CVEs, or Common Vulnerabilities and Exposures, are IDs used to reference know vulnerabilities. These provide a description and public information provided by the parties involved in the disclosure of the vulnerability or exposure and are often used by researchers to act upon the disclosed information. While working on collecting information about specific CVEs in a simple form we came up with an small piece of code that will make that work much simpler and fast.
Active Scanning for SAP Applications
The New and Improved Attacker IP Prioritizer
The Attacker IP Prioritization (AIP) project by the Aposemat team is devoted to using the AIP Tool [3] that we have been developing to generate IPv4 Blacklists[4] using the data collected from the attacks on the honeypots in our IoT lab[9]. In this post, we will be describing the major updates to the AIP Tool that the Aposemat team has been working on, and therefore also the AIP Blacklists which we publish since they are generated using the AIP Tool.
Machine Learning Leaks and Where to Find Them
Machine learning systems are now ubiquitous and work well in several applications, but it is still relatively unexplored how much information they can leak. This blog post explores the most recent techniques that cause ML models to leak private data, an overview of the most important attacks, and why this type of attacks are possible in the first place.
Dark Nexus: the old, the new and the ugly
CYBERSEC & AI Connected Workshops: Call for Presentations
CyberSec & AI Connected is an annual conference where academic and industrial leaders come together to discuss developments at the intersection of AI and cybersecurity. 2019 brought together a stellar group of speakers from industry and academia to discuss and debate these intellectual challenges (see the 2019 conference report and speaker list at cybersecai.com). This year event will take place online and in four cities on 8th October 2020.
RHOMBUS: a new IoT Malware
Timeline of IoT Malware - Version 1
In this blog post we would like to share our first version of a Timeline of IoT Malware. We searched information for all mainstream IoT malware families using OSINT techniques, we correlated the information obtained, and attempted to provide a general high level picture of how the landscape looks like right now and how it evolved in the last years.
Upcoming April 13th Update for Aposemat AIP Blacklists
The Attacker IP Prioritization Blacklists, or AIP Blacklists, are blacklists of IP addresses generated from the attacks made on the honeypots in our IoT lab by our AIP algorithm.
IoT-23 In Depth: CTU-IoT-Malware-Capture-1-1
This post is a continuation of the IoT-23 In Depth series based on the IoT-23 Dataset, the first dataset of malicious and benign IoT network traffic, that consists of 23 scenarios. In this blog post we provide an analysis of Scenario 9, CTU-IoT-Malware-Capture-60-1. This malware sample is called Hide-and-Seek. This variant is an IoT malware family capable of different types of DDoS attacks, exploits vulnerabilities in other devices, such as routers and wireless cameras, and to brute force the Telnet service across the Internet to expand its botnet. This malware makes use of the custom peer-to-peer (P2P) protocol to transfer data.
[Cyber] CiderSecurityCon Conference Wrap Up
The CiderSecurityCon conference was scheduled to take place on March 14-15, 2020. Due to the COVID pandemic however, the on-site event was cancelled. The organizing crew however, decided to re-organize a virtual version of the conference. Using Zoom with the speakers, and streaming via YouTube, they managed to pull off a very friendly and nice virtual event. Here’s our wrap up.
IoT-23 In Depth: CTU-IoT-Malware-Capture-60-1
This post is a continuation of the IoT-23 In Depth series based on the IoT-23 Dataset, the first dataset of malicious and benign IoT network traffic, that consists of 23 scenarios [1]. In this blog post we provide an analysis of Scenario 9 [2], CTU-IoT-Malware-Capture-60-1. This malware sample is called Gafgyt. This variant is an IoT malware family capable of different types of DDoS attacks and exploits vulnerabilities in other devices, such as routers, to expand its botnet which has been seen attacking gaming servers [3].
Swiss Cyber Security Days: Conference Wrap-Up
The Swiss Cyber Security Days are a two-day event in Fribourg, Switzerland. This event brought together Cyber security researchers, consultants from technology, business, politics and the general public interested in cybersecurity from all over the world.
At the second edition of the Swiss Cyber Security Days our researcher Maria Jose Erquiaga presented the work of the Aposemat laboratory in the talk: “The Truth is out there: Hunting malware from an IoT laboratory”.
IoT-23 In Depth: CTU-IoT-Malware-Capture-8-1
This post is a continuation of the IoT-23 In Depth series based on the IoT-23 Dataset, the first dataset of malicious and benign IoT network traffic, that consists of 23 scenarios [1]. In this blog post we provide an analysis of Scenario 13 [2], CTU-IoT-Malware-Capture-8-1. This malware sample is called Hakai and it’s a variant of Linux.Mirai/Gafgyt. Mirai is an IoT malware family capable of different types of DDoS attacks, telnet brute force attacks and it uses different sets of exploits to infect other devices, such as routers.
IoT-23 In Depth: CTU-IoT-Malware-Capture-3-1
This post is a continuation of the IoT-23 In Depth series based on the IoT-23 Dataset, the first dataset of malicious and benign IoT network traffic, that consists of 23 scenarios [1]. In this blog post we show an analysis of Scenario 19 [2], CTU-IoT-Malware-Capture-3-1. This malware sample is called Muhstik and it’s a variant of the STD/Tsunami bot. The STD/Tsunami bot is an IoT malware capable of different types of DDoS attacks and it uses the IRC protocol to communicate with its C&C server.
Zeek: New IRC Feature Extractor Package
Zeek Package IRC Feature Extractor extends the functionality of Zeek network analysis framework. We create IRC Feature Extractor Zeek Package to automatically recognize IRC communication in a packet capture (pcap) file and to extract features from it. The goal for the feature extraction is to describe an individual IRC communications that occur in the pcap file as accurately as possible.
IoT-23 In Depth: CTU-IoT-Malware-Capture-9-1
A couple of weeks ago, we released the IoT-23 Dataset, the first dataset of malicious and benign IoT network traffic, that consists of 23 scenarios. In this blog post we provide an analysis of Scenario 18, CTU-IoT-Malware-Capture-9-1. This malware sample is Hajime. We analysed the binary sample and the network traffic of this scenario.
Writing a SLIPS Module
In this blogpost, we will walk through the process of developing a new SLIPS module: the VirusTotal (VT) module. This module will listen for new IP addresses and check them against VirusTotal API. VirusTotal returns detailed information on each IP, and the module will process this information and save it to the shared database.