
SANS ISC: Internet Storm Center - Internet Security | DShield Internet Storm Center

Huge Amount of remotewebaccess.com Sites Found in Certificate Transparency Logs

Published: 2019-09-24
Last Updated: 2019-09-24 07:45:08 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

I'm keeping an eye on the certificate transparency logs[1] using automated scripts. The goal is to track domain names (and their variations) of my customers, sensitive services in Belgium, key Internet players and some interesting keywords. Yesterday I detected a peak of events related to the domain 'remotewebaccess.com'. This domain, owned by Microsoft, is used to provide temporary remote access to Windows computers[2]. Microsoft allows you to use your own domain but also provides (for convenience?) a list of available domains. Once configured, you are able to access the computer from a browser.

In my logs, just for yesterday, I found 49610 entries based on the domain 'remotewebaccess.com'. In many cases, the first part of the FQDN clearly reveals the name of the company or the business (e.g. 'clinic', 'health'). Amongst those sites, approximately 500 were alive and reachable from anywhere.

Be careful when you use this feature: your chosen FQDN can be disclosed in certificate transparency logs, and those logs are not only watched by blue teams!
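To show the kind of monitoring described above, here is an added example (not the handler's own script, and not related to any Microsoft tooling) of a small CT watcher: it counts new certificates per day for a watch list of domains, flags a day whose count jumps well above the earlier days' median, and lists the hostnames whose left-most label hints at a business. The feed, the watch list and the keyword list are constructed for the example; a real CT log's get-entries response carries DER certificates that would first have to be parsed with an X.509 library to obtain the names.

```python
import json
import statistics
from collections import Counter, defaultdict

# Domains to watch. Assumed list for this example; in practice this is the
# customer / keyword list the monitoring script is built around.
WATCHED_DOMAINS = ("remotewebaccess.com", "example-customer.be")

# Keywords whose presence in a host label suggests the certificate reveals
# the business behind it (the diary mentions 'clinic' and 'health').
BUSINESS_KEYWORDS = ("clinic", "health", "bank", "law")

# Constructed sample feed: one JSON object per line, already reduced to the
# fields a CT monitor needs (log entry timestamp and the SAN/CN names).
SAMPLE_FEED = """\
{"ts": "2019-09-21T08:01:00Z", "names": ["acme-office.remotewebaccess.com"]}
{"ts": "2019-09-21T13:22:00Z", "names": ["www.example.org", "example.org"]}
{"ts": "2019-09-21T17:45:00Z", "names": ["server.example-customer.be"]}
{"ts": "2019-09-22T09:10:00Z", "names": ["jones-clinic.remotewebaccess.com"]}
{"ts": "2019-09-22T11:05:00Z", "names": ["mail.example.org"]}
{"ts": "2019-09-22T19:30:00Z", "names": ["northside.remotewebaccess.com"]}
{"ts": "2019-09-23T00:12:00Z", "names": ["citylaw.remotewebaccess.com"]}
{"ts": "2019-09-23T02:40:00Z", "names": ["healthfirst.remotewebaccess.com"]}
{"ts": "2019-09-23T04:01:00Z", "names": ["dental-clinic.remotewebaccess.com"]}
{"ts": "2019-09-23T06:55:00Z", "names": ["bobsgarage.remotewebaccess.com"]}
{"ts": "2019-09-23T09:18:00Z", "names": ["riverbank.remotewebaccess.com"]}
{"ts": "2019-09-23T12:33:00Z", "names": ["shop.example.org"]}
{"ts": "2019-09-23T15:27:00Z", "names": ["smithco.remotewebaccess.com"]}
{"ts": "2019-09-23T21:49:00Z", "names": ["pier7.remotewebaccess.com"]}
"""


def parse_feed(text):
    """Yield (day, hostname) pairs from the newline-delimited JSON feed."""
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        day = entry["ts"][:10]  # ISO timestamp -> YYYY-MM-DD
        for name in entry["names"]:
            yield day, name.lower().rstrip(".")


def watched_domain_for(hostname, watched=WATCHED_DOMAINS):
    """Return the watched domain that hostname sits under, or None.

    Matches on a label boundary so 'notremotewebaccess.com' is not counted.
    """
    for dom in watched:
        if hostname == dom or hostname.endswith("." + dom):
            return dom
    return None


def daily_counts(feed_text, watched=WATCHED_DOMAINS):
    """Count certificates per day per watched domain: {domain: {day: n}}."""
    counts = defaultdict(Counter)
    for day, host in parse_feed(feed_text):
        dom = watched_domain_for(host, watched)
        if dom:
            counts[dom][day] += 1
    return counts


def find_peaks(day_counts, factor=3.0, min_history=2):
    """Return (day, count, baseline) for days whose count exceeds
    factor x the median of all earlier days.

    The first `min_history` days only feed the baseline, so a freshly
    added watch entry does not alert on its first day.
    """
    peaks = []
    history = []
    for day in sorted(day_counts):
        n = day_counts[day]
        if len(history) >= min_history:
            baseline = statistics.median(history)
            if n > factor * baseline:
                peaks.append((day, n, baseline))
        history.append(n)
    return peaks


def revealing_labels(feed_text, domain, keywords=BUSINESS_KEYWORDS):
    """List hostnames under `domain` whose left-most label contains a
    keyword that hints at the business or sector behind the host."""
    found = []
    for _day, host in parse_feed(feed_text):
        if watched_domain_for(host, (domain,)) is None:
            continue
        label = host[: -len(domain) - 1]
        if any(k in label for k in keywords):
            found.append(host)
    return found


if __name__ == "__main__":
    counts = daily_counts(SAMPLE_FEED)
    for dom, per_day in counts.items():
        for day, n, base in find_peaks(per_day):
            print(f"{dom}: {n} new certificates on {day} (baseline median {base})")
    for host in revealing_labels(SAMPLE_FEED, "remotewebaccess.com"):
        print("label hints at a business:", host)
```

Run as-is the script reports the 2019-09-23 spike for remotewebaccess.com and the five hostnames whose label matches a keyword. The median-based baseline is deliberately simple; a production watcher would keep a longer history per domain and treat the peak as a trigger to look at the individual entries, exactly as the diary did.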

[1] http://www.certificate-transparency.org/known-logs
[2] https://techcommunity.microsoft.com/t5/Windows-Server-Essentials-and/Configuring-and-Customizing-Remote-Web-Access-on-Windows-Server/ba-p/398904

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant