures provided by IStories.

I have also done some packet captures of my own.

I dive into the nitty-gritty technical details of what I found and how I found it on my blog:

Telegram is indistinguishable from an FSB honeypot
https://rys.io/en/179.html

Yes, my packet captures and a small Python library I wrote in the process are all published along.

#Telegram #InfoSec #Privacy #Surveillance #Russia

Telegram is indistinguishable from an FSB honeypot

Many people who focus on information security, including myself, have long considered Telegram suspicious and untrustworthy. Now, based on findings published by the investigative journalism outlet ISt

Songs on the Security of Networks
Signed malicious ConnectWise ScreenConnect installers hosted on Cloudflare R2 storage (by @lawrenceabrams)
https://www.bleepingcomputer.com/news/security/hackers-turn-screenconnect-into-malware-using-authenticode-stuffing/
Hackers turn ScreenConnect into malware using Authenticode stuffing

Threat actors are abusing the ConnectWise ScreenConnect installer to build signed remote access malware by modifying hidden settings within the client's Authenticode signature.

BleepingComputer
Why does CloudFlare insist on forwarding abuse reports to hosting providers and website owners? This makes no sense if the website operators and possibly also hosting providers are the criminals you're trying to stop!

@malware_traffic There's some unknown but interesting C2 traffic going on to net 104.16.0.0/13 (on CloudFlare). An HTTP POST is sent every 30 seconds (see Gantt chart) with gz compressed data.

The C2 servers use domain names like:
🔥 event-time-microsoft[.]org
🔥 windows-msgas[.]com
🔥 event-datamicrosoft[.]live
🔥 eventdata-microsoft[.]live

They also use this trycloudflare.com domain:
🔥 varying-rentals-calgary-predict.trycloudflare[.]com

Anyone knows what malware this is?
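An added example, not part of the post above and not Netresec's code: a periodic-beacon check over HTTP POST records, the kind of logic that would surface the fixed 30-second POST cadence and gzip bodies described in the post. The timestamps, client addresses, the server address (an arbitrary one inside 104.16.0.0/13) and the body bytes are constructed; the Host header reuses one of the domains listed in the post, kept in defanged form.

```python
import ipaddress
import statistics
from collections import defaultdict

CLOUDFLARE_NET = ipaddress.ip_network("104.16.0.0/13")  # the range named in the post
GZIP_MAGIC = b"\x1f\x8b"                                 # gzip member header

# Constructed HTTP POST records: (epoch seconds, client, server, Host header, first body bytes).
# Not real capture data; 104.21.5.6 is just an arbitrary address inside 104.16.0.0/13.
BASE = 1700000000.0
SAMPLE_POSTS = [
    (BASE + off, "192.168.1.20", "104.21.5.6", "event-time-microsoft[.]org", b"\x1f\x8b\x08\x00")
    for off in (0.0, 30.2, 60.1, 90.3, 120.0, 150.4, 180.1, 210.2)   # ~30 s cadence
] + [
    (BASE + off, "192.168.1.20", "93.184.216.34", "www.example.com", b'{"q":')
    for off in (0.0, 5.0, 45.0, 57.0, 147.0, 150.0)                  # interactive, irregular
] + [
    (BASE + off, "192.168.1.21", "104.21.5.6", "event-time-microsoft[.]org", b"\x1f\x8b\x08\x00")
    for off in (0.0, 30.0, 60.0)                                      # too few events to judge
]


def beacon_candidates(posts, min_events=5, max_jitter=2.0):
    """Group POSTs by (client, server, host) and report pairs whose inter-arrival
    times are nearly constant (max deviation from the median period <= max_jitter).
    Returns a list of dicts sorted by client and server address."""
    by_pair = defaultdict(list)
    for ts, src, dst, host, body in posts:
        by_pair[(src, dst, host)].append((ts, body))

    results = []
    for (src, dst, host), events in by_pair.items():
        if len(events) < min_events:
            continue
        events.sort()
        times = [ts for ts, _ in events]
        deltas = [b - a for a, b in zip(times, times[1:])]
        period = statistics.median(deltas)
        jitter = max(abs(d - period) for d in deltas)
        if jitter > max_jitter:
            continue
        results.append({
            "src": src,
            "dst": dst,
            "host": host,
            "period_s": round(period, 1),
            "events": len(events),
            "gzip_bodies": sum(1 for _, body in events if body.startswith(GZIP_MAGIC)),
            "in_cf_net": ipaddress.ip_address(dst) in CLOUDFLARE_NET,
        })
    return sorted(results, key=lambda r: (r["src"], r["dst"]))


if __name__ == "__main__":
    for r in beacon_candidates(SAMPLE_POSTS):
        print(f"{r['src']} -> {r['dst']} ({r['host']}): every {r['period_s']} s, "
              f"{r['events']} POSTs, {r['gzip_bodies']} gzip bodies, "
              f"in 104.16.0.0/13: {r['in_cf_net']}")
```

The median period plus a jitter bound is deliberately simple; on real flow data you would also want to ignore pairs with only a handful of events (hence min_events) and treat gzip bodies as a supporting signal, not proof, since plenty of legitimate telemetry is compressed.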

Researchers uncover how the Facebook app used localhost STUN communication with the browser to track visited websites in Covert Web-to-App Tracking via Localhost on Android. This trick works even if the user browses in incognito mode and uses a VPN.

The Meta Pixel uses a technique known as SDP Munging to insert the _fbp cookie contents to the SDP "ice-ufrag" field, resulting in a Binding Request STUN message sent to the loopback address as the following figure shows. This data flow cannot be observed using Chrome's regular debugging tools (such as DevTools).
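A worked example added here, not code from the post above, from the cited paper, or from Meta: a minimal STUN Binding Request parser that pulls out the USERNAME attribute (which ICE builds from the two ice-ufrag values) and flags loopback datagrams whose USERNAME carries an _fbp-shaped value. The sample datagrams, addresses and UDP port are constructed; where the munged ufrag sits inside USERNAME is assumed, so the scanner matches anywhere in the attribute.

```python
import re
import struct
from typing import Optional

STUN_MAGIC_COOKIE = 0x2112A442
STUN_BINDING_REQUEST = 0x0001
STUN_ATTR_USERNAME = 0x0006
# _fbp cookie shape: "fb." + version + "." + 13-digit ms timestamp + "." + random digits
FBP_RE = re.compile(rb"fb\.\d\.\d{13}\.\d+")


def parse_stun(data: bytes) -> Optional[dict]:
    """Parse RFC 5389 STUN framing; return None if the datagram is not STUN."""
    if len(data) < 20:
        return None
    msg_type, msg_len, cookie = struct.unpack("!HHI", data[:8])
    # The top two bits of the type are always zero in STUN and the cookie is fixed.
    if msg_type & 0xC000 or cookie != STUN_MAGIC_COOKIE:
        return None
    if len(data) < 20 + msg_len:
        return None
    attrs = {}
    off, end = 20, 20 + msg_len
    while off + 4 <= end:
        a_type, a_len = struct.unpack("!HH", data[off:off + 4])
        off += 4
        value = data[off:off + a_len]
        if len(value) < a_len:
            return None
        attrs[a_type] = value
        off += (a_len + 3) & ~3  # attribute values are padded to a 4-byte boundary
    return {"type": msg_type, "transaction_id": data[8:20], "attrs": attrs}


def build_binding_request(username: bytes, txid: bytes = b"\x01" * 12) -> bytes:
    """Build a Binding Request carrying one USERNAME attribute (used for the samples)."""
    pad = (-len(username)) % 4
    attr = struct.pack("!HH", STUN_ATTR_USERNAME, len(username)) + username + b"\x00" * pad
    return struct.pack("!HHI", STUN_BINDING_REQUEST, len(attr), STUN_MAGIC_COOKIE) + txid + attr


def extract_fbp(datagram: bytes) -> Optional[str]:
    """Return the _fbp value carried in USERNAME, or None."""
    msg = parse_stun(datagram)
    if msg is None or msg["type"] != STUN_BINDING_REQUEST:
        return None
    username = msg["attrs"].get(STUN_ATTR_USERNAME)
    if not username:
        return None
    m = FBP_RE.search(username)
    return m.group(0).decode() if m else None


def scan_udp(records):
    """records: (src_ip, dst_ip, dst_port, payload). Flag loopback STUN carrying _fbp."""
    hits = []
    for src_ip, dst_ip, dst_port, payload in records:
        if not dst_ip.startswith("127."):
            continue
        fbp = extract_fbp(payload)
        if fbp:
            hits.append((src_ip, dst_port, fbp))
    return hits


# Constructed sample datagrams (not from a real capture). ICE USERNAME is
# "<remote-ufrag>:<local-ufrag>"; the munged value is assumed to be the local half.
SAMPLE_RECORDS = [
    ("127.0.0.1", "127.0.0.1", 12345, build_binding_request(b"AppUfrag:fb.1.1717171717171.1234567890")),
    ("127.0.0.1", "127.0.0.1", 12345, build_binding_request(b"AppUfrag:k3Yx9Qp2")),  # ordinary ICE check
    ("10.0.0.5", "10.0.0.9", 3478, build_binding_request(b"peer:fb.1.1717171717171.1234567890")),  # not loopback
    ("127.0.0.1", "127.0.0.1", 12345, b"\x16\x03\x01\x00\x05hello"),  # not STUN at all
]

if __name__ == "__main__":
    for src, port, fbp in scan_udp(SAMPLE_RECORDS):
        print(f"loopback STUN to udp/{port} from {src} carries _fbp={fbp}")
```

Because the leak rides on loopback UDP, it is invisible to DevTools and to a VPN tunnel alike; capturing on the loopback interface (or reading a pcap of it) is what makes the USERNAME attribute observable at all.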

Detecting PureLogs traffic with CapLoader

CapLoader includes a feature for Port Independent Protocol Identification (PIPI), which can detect which protocol is being used inside of TCP and UDP sessions without relying on the port number. In this video CapLoader identifies the PureLogs C2 protocol. The PureLogs protocol detection was added to[...]

Netresec

Another tool I use is #NetworkMiner

It is a powerful open-source tool for #NetworkForensics that lets me extract artifacts such as files, images, emails and passwords from PCAP files. NetworkMiner can also capture live network traffic and aggregate detailed information about each IP address, which is useful for passive asset discovery and overviews of communicating devices.

Since 2007, NetworkMiner has grown into a popular tool for incident response teams and law enforcement agencies and is used worldwide.

For me, an indispensable tool for analyzing network data efficiently and precisely.

😀 ✌🏼

#CyberSecurity #OpenSource #DigitalForensics #InfoSec #NetworkAnalysis #DFIR

New Blog!

There is lots of RFC1918 space out there, yet most people use the same 10 /24 subnets

I ended up having my OOB LAN collide with someones home network a few weeks ago, and decided to find a new subnet to use that won't collide backed up with actual usage data!

Picking uncontested private IP subnets with usage data

https://blog.benjojo.co.uk/post/picking-unused-rfc1918-ip-space

BKA names identity of the suspected boss of the Trickbot gang

The Federal Criminal Police Office BKA is searching for the alleged head of the notorious "Trickbot" gang by name and face.

heise online
CapLoader 2.0 released today!
🔎 Identifies over 250 protocols in #PCAP
🎨 Define protocols from example traffic
🇶 Extracts JA3, JA4 and SNI from QUIC
💻 10x faster user interface
https://netresec.com/?b=256dbbc
CapLoader 2.0 Released

I am thrilled to announce the release of CapLoader 2.0 today! This major update includes a lot of new features, such as a QUIC parser, alerts for threat hunting and a feature that allows users to define their own protocol detections based on example network traffic. User Defined Protocols CapLoader's[...]

Netresec
Why does CloudFlare insist on forwarding abuse reports to hosting providers and website owners? This makes no sense if the website operators and possibly also hosting providers are the criminals you're trying to stop!
@netresec Sadly it is a part of the US DMCA and the equivalent EU regs that you need to doxx yourself as you deliver those reports.
@alda In what way would GDPR require that personal data should be shared with 3rd parties?
@netresec I've asked myself this very question several times before.

@alda @netresec nah, that's a lie.

#Gandi.net also fired #KiwiFarms for hosting #CSAM and they didn't d0x those that tipped them off...
https://infosec.space/@kkarhan/114743233834160376

Kevin Karhan :verified: (@kkarhan@infosec.space)

@netresec@infosec.exchange because #CloudFlare is a #RogueISP who routinely hosts and supports #Cybercrime and #Terrorism actors, including #Daesh and #KiwiFarms for the latter. - #Doxxing reports *and* refusing to acknowledge that they can in fact *yeet clients* off their network is their routine #ModiOperandi. Only once clients threatened to fire #ClownFlare did they fire KiwiFarms! https://en.wikipedia.org/wiki/Cloudflare#Kiwi_Farms

Infosec.Space

@netresec because #CloudFlare is a #RogueISP who routinely hosts and supports #Cybercrime and #Terrorism actors, including #Daesh and #KiwiFarms for the latter.

  • #Doxxing reports and refusing to acknowledge that they can in fact yeet clients off their network is their routine #ModiOperandi.

Only once clients threatened to fire #ClownFlare did they fire KiwiFarms!

https://en.wikipedia.org/wiki/Cloudflare#Kiwi_Farms

Cloudflare - Wikipedia

@kkarhan @netresec Thanks for the reminder of why I don't use CloudFlare services (specifically the KiwiFarms situation clued me in to their systemic protection of abuse)!
I had forgotten, and included their DNS server in a powershell script with a list of DNS servers I wrote last month, that I'm now going to remove. They don't deserve my web traffic!

@ZahmbieND @netresec personally I use multiple #DNS servers with #OpenNIC being my preference.

lists.d/dns.servers.list.tsv at main Β· greyhat-academy/lists.d

List of useful things. Contribute to greyhat-academy/lists.d development by creating an account on GitHub.

GitHub
@kkarhan @netresec Awesome! Do you mind if I copy that whole list? In this situation, it's a list of servers I'm using to verify a DNS record has propagated to most of the internet.
GitHub - greyhat-academy/lists.d: List of useful things

List of useful things. Contribute to greyhat-academy/lists.d development by creating an account on GitHub.

GitHub
@netresec Abuse reports have been addressed to the hosting provider since time immemorial, because besides the website owner they're the ones who can be held legally responsible. If you want to inform somebody else, maybe use email?
@kolya Yes, email would be much better. The problem is knowing WHERE to email an abuse complaint to CloudFlare unless you actually know someone who works at Cloudflare's security team.

@netresec @kolya that is intentional because #CloudFlare is a #RogueISP.

Maybe send a #fax to their Munich Office from an Internet Cafe?

https://infosec.space/@kkarhan/114743233834160376

@netresec you're not supposed to send abuse reports to Cloudflare the same way you wouldn't send reports to an email server that an abusive email passed through on its way to you. Cloudflare consider themselves part of internet infrastructure in that way, not content providers. But this is all well known.
Of course you're free to question Cloudflare's status as infrastructure providers. Just know that this debate has already been going on for a few years.
@kolya Then let's keep the debate going! Giving up just because nothing has changed doesn't help.
@netresec I'm not even sure what your point is: Should infrastructure providers be made liable for abuse in your opinion? (VPNs too?) Do you question Cloudflare's status as a provider?
@kolya The main issue isn't about liability, but rather about unwillingness to take action against malicious actors using their services for illegal activities. Also, Cloudflare is much more than just a transit provider. They also run nameservers for entire botnets and C2 infrastructures.
https://infosec.exchange/@netresec/114743583440776224
π™½π™΄πšƒπšπ™΄πš‚π™΄π™² (@netresec@infosec.exchange)

@daniel@federation.network But Cloudflare do run the nameservers for many malware/botnet domains. They also forward TCP traffic to command-and-control servers from infected computers. So it's not so much about the hosted content, but rather the service they provide.

Infosec Exchange
@netresec if they're not liable, why would they wade into this, muddy their neutral stance, invest into checks and personnel, only to open themselves up to lawsuits by customers?
all throughout this discussion you sound like an activist who has precious little knowledge about this topic, but strongly held opinions. kinda weird for a self-proclaimed network expert TBH.
@netresec Abuse form creates yet another form of abuse because anyone can enter any email as the complainer too lmao. I've seen many impersonation attempts via it
@kkarhan @netresec Well if you processed shit from Cloudflare you would know
@evamik @netresec I literally block #CloudFlare's entire ASN because they are just as shit as #DDoSguard and #StarkIndustries...

@netresec This is hilariously silly.

Imagine reporting to the police someone for abusing you, while also sending a letter to the abuser telling them that you are reporting them to the police.

@Azarilh @netresec that is intentional because #ClownFlare had no issues hosting #CSAM & #Terrorism (i.e. #KiwiFarms) until their clients told them: "It's us or them!"...

https://infosec.space/@kkarhan/114743233834160376

@kkarhan So I've seen. Concerning to say the least.
@netresec It actually makes perfect sense when you realise that their goal isn't actually to stop abuse...
@netresec I think because they don't host the content themselves and they just pass the responsibility to those who do. It's basically just a "notify the hoster" contact form in disguise.
@daniel But Cloudflare do run the nameservers for many malware/botnet domains. They also forward TCP traffic to command-and-control servers from infected computers. So it's not so much about the hosted content, but rather the service they provide.

@netresec @daniel also #OCILLA privileges only apply up to the point the provider is being notified.

#ClownFlare deliberately claims to not be able to (which is a lie!) when OFC they are.

  • See how quickly they fired #KiwiFarms when all the right reasons didn't matter, but bigger clients yeeted #CloudFlare!

https://infosec.space/@kkarhan/114743233834160376

@netresec @catsalad I know someone who spitefully got her entire employer’s infrastructure off Cloudflare after she tried to report emotional abuse and serial harassment being hosted by them, and they forwarded all her contact info to the emotionally abusive serial harassers…
@0xabad1dea @catsalad That's terrible, but in line with how Cloudflare handled the Kiwi Farms incident as well. Good that they took action and punished Cloudflare where it hurts (in the wallet).

@0xabad1dea @netresec @catsalad I know that case in person.

  • Actually I know multiple cases…
@netresec because they specifically want literal Nazis and terrorists to have the capability to retaliate, threaten, and murder anyone who complains about them.
There is a reason they are called NaziFlare.
@netresec Just block the entire #CloudFlare #ASN and be done with it!