Summary
A collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is not intended to be an exhaustive source, but simply a collection of items I found interesting throughout my weekly research. The summaries are provided with links for the reader to drill down into particular topics according to their own interests. Thank you to all of the contributors for this great content!
Industry News and Reports
- FBI’s IC3 Report: Losses from BEC Scams to Reach $1.2 Billion
- Proofpoint — 2019 State of the Phish Report
- Malwarebytes Labs — Cybercrime Tactics and Techniques Q1 2019
- The 2019 Trustwave Global Security Report
- Cisco Talos — Threat Roundup for April 19 to April 26
- The Economy of Credential Stuffing Attacks
- Metrics and Maturity: Benchmarking Your Cyber Exposure Over Time
Tools, Tips, and Other Resources
- Threat Hunting Using Yeti and Elastic Stack
- Deobfuscating APT32 Flow Graphs with Cutter and Radare2
- Supercharged certificate monitoring with Faust
- Microsoft Defender ATP API updates
- A few Ghidra tips for IDA users, part 2 – strings and parameters
- Analyzing Emotet with Ghidra — Part 2
- Termshark: A terminal UI for tshark, inspired by Wireshark
- Windows EVTX Samples: a collection of Windows event log samples associated with specific attack and post-exploitation techniques.
- The most common OAuth 2.0 Hacks
- Munin: an online hash checker utility that retrieves valuable information from VirusTotal and other sources
- A look at Stomped VBA code and the P-Code in a Word Document
- MalConfScan: a Volatility plugin that extracts configuration data of known malware.
- Getting in the Zone: dumping Active Directory DNS using adidnsdump
- SharpAdidnsdump: a C# implementation of Dirk-jan Mollema’s adidnsdump research
- How You Can Set up Honeytokens Using Canarytokens to Detect Intrusions
- How to Speed Up Incident Response: Collect Artifacts Faster
- VMware Security Hardening Guides
- Windows Process Injection: WordWarping, Hyphentension, AutoCourgette, Streamception, Oleum, ListPlanting, Treepoline
- Active Directory Attacks
- Autopsy v4.11.0 is officially released for SleuthKit
Threat Research – Malware, Phishing, and other Campaigns in the Wild
- FINTEAM: Trojanized TeamViewer Against Government Targets
- Analyzing C/C++ Runtime Library Code Tampering in Software Supply Chain Attacks
- CARBANAK Week: FireEye week-long analysis series on Carbanak Malware
  - https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html
  - https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html
  - https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html
  - https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-four-desktop-video-player.html
- Analysis: Abuse of Custom Actions in Windows Installer MSI to Run Malicious JavaScript, VBScript, and PowerShell Scripts
- Malicious VBA Office Document Without Source Code
- Rules to Protect Against Azure Blog Phishing in Outlook 365
- DNSpionage brings out the Karkoff
- A Malicious Sight in Google Sites
- APT34: webmask project
- NovaLoader, yet another Brazilian banking malware family
- Back (Again): Uncovering the Latest Qbot Banking Trojan
- Threat actors abuse GitHub service to host a variety of phishing kits
- Brand Impersonation Attacks on Law Firms Harm Clients and Cost Millions
- RadRAT: An all-in-one toolkit for complex espionage ops
- Emotet Adds New Evasion Technique and Uses Connected Devices as Proxy C&C Servers
- JasperLoader Emerges, Targets Italy with Gootkit Banking Trojan
- Beapy: Cryptojacking Worm Hits Enterprises in China
- Beapy Cryptominer Targets Corporate Networks
- Takedowns and Adventures in Deceptive Affiliate Marketing
- Five High-Profile Watering Hole Attacks Highlight Importance of Network Security
- Threat Actor TA505 Targets Financial Enterprises Using LOLBINS and a New Backdoor
- BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat
- Bitcoin: The Next Evolution in BEC Cash Out Methods?
- Dissecting Emotet’s network communication protocol
Breaches, Government, and Law Enforcement
- Operation ShadowHammer: a high-profile supply chain attack
- Doctors’ Management Service hit with GandCrab ransomware attack compromising patient data
- Ransomware attack hits Cleveland Airport crippling email services and information screens
- U.S. charges American engineer, Chinese businessman with stealing GE’s trade secrets
- Former State Department Employee Pleads Guilty to Conspiring with Foreign Agents
- Docker Hub hack exposed data of 190,000 users
  - https://www.zdnet.com/google-amp/article/docker-hub-hack-exposed-data-of-190000-users/?__twitter_impression=true
Vulnerabilities and Exploits
- Detailed Analysis of macOS Vulnerability CVE-2019-8507
- Uncovering CVE-2019-0232: A Remote Code Execution Vulnerability in Apache Tomcat
- Vulnerability Spotlight: Symantec Endpoint Protection kernel memory information disclosure vulnerability
- Unpatched Vulnerability Alert – WebLogic Zero Day
- Oracle WebLogic Affected by Unauthenticated Remote Code Execution Vulnerability (CVE-2019-2725)
- AESDDoS Botnet Malware Exploits CVE-2019-3396 to Perform Remote Code Execution, DDoS Attacks, and Cryptocurrency Mining
- Threats and Vulnerabilities: What’s Old is New Again
- Vulnerable Confluence Servers Get Infected with Ransomware, Trojans
- Pillaging Passwords from Service Accounts
- SMBdoor: a new backdoor proof of concept (POC) inspired by the NSA’s leaked DoublePulsar
- RAR Files and ACE Exploit CVE-2018-20250
- Flashpoint Remediation of 0-Day Exploit on their Public-Facing Website