Sharepoint vulnerability exploited in the wild

March 26, 2020 | Chris Doman
Chris Doman

Chris Doman

Threat Engineer

I've had a long interest in security, but joined the industry after winning the civilian section of the Department of Defense's forensics competition. I run a popular threat intelligence portal ( in my spare time, and hold a CCHIA (Certified Host Intrusion Analyst) from CREST and a degree in Computer Science from the University of Cambridge.

March 26, 2020 | Chris Doman

Sharepoint vulnerability exploited in the wild

The CVE-2019-0604 (Sharepoint) exploit and what you need to know AT&T Alien Labs has seen a number of reports of active exploitation of a vulnerability in Microsoft Sharepoint (CVE-2019-0604). One report by the Saudi Cyber Security Centre appears to be primarily targeted at organisations within the kingdom. An earlier report by the Canadian Cyber Security Centre…

December 4, 2019 | Chris Doman

The “Great Cannon” has been deployed again

Summary The Great Cannon is a distributed denial of service tool (“DDoS”) that operates by injecting malicious Javascript into pages served from behind the Great Firewall. These scripts, potentially served to millions of users across the internet, hijack the users’ connections to make multiple requests against the targeted site. These requests consume all the resources of the…

November 21, 2019 | Chris Doman

OTX is a Free STIX/TAXII Feed

Introduction The Open Threat Exchange (OTX) team has been hard at work and we wanted to update everyone on some new functionality that we believe will be very useful to you. We're happy to announce that Alienvault OTX is now a STIX/TAXII feed/server.  What Does That Mean? What is STIX/TAXII? STIX provides a formal…

March 6, 2019 | Chris Doman

Internet of Termites

Termite is a tool used to connect together chains of machines on a network. You can run Termite on a surprising number of platforms including mobile devices, routers, servers and desktops. That means it can be used used to bounce a connection between multiple machines, to maintain a connection that otherwise wouldn’t be possible: Termite is a useful…

October 8, 2018 | Chris Doman

Delivery (Key)Boy

Introduction Below we’ve outlined the delivery phase of some recent attacks by KeyBoy, a group of attackers believed to operate out of China. They were first identified in 2013 targeting governments and NGOs in South East Asia. Their primary targeting continues to this day, though they have also been known to target more diverse victims such as the energy…

June 22, 2018 | Chris Doman

Malicious Documents from Lazarus Group Targeting South Korea

By Chris Doman, Fernando Martinez and Jaime Blasco We took a brief look at some documents recently discussed and reviewed by researchers in South Korea over the past week. The malware is linked to Lazarus, a reportedly North Korean group of attackers. One malicious document appears to be targeting members of a recent G20 Financial Meeting, seeking coordination of the…

June 11, 2018 | Chris Doman

More Details on an ActiveX Vulnerability Recently Used to Target Users in South Korea

Written By Chris Doman and Jaime Blasco Introduction Recently, an ActiveX zero-day was discovered on the website of a South Korea think tank that focuses on national security. Whilst ActiveX controls are disabled on most systems, they are still enabled on most South Korean machines due to mandates by the South Korean government.…

February 15, 2018 | Chris Doman

North Korean Cyber-Attacks and Collateral Damage

WannaCry was incredibly destructive. The attackers made about $150,000 - but the total damage caused by WannaCry has been estimated in the billions of dollars. There is strong evidence linking WannaCry to a group of hackers known as ‘Lazarus’, reportedly operating out of the DPRK (North Korea). Whilst WannaCry is perhaps the most famous attack by Lazarus, it isn…

January 30, 2018 | Chris Doman

OTX Trends Part 3 - Threat Actors

By Javvad Malik and Chris Doman This is the third of a three-part series on trends identified by AlienVault in 2017. Part 1 focused on exploits and part 2 addressed malware. This part will discuss threat actors and patterns we have detected with OTX. Which threat actors should I be most concerned about? Which threat actors your organization should be most concerned…

January 23, 2018 | Chris Doman

OTX Trends Part 2: Malware

By Javvad Malik and Christopher Doman This is the second of a three part series on trends identified by AlienVault. Part 1 focused on the exploits tracked by OTX. This blog will talk about the malware, and Part 3 will discuss trends we’re seeing in threat actors. Which malware should I be most concerned about? Most security incidents that a…

January 16, 2018 | Chris Doman

OTX Trends Part 1- Exploits

By Javvad Malik and Christopher Doman Introduction Every year, AlienVault records billions of anonymised security events from our customers. This telemetry can be aggregated to establish macro trends. And for many years, we have also been comprehensively recording other vendors' threat reports in our Open Threat Exchange (OTX) platform. We have combined these two data-sets to help…

January 8, 2018 | Chris Doman

A North Korean Monero Cryptocurrency Miner

AlienVault labs recently analysed an application compiled on Christmas Eve 2017. It is an Installer for software to mine the Monero crypto-currency. Any mined currency is sent to Kim Il Sung University in Pyongyang, North Korea. The Installer copies a file named intelservice.exe to the system. The filename intelservice.exe is often associated with…