Archive

All blog posts in chronological order

March 2018

InQuest Provides Zero-Day Coverage Against Advanced Threats via Partner Exodus Intel - Threat intelligence is only as good as the sources that drive it, which is why we integrate Zero-Day exploitation coverage into our product via research from Exodus Intelligence. Going beyond public vulns and in-the-wild samples, this level of coverage affords protection against new TTPs, long before they become part of the known threat landscape.
Defense in Depth: Detonation Technologies - We believe that any security stack, in essence, follows the Swiss cheese model. With each slice of cheese representing a security product, and each hole representing some bypass or evasion. Following best practices and employing a Defense-in-Depth model results in a stacking of these slices, each additional stack reducing the exposure window and minimizing the overall risk to a computing environment.

February 2018

An Introduction to Deep File Inspection - Deep File Inspection, or DFI, is the reassembly of packets captured off of the wire into application level content that is then reconstructed, unraveled, and dissected (decompressed, decoded, decrypted, deobfuscated) in an automated fashion. This allows heuristic analysis to better determine the intent by analysis of the file contents (containers, objects, etc.) as an artifact.
Adobe Flash MediaPlayer DRM Use-After-Free Vulnerability - On February 1st, Adobe published bulletin APSA18-01 for CVE-2018-4878 describing a use-after-free (UAF) vulnerability affecting Flash versions 28.0.0.137 and earlier. As of February 6th, Adobe has patched the issue in version 28.0.0.161, APSB18-03. This post provides an overview of the vulnerability, a walk-through of the exploit seen in the wild, and covers several detection mechanisms.
InQuest Deployed by DISA in the Joint Regional Security Stack (JRSS) - Defense Information Systems Agency (DISA) selects InQuest as provider of advanced file and session analytics for Joint Regional Security Stacks (JRSS), a high-volume and mission critical environment.

October 2017

Microsoft Office DDE Vortex Ransomware Targeting Poland - Unfortunately it appears that ransomware authors are now starting to employ the use of Microsoft Office DDE malware carriers. This post will likely be our last on DDE dissection and covers the delivery of Vortex ransomware, seemingly targeted towards Poland.
Microsoft Office DDE Freddie Mac Targeted Lure - In reviewing the results of out Microsoft Office DDE malware hunt, we came across an interesting sample targeted to Freddie Mac employees. This post dives into the dissection of this well put together sample.
Microsoft Office DDE SEC OMB Approval Lure - In reviewing the results of our Microsoft Office DDE malware hunt, we came across an interesting lure posing as an Securities and Exchange Commission (SEC) Office of Management and Budget (OMB) approval letter. The sample utilizes some tricks to increase chances of successful exploitation. We'll walk through the dissection of the components in this post.
Microsoft Office DDE Macro-less Command Execution Vulnerability - On October 9th 2017, SensePost researchers posted a technique demonstrating macro-less command execution in Microsoft Office documents through Dynamic Data Exchange (DDE). While variations of this technique are known, the post sheds light on the fact that Microsoft has no intent to address the matter, and that "exploit" creation is trivial. This post provides an overview of the vulnerability, provides a mitigation, covers sample hunting, and covers the dissection of a few interesting samples gathered during the week.