Latest Alerts

SANS Internet Storm Center, InfoCON: yellow

"Stealth" Update for Flash from Adobe, (Sat, Jan 24th)

Sat, 01/24/2015 - 18:58

[Update] Adobe has now updated its advisory and confirmed that version 16.0.0.296 fixes the 0-day vulnerability (CVE-2015-0311). [2][3]

Adobe apparently just released Flash version 16.0.0.296. There is nothing on Adobe's website about whether this is a patch. As a matter of fact, Adobe still lists 16.0.0.287 as the most recent version [1]. You can download 16.0.0.296 if you manually check for updates using Flash.

This article will be updated as we learn more. I have NO IDEA if this new version fixes the current vulnerability, but given that this is a surprise weekend release, chances are that it was released in response to the vulnerability. Apply this update at your own risk.

Thanks to Christopher for noticing!

[1] http://www.adobe.com/software/flash/about/

[2] http://helpx.adobe.com/security/products/flash-player/apsa15-01.html

[3] http://blogs.adobe.com/psirt/?p=1160

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Flash 0-Day: Deciphering CVEs and Understanding Patches, (Fri, Jan 23rd)

Sat, 01/24/2015 - 18:30

(updated with Jan 24th update)

Over the last two weeks, we have so far had two different Adobe advisories (one regularly scheduled, and one out of band), and three new vulnerabilities. I would like to help our readers decipher some of the CVEs and patches that you may have seen.

[Table residue: CVE, Fixed in Flash Version ... yes, APSA15-01]

So in short: There is still one unpatched Flash vulnerability. Systems running Windows 8 or below with Firefox or Internet Explorer are vulnerable. You are not vulnerable if you are running Windows 8.1, and the vulnerability is not exposed via Chrome. EMET appears to help, as may other tools like Malwarebytes Anti-Exploit.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Infocon change to yellow for Adobe Flash issues, (Fri, Jan 23rd)

Fri, 01/23/2015 - 10:05

We have decided to change the Infocon [1] to yellow in order to bring attention to the multiple recent Adobe Flash Player vulnerabilities [2] that are being actively exploited. There have been 3 patched vulnerabilities that have an update, and applying them is highly recommended. 1 of the vulnerabilities has not yet been patched, and a fix is expected to be released as an OOB (Out of Band) update next week by Adobe [3].

Our reasoning is that the Adobe Flash Player is very widely installed, the vulnerability affects multiple platforms, remote code execution gives the attacker complete control of the system, the patch is not yet available, it affects both organizational IT systems as well as home or SOHO users, a crimeware kit is actively exploiting the vulnerabilities, people might mistakenly believe that the patch from yesterday fixes all of the issues, and last but not least mitigation through the use of EMET or other tools/means is not normally feasible for home users or quick deployment in enterprise environments without testing. In short, the high impact of these vulnerabilities being exploited warrants raising the Infocon from now until Monday.

[1] https://isc.sans.edu/infocon.html

[2] https://isc.sans.edu/forums/diary/Flash+0Day+Deciphering+CVEs+and+Understanding+Patches/19223/

[3]

Adrien de Beaupré
My SANS teaching schedule


PHP 5.6.5 is available, (Fri, Jan 23rd)

Fri, 01/23/2015 - 06:18

How Vulnerabilities Happen: Input Validation Problems, (Fri, Jan 23rd)

Fri, 01/23/2015 - 05:29

We would like to thank Richard Ackroyd of RandomStorm for reporting a critical input validation error in our site to us. As we have done before, here is how it happened so hopefully you can learn from it as well.

Let's start with a bit of background. Our site deals a lot with IPv4 addresses. Most of the time, we store IPv4 addresses as a string. I know this isn't the most efficient way, but well, that decision goes back to the beginning. To make sorting and indexing simpler, we pad IPv4 addresses with zeros, and you may have seen this on the site. 192.0.2.1 becomes 192.000.002.001.

Originally, I used a simple trick to validate IP addresses. I just converted the IP address to its long integer format, and then back to a string. This guarantees that you end up with a valid IP address. Later, we started using more of the standard FILTER functions in PHP to make some input validation easier, and modified the IPv4 validation function to use it. At the same time, to make the code a bit simpler, we also added an unpad function to fix up the IP address by removing extra 0s first.

Here is a quick view at the vulnerable code:

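if ( is_ipv4($sIPAddress) ) { /* ... use $sIPAddress ... */ } else { /* ... display error ... */ }

function is_ipv4($sValue) {
  $sValue=unpadip($sValue); // only the unpadded copy is validated
  if ( filter_var($sValue,FILTER_VALIDATE_IP,FILTER_FLAG_IPV4) ) { return true; }
  return false;
}

function unpadip($sIP) {
  $aIP=explode('.',$sIP);
  if ( sizeof($aIP)!=4 ) { return false; }
  return sprintf('%d.%d.%d.%d',$aIP[0],$aIP[1],$aIP[2],$aIP[3]);
}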

So why is this wrong? The big problem is that I am modifying the value (unpad) before validating it, and then using the unmodified value, not the one I modified. At first, that doesn't look too bad in this case. But it turns out that the unpad function does more than just remove extra 0s. Any other non-numeric character is removed. E.g. try:

printf("%d", "123 this is an exploit");

and you will get 123 back. That is part of the point of %d. The end result was that we validated a value that was cleansed by unpad, but then used the dirty value which still included the exploit code.

Our solution for now is twofold:

- add a bit more input validation to the unpad function, just in case we use it unsafely in other parts of the code
- remove the unpad from the is_ipv4 validation function.

The ultimate solution would be to change how we store IPv4 addresses and store them as long integers, which is much more efficient, but will take some time as we have a lot of code that needs to read/write from those tables. For IPv6 we use two 64 bit numbers (BIGINT in MySQL), which works very well as it splits network and interface part.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn
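
The validate-one-value, use-another flaw from the input validation diary above, next to one way to close it. This is an added example, not the site's actual code: the function names `is_ipv4_flawed`, `canonical_ipv4` and `padip` and the sample inputs are assumptions made for illustration. The strict version checks the raw string and hands back the canonical value, so the caller has only one string left to use.

```php
<?php
// Added illustration; function names and sample inputs are constructed.

// Loose unpad as described in the diary: %d keeps only the leading
// digits of each dot-separated part and silently drops the rest.
function unpadip_loose($sIP) {
    $aIP = explode('.', $sIP);
    if (count($aIP) != 4) {
        return false;
    }
    return sprintf('%d.%d.%d.%d', $aIP[0], $aIP[1], $aIP[2], $aIP[3]);
}

// Flawed check: validates the cleaned copy, while the caller keeps
// working with the original string it passed in.
function is_ipv4_flawed($sValue) {
    $sClean = unpadip_loose($sValue);
    return filter_var($sClean, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
}

// Strict check: the raw input must consist of exactly four groups of
// 1-3 digits. Returns the canonical dotted quad, or null on rejection.
function canonical_ipv4($sValue) {
    $sRe = '/\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/';
    if (!is_string($sValue) || !preg_match($sRe, $sValue, $m)) {
        return null;
    }
    // Safe to use %d here: every group is known to be digits only.
    $sCanon = sprintf('%d.%d.%d.%d', $m[1], $m[2], $m[3], $m[4]);
    if (filter_var($sCanon, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;   // for example an octet above 255
    }
    return $sCanon;
}

// Zero-padded storage form, built from the canonical value only.
function padip($sCanon) {
    return vsprintf('%03d.%03d.%03d.%03d', explode('.', $sCanon));
}

$aSamples = array(   // constructed inputs
    '192.000.002.001',
    '192.0.2.1',
    '192.0.2.1 this is an exploit',
    '192.0.2.1<b>',
    '192.0.2.999',
    '192.0.2',
);

foreach ($aSamples as $sIn) {
    $bFlawed = is_ipv4_flawed($sIn);
    $sCanon  = canonical_ipv4($sIn);
    printf("%-32s flawed: %-7s strict: %s\n",
        var_export($sIn, true),
        $bFlawed ? 'PASS' : 'reject',
        $sCanon === null
            ? 'reject'
            : $sCanon . ' (stored as ' . padip($sCanon) . ')');
}
```

The third and fourth inputs pass the flawed check even though the string the caller goes on to use still carries the trailing text; the strict check rejects both.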


ISC StormCast for Friday, January 23rd 2015 http://isc.sans.edu/podcastdetail.html?id=4325, (Fri, Jan 23rd)

Thu, 01/22/2015 - 19:03

OOB Adobe patch!, (Thu, Jan 22nd)

Thu, 01/22/2015 - 10:50

Adobe has released an advisory regarding an out of band security update for Flash, APSB15-02 [1]. It is a fix for CVE-2015-0310, which is reserved but for which there is little additional information at the NIST or Mitre sites. Most likely this is the previously reported 0day [2]. There are reports that this vulnerability is actively being exploited, and that it is part of a crimeware kit. This would be a highly recommended patch! If you have the Adobe Flash Player installed, apply the update. All versions on all platforms appear to be vulnerable.

[1] http://helpx.adobe.com/security/products/flash-player/apsb15-02.html

[2] https://isc.sans.edu/forums/diary/Flash+0Day+Exploit+Used+by+Angler+Exploit+Kit/19213/

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
My SANS teaching schedule


ISC StormCast for Thursday, January 22nd 2015 http://isc.sans.edu/podcastdetail.html?id=4323, (Thu, Jan 22nd)

Wed, 01/21/2015 - 21:09

Flash 0-Day Exploit Used by Angler Exploit Kit, (Wed, Jan 21st)

Wed, 01/21/2015 - 10:07

The Angler exploit kit is a tool frequently used in drive-by download attacks to probe the browser for different vulnerabilities, and then exploit them to install malware. The exploit kit is very flexible and new exploits are added to it constantly.

However, the blog post below shows how this exploit kit is currently using an unpatched Flash 0-day to install malware. Current versions of Windows (e.g. Windows 8 + IE 10) appear to be vulnerable. Windows 8.1 and Google Chrome do not appear to be vulnerable.

This is still a developing story, but typically we see these exploits more in targeted attacks, not in widely used exploit kits. This flaw could affect a large number of users very quickly. Please refer to the original blog for details.

[1] http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Oracle Critical Patch Update for Q1 2015 (Includes Java Updates), (Wed, Jan 21st)

Wed, 01/21/2015 - 09:51

Oracle released its critical patch update. This quarter's CPU fixes a total of 169 vulnerabilities across the entire Oracle product portfolio.

For end users, Java is probably the most important part of this update. This time around, 13 Java vulnerabilities are patched that allow remote code execution.

None of the vulnerabilities in Oracle, the flagship database product, are remotely exploitable without authentication. But one bug in particular got some press, as it exposes a rather simple configuration issue in Oracle's database allowing for privilege escalation within the database.

Yesterday, we talked about privilege escalation in Linux. But similar problems exist in databases. Your end-user application (often a web application) should only connect back to the database using a user with carefully tailored permissions. However, all users need to have limited access to some system tables, for example to be able to find tables they have access to.

In this case, the table in question is called DUAL. This table has only one column, and one value: X. Itsysdate isn't an actual column, but by using the DUAL table we can make this look like a normal SQL query.

Given this, the DUAL table doesn't really need any indexes, in particular since it only contains one value. Nevertheless, Oracle allows all users to create indexes on this table. For the non-Oracle DBA, this may not sound that bad. But Oracle has a neat feature to use user defined functions to create indexes. This can lead to more efficient indexes if specific functions are used to query the table.

An attacker can now define a function that would give the attacker DBA privileges, and then ask the database to create an index using this function. By creating the index, the function that grants DBA privileges is executed.

[1] http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Finding Privilege Escalation Flaws in Linux, (Tue, Jan 20th)

Wed, 01/21/2015 - 06:27

We often tend to ignore privilege escalation flaws. In order to take advantage of these vulnerabilities, an attacker first needs to have access to the system itself. But in particular for systems that many users have access to, it can be difficult to monitor them all for compromised credentials. Systems with web servers often suffer from web application flaws that can be used to execute code as the web server, which then can be used to gain root access via a privilege escalation flaw.

From a defensive point of view, the problem with privilege escalation flaws is that there are so many of them, and they are not limited to bugs that can be patched. Frequently configuration mistakes can give rise to privilege escalation flaws. Auditing your system for these problems should be done regularly to avoid privilege escalation flaws.

For example, a user may create a cron job, and then have root execute the cron job, but the file remains writable by the user. Someone gaining access to the system as this user could now easily escalate privileges by modifying the script.

Luckily, there are a number of scripts that make it easier for us to find these problems:

unix-privesc-check: Very comprehensive script that works on many Unix flavors, not just Linux. Read the ToDo section at the beginning as it lists other areas that should be checked. The output is sent to stdout, and you had better pipe it to a file as it is very verbose even in default mode.

http://pentestmonkey.net/tools/audit/unix-privesc-check

LinEnum: A more limited script as far as privilege escalation goes, but it does summarize other configuration options nicely.

https://github.com/rebootuser/LinEnum

linuxprivchecker: Similar to LinEnum in that it summarizes system configuration information, not just privilege escalation issues.

http://www.securitysift.com/download/linuxprivchecker.py

And if you prefer to take a more manual approach, or if you need to verify some of the results produced by the scripts, check this very nice cheat sheet:

http://www.rebootuser.com/?p=1623

Any tools I missed? Please let me know!

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


ISC StormCast for Wednesday, January 21st 2015 http://isc.sans.edu/podcastdetail.html?id=4321, (Wed, Jan 21st)

Tue, 01/20/2015 - 21:29

ISC StormCast for Tuesday, January 20th 2015 http://isc.sans.edu/podcastdetail.html?id=4319, (Tue, Jan 20th)

Mon, 01/19/2015 - 20:24

Traffic Patterns For CryptoWall 3.0, (Mon, Jan 19th)

Mon, 01/19/2015 - 08:39

This is a guest diary submitted by Brad Duncan.

Various sources have reported version 3 of CryptoWall has appeared [1] [2] [3]. This malware is currently seen from exploit kits and phishing emails. CryptoWall is one of many ransomware trojans that encrypt the personal files on your computer and demand a bitcoin payment before you can unlock them.

I got a sample on Wednesday, January 14th 2015 while infecting a virtual machine (VM) from a malicious server hosting the Magnitude exploit kit.

If you're registered with Malwr.com, you can get a copy of this CryptoWall 3.0 sample at:

https://malwr.com/analysis/MDA0MjIzOGFiMzVkNGEzZjg3NzdlNDAxMDljMDQyYWQ/

Let's look at the traffic from my infected VM:

In this example, the infected VM checked ip-addr.es to determine its public IP address. Then the VM communicated with a server at 194.58.109.158 over a non-standard HTTP port. In this case it was port 2525, but I saw different ports in other hosts I've infected with this sample.

Finally, the user viewed a web page for the decrypt instructions at 5.199.166.220.

When monitoring the infection traffic with Security Onion [5], we see an EmergingThreats alert for CryptoWall check-in [4].

The decryption instructions specify the following bitcoin account for a ransom payment: 1GJRTp9YRKFEvzZCTSaRAzrHskFjEwsZy

Here's what the user would see on their desktop screen:

----------

Brad Duncan is a Security Researcher at Rackspace, and he runs a blog on malware traffic analysis at http://www.malware-traffic-analysis.net

References:

[1] http://malware.dontneedcoffee.com/2015/01/guess-whos-back-again-cryptowall-30.html
[2] http://www.bleepingcomputer.com/forums/t/563169/after-a-brief-hiatus-malware-developers-release-cryptowall-3/
[3] https://forums.malwarebytes.org/index.php?/topic/163485-cryptowall-30/
[4] http://doc.emergingthreats.net/2018452
[5] http://blog.securityonion.net/p/securityonion.html


ISC StormCast for Monday, January 19th 2015 http://isc.sans.edu/podcastdetail.html?id=4317, (Mon, Jan 19th)

Sun, 01/18/2015 - 16:49

Strange & Random GET PHP Queries, (Sun, Jan 18th)

Sun, 01/18/2015 - 15:36

Over the past few months, I have been observing strange web queries against my honeypot where the pattern is always the same: a combination of two letters, but each instance using two different letters. The pattern starts with a pair of two letters, then three by dropping the last letter, and lastly ends with the remaining 2 letters. Here are some examples:

/ewew/ewe/ew.php
/fcfc/fcf/fc.php
/bpbp/bpb/bp.php
/wcwc/wcw/wc.php
/ovov/ovo/ov.php

I have also been regularly getting requests for the Linksys CGI script /tmUnblock.cgi (GET/POST) associated with TheMoon Linksys worm [1], WordPress login /wp-login.php [2], ColdFusion administrator page /CFIDE/administrator as well as a multitude of other stuff listed below.

/cgi-bin/test-cgi
/user/soapCaller.bs
/admin.php
/MyAdmin/scripts/setup.php
/phpMyAdmin/scripts/setup.php
/pma/scripts/setup.php
/a2billing/customer/javascript/misc.js

This last example is URL encoded:

/cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E

Which equates to: [3]

-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n

[1] https://isc.sans.edu/forums/diary/More+Details+About+TheMoon+Linksys+Worm/17669
[2] https://isc.sans.edu/forums/diary/Strange+wordpress+login+patterns/19191/
[3] http://www.asciitohex.com

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
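
A small triage routine for the request patterns described in the diary above, as an added example that is not part of the original post. The function names, the labels and the sample request lines are assumptions; the encoded query is a shortened form of the one quoted in the diary.

```php
<?php
// Added illustration. Request lines are constructed from paths quoted in
// the diary; the encoded query is a shortened form of the one shown there.

// Matches /xyxy/xyx/xy.php where x and y are two different lowercase letters.
function is_two_letter_probe($sPath) {
    return preg_match('#\A/(([a-z])(?!\2)[a-z])\1/\1\2/\1\.php\z#', $sPath) === 1;
}

// Decode a query string and return the "-d name=value" ini overrides in it.
// Under CGI, a query without a literal "=" is handed to the program as
// command-line arguments, which is why every "=" arrives encoded as %3D.
function php_cgi_overrides($sQuery) {
    if ($sQuery === '' || strpos($sQuery, '=') !== false) {
        return array();
    }
    $aTokens = preg_split('/\s+/', trim(urldecode($sQuery)));
    $aOut = array();
    for ($i = 0; $i + 1 < count($aTokens); $i++) {
        if ($aTokens[$i] === '-d' && strpos($aTokens[$i + 1], '=') !== false) {
            list($sName, $sVal) = explode('=', $aTokens[$i + 1], 2);
            $aOut[$sName] = $sVal;
            $i++;   // skip the value token just consumed
        }
    }
    return $aOut;
}

$aKnownProbes = array(   // paths and labels taken from the diary text
    '/tmUnblock.cgi'       => 'Linksys CGI (TheMoon worm)',
    '/wp-login.php'        => 'WordPress login',
    '/CFIDE/administrator' => 'ColdFusion administrator',
);

// Classify one request line of the form "METHOD target HTTP/x.y".
function triage($sRequestLine, $aKnownProbes) {
    $aParts = explode(' ', trim($sRequestLine));
    if (count($aParts) < 2) {
        return 'unparsed';
    }
    $aTarget = explode('?', $aParts[1], 2);
    $sPath   = $aTarget[0];
    $sQuery  = isset($aTarget[1]) ? $aTarget[1] : '';

    if (is_two_letter_probe($sPath)) {
        return 'two-letter pattern probe';
    }
    $aIni = php_cgi_overrides($sQuery);
    if ($aIni) {
        $aPairs = array();
        foreach ($aIni as $sName => $sVal) {
            $aPairs[] = $sName . '=' . $sVal;
        }
        return 'PHP option injection via query: ' . implode(', ', $aPairs);
    }
    if (isset($aKnownProbes[$sPath])) {
        return 'known probe: ' . $aKnownProbes[$sPath];
    }
    return 'other';
}

$aLog = array(   // constructed sample request lines
    'GET /ewew/ewe/ew.php HTTP/1.1',
    'GET /wcwc/wcw/wc.php HTTP/1.1',
    'POST /tmUnblock.cgi HTTP/1.1',
    'GET /index.php?id=5 HTTP/1.1',
    'GET /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1',
);

foreach ($aLog as $sLine) {
    echo triage($sLine, $aKnownProbes), '  <=  ', substr($sLine, 0, 48), "\n";
}
```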


Shellshock keeps on giving!, (Fri, Jan 16th)

Fri, 01/16/2015 - 10:43

It has been 12 years since the SQL Slammer worm plagued the Interwebs .. come to think of it, that was also in January. But that's not the point :). Today, twelve years later, there are amazingly still infected Slammer drones out there, and if you are running a Honeypot on udp/1434, I promise you won't have to wait all that long until an ancient piece of malware history comes a-knockin'.

Odds are that Shellshock exploits won't have the same stamina, primarily because the Shellshock attack is not self-contained wormy in one packet, but rather usually pushed by previously Shellshocked bots that scan for targets. But it still looks like Shellshock scanning and bot-pushing will now be background noise for the foreseeable future, because there is a surprising number of systems out there that remain vulnerable. Systems that our sensors then pick up as being part of a Shellbot army. Investigating one of these bots recently, I discovered that it was a Slackware installation from 2007 and appeared to be a remote weather sensor, complete with webcam that showed the (sadly, very green) ski slope below. I managed to track down the owner, a hotel in Switzerland, who were unaware that their weather station contained a computer. If our DShield logs are any indication, there are A LOT of these devices (and hotels, etc ..) out there.

Here is what you can do to help.

The address in the red box - 76.12.A.B in this case - is from where you are being scanned. This does not mean that the originator is evil. Most likely, it is just another weather station or deep fryer where the owner is unaware. So if you contact them, be gentle, and prepared to explain a lot :)

The address in the blue box - 91.142.C.D in this case - is from where the bot code is being pulled. This is most commonly a hacked web server, or a throwaway free website hosting account. In this case, you can locate the hoster via Whois, and make use of their Abuse contact address to let them know. If you include a log snippet like shown above, most hosters will respond and take the bot code down.

A third thing that you can do is download the bot code (carefully :) to your machine, by going to http://91.142.C.D/img.txt in this case. I am not a lawyer (so don't take my word for it) but since the activity is clearly malicious, and since your computer was instructed by the scanning bot to download this code, I would say that doing so on your own is okay. The bot code itself is not very interesting, but the ones we've seen so far are usually written in Perl, and contain a hard-coded IP address used for the Command&Control. Again, you can determine the hoster of that C&C address via Whois, and let them know.

The latter two measures will though leave the original victim infected and vulnerable. So .. if you have the time and patience, and it looks like the scanning host is in a residential or small business address range (think DSL), then it might be worthwhile to try and contact the original victim (76.12.A.B above), and enlighten them about all the unexpected things in life that contain a computer these days.

Another word of caution: Obviously, a bot that is scanning you for the presence of Shellshock is most likely vulnerable to Shellshock itself, and missing a plethora of other patches. You might be tempted to poke back at the system, and use the Shellshock conduit on your own to determine what is inside. Doing so though is hacking, and illegal. Owners of hacked systems do not appreciate getting hacked once more by researchers, no matter how allegedly well-intentioned the researcher is. For the hotel weather station that I mention above, I used a passive combination of reverse DNS, Google, archive.org, Netcraft and Whois to determine what it was, and whom to contact.


ISC StormCast for Friday, January 16th 2015 http://isc.sans.edu/podcastdetail.html?id=4315, (Fri, Jan 16th)

Thu, 01/15/2015 - 17:29

tcp/6379 trolling - Redis NoSQL? Or something else?, (Thu, Jan 15th)

Thu, 01/15/2015 - 16:39

DShield sensors report an uptick of scanning for tcp/6379, currently mostly originating from 61.160.x and 61.240.144.x, which are both CHINANET/UNICOM. tcp/6379 is the default port of the Redis NoSQL database (http://redis.io) and Redis by default accepts connections from any

Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet

which makes us wonder if the service scanned for in this case is indeed Redis, or something else?


Strange wordpress login patterns, (Thu, Jan 15th)

Thu, 01/15/2015 - 15:48

Reader Robert came today with a very interesting situation. He noticed odd WordPress login patterns:

T 31.47.254.62:51020 - +http://www.google.com/bot.html).
Host: **redacted**
Accept: */*.
Cookie: wordpress_test_cookie=WP+Cookie+check.
Content-Length: 131.
Content-Type: application/x-www-form-urlencoded.
.
log=adminpwd=admin%21%21%21wp-submit=Log+Inredirect_to=http://**redacted**/wp-admin/tes1a0

T 62.210.207.146:43322 - +http://www.google.com/bot.html).
Host: **redacted**
Accept: */*.
Cookie: wordpress_test_cookie=WP+Cookie+check.
Content-Length: 113.
Content-Type: application/x-www-form-urlencoded.
.
log=ahenrypwd=Ahenry%24%24%24wp-submit=Log+Inredirect_to=http://**redacted**/wp-admin/tes1a0

T 109.199.82.5:46902 - +http://www.google.com/bot.html).
Host: **redacted**
Accept: */*.
Cookie: wordpress_test_cookie=WP+Cookie+check.
Content-Length: 110.
Content-Type: application/x-www-form-urlencoded.
.
log=natemcpwd=Johns666wp-submit=Log+Inredirect_to=http://**redacted**/wp-admin/tes1a0

tes1a0 in the WordPress 4.1 installation download and it's not part of the code. It

Have you seen this kind of WordPress attempts? If yes, let us know via the Contact form. I will update the diary with the information gathered.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org
