Summary
Welcome to Security Soup’s continuing coverage of infosec highlights from the previous week. The highlights include a collection of links relating to news, tools, threat research, and more! The focus trends toward DFIR and threat intelligence, but other hacking-related topics are included as well. This list is not intended to be an exhaustive source, but simply a collection of items I found interesting throughout my weekly research. The summaries are provided with links for the reader to drill down into particular topics according to their own interests. Thank you to all of the contributors for this great content!
Industry News and Reports
- Year-End Review: Business Email Compromise in 2018
- Talos Threat Source (April 18): Newsletter
- 2019 Phishing Trends & Intelligence Report: The Growing Social Engineering Threat
- APT34 (aka Oil Rig) — Tool Leak, context, and analysis
Breaches, Government, and Law Enforcement
- Microsoft reveals breach affecting webmail users
- Coverage of the Wipro breaches:
- Asynchronous Warfare, Part 2: Strategy and Phases
- Marcus Hutchins pleads guilty to malware charges
Tools and Tips
- A few Ghidra tips for IDA users, part 2 – strings and parameters
- Merlin v0.7.0 — an updated version of the HTTP/2 post-exploitation framework
- How To: get started with Cobalt Strike
- Reverse Engineering Reference Manual (beta)
- ripgrep (rg) — a line-oriented search tool that recursively searches your current directory for a regex pattern.
- Revisiting TTPs: TimeStomper
- Four tools to consider if you’re adopting ATT&CK
- BlueCommand: a dashboard and tooling front-end for PowerShell Empire
- Basic OPSEC Tips & Tricks for OSINT researchers
- Ursnif beacon decryptor
- Boss of the SOC 2.0 Dataset, Questions and Answers Open-Sourced and Ready for Download
- Analyzing Emotet with Ghidra — Part 1
- Revisiting Known Perps: Behavioral Profiling for Continuous Monitoring of Threat Actors (Video)
Threat Research – Malware, Phishing, and other campaigns in the wild.
- Potential Targeted Attack Uses AutoHotkey and Malicious Script Embedded in Excel File to Avoid Detection
- DNS Hijacking Abuses Trust In Core Internet Service
- Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People’s Republic
- Silence Group Playbook
- From .tk Redirects to PushKa Browser Notification Scam
- Emotet Makes Good Websites Go Bad – Uniden Edition
- Inside Scranos – A Cross Platform, Rootkit-Enabled Spyware Operation
- Account With Admin Privileges Abused to Install BitPaymer Ransomware via PsExec
- Top Stories: Malware in Moscow and TajMahal Spyware
- New HawkEye Reborn Variant Emerges Following Ownership Change
- FLASHMINGO: The FireEye Open Source Automatic Analysis Tool for Flash
- Flash Update: Emotet Gang Distributes First Japanese Campaign
- The Rising Threat of Business Email Compromise (BEC) and How to Stay Safe
- Malware Sample Delivered Through UDF Image
- PreAMo – A Clicker Campaign found on Google Play
- Funky malware format found in Ocean Lotus sample
- Predator the Thief: New Routes of Delivery
Vulnerabilities and Exploits
- New zero-day vulnerability CVE-2019-0859 in win32k.sys
- VPN applications insecurely store session cookies
- “Zero-day” XML External Entity (XXE) Injection Vulnerability in Internet Explorer
- http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt
- https://blog.trendmicro.com/trendlabs-security-intelligence/zero-day-xml-external-entity-xxe-injection-vulnerability-in-internet-explorer-can-let-attackers-steal-files-system-info/
- https://blog.0patch.com/2019/04/microsoft-edge-uses-secret-trick-and.html
- https://mobile.twitter.com/HaifeiLi/status/1117523997313224704?s=19