Updated SSL scanner, and more capacity
16 September 2024
Yesterday the SSL scan software had a major update. Some certificates, especially in cloud environments, where showing trust issues that should have been no problem. With the new update, that is fixed. I hope all certificates are rescanned before the weekly reports are send out, but there might be some that still show a T grade. If you are in doubt, you can always fire a rescan from the GUI the make sure.
Also, all the infrastructure and scheduling updates of the last months are finally paying off. The scan capacity has massively increased and no scans should be running late anymore. If you do see that happening, please report it and I'll have a look at it.
OpenCTI connector for ShadowTrackr
02 September 2024
Good news for
OpenCTI users: We now have a connector available! The source is here on Github:
github.com/ShadowTrackr/opencti-connector-shadowtrackr.
If you run OpenCTI in Docker, you can also use the prebuilt container
basvanschaik/opencti-connector-shadowtrackr:1.0.2 on Dockerhub.
This first version of the connector uses the data in ShadowTrackr to reduce false positives in OpenCTI. ShadowTrackr contains a lot of data to track Cloud and CDN systems, TOR nodes, Public DNS servers en VPNs. If you run a Threat Intelligence Platform like OpenCTI, you'll be ingesting quite a few indicators that come from automatic analyses. Some of these are Cloud, VPN or CDN ip addresses that are rotated quickly. Others might be public DNS servers that malware uses to check if the internet is reachable. I've even seen GMail servers classified as "Phishing".
You don't want to block a CDN ip for 3 months if it's used by an atacker for just a day. And you don't want to block GMail servers when one bad user abused it to send out a phishing email.
You can use the ShadowTrackr OpenCTI connectors to label indicators, automatically reduce scores, and even reduce the validity date to just one day.
If you run a similar system as OpenCTI and need a plugin/connector to reduce false positives, please
let me know.
Exploited CVEs visible in GUI and PDF reports
12 August 2024
You're already familiar with the CVEs in the GUI and PDF reports. They are blue boxes with rounded corners that have a color on the left side signalling the CVSS severity: red (critical), orange (high), yellow (medium) and green (low).
As of now, a red bar on the right side signals that the CVE is exploited. If you click on the CVE, you will be shown a page that shows you where that information comes from. IT can be because the US CISA says so on their Known Exploited Vulnerability list, or because a Proof-of-Concept is publicly available. In that last case, the link to the PoC is shown too.
There's also a new report available (query: $exploited_vulnerabilities_report) that only shows you the exploitable CVEs you have for you assets. Who knows, they might already have been exploited. Patch them as soon as possible!