Security News Feed
Total Articles: 824

Security News

Latest cybersecurity news from CISA, Krebs on Security, and other trusted sources

CVE Mentions: 824
Sources: 4
sans Jan 09, 2026 at 08:11

Malicious Process Environment Block Manipulation, (Fri, Jan 9th)

Reverse engineers must have a good understanding of the environment where malware is executed (read: the operating system). In a previous diary, I talked about malicious code that could be executed when loading a DLL[1]. Today, I'll show you how a malware can hide suspicious information related to created processes.

sans Jan 08, 2026 at 00:13

Analysis using Gephi with DShield Sensor Data, (Wed, Jan 7th)

I'm always looking for new ways of manipulating the data captured by my DShield sensor [1]. This time I used Gephi [2] and Graphviz [3], a popular and powerful tool for visualizing and exploring relationships between nodes, to examine the relationship between the source IP, filename and which sensor got a copy of the file. I queried the past 30 days of data stored in my ELK [4] database in Kibana using ES|QL [5][6] to query and export the data and import the result into Gephi.

sans Jan 06, 2026 at 14:23

Tool Review: Tailsnitch, (Tue, Jan 6th)

In yesterday's podcast, I mentioned "tailsnitch", a new tool to audit Tailscale configurations. Tailscale is an easy-to-use overlay to Wireguard. It is probably best compared to STUN servers in VoIP in that it allows devices behind NAT to connect directly to each other. Tailscale just helps negotiate the setup, and once the connection is established, data will flow directly between the connected devices. I personally use it to provide remote assistance to family members, and it has worked great for this purpose. Tailscale uses a "Freemium" model. For my use case, I do not need to pay, but if you have multiple users or a large number of devices, you may need to pay a monthly fee. There are also a few features that are only available to paid accounts.

sans Jan 05, 2026 at 17:33

Risks of OOB Access via IP KVM Devices, (Mon, Jan 5th)

Recently, a new "breed" of IP-based KVM devices has been released. In the past, IP-based KVM devices required dedicated "server-grade" hardware using IPMI. They often cost several $100 per server, and are only available for specific systems that support the respective add-on cards. These cards are usually used to provide "Lights Out" access to servers, allowing a complete reboot and interaction with the pre-boot environment via simple web-based tools. In some cases, these IPMI tools can also be used via various enterprise/data center management tools.

sans Jan 02, 2026 at 15:43

Debugging DNS response times with tshark, (Fri, Jan 2nd)

One of my holiday projects was to redo and optimize part of my home network. One of my homelab servers failed in November. I had only thrown the replacement in the rack to get going, but some cleanup was needed. In addition, a lot of other "layer 1" issues had to be fixed by re-crimping some network drops and doing general network hygiene. The dust bunny kind of hygiene, not so much the critical controls type. After all, I don't want things to overheat, and it is nice to see all network links syncing properly.

sans Dec 18, 2025 at 08:27

Positive trends related to public IP ranges from the year 2025, (Thu, Dec 18th)

Since the end of the year is quickly approaching, it is undoubtedly a good time to look back at what the past twelve months have brought to us… And given that the entire cyber security profession is about protecting various systems from “bad things” (and we've all correspondingly seen more than our share of the “bad”), I thought that it might be pleasant to look at a few positive background trends that have accompanied us throughout the year, without us necessarily noticing…

About Security News

This feed aggregates the latest cybersecurity news from trusted sources to help you stay informed about emerging threats, vulnerabilities, and security trends.

Our Sources

  • CISA Alerts - Official US Gov
  • Krebs on Security
  • BleepingComputer
  • The Hacker News
  • Dark Reading
  • SANS ISC