Hello and welcome to Sec Soup, where the weekly newsletter has a collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is neither vetted nor intended to be an exhaustive source. Keeping up with the enormous volume of security-related information is a daunting task, but this is my way of filtering the most useful items and improving the signal-to-noise ratio. Happy Reading!
Industry Reports, News, and Miscellany
- Sophos: Sophos State of Ransomware Report 2021
- Zscaler: 2022 Phishing Attacks Report | ThreatLabz
- Fortinet: An Overview of the Increasing Wiper Malware Threat
- Kaspersky: APT trends report Q1 2022
- Dragos: Software in the Supply Chain: The Newest Insider Threat to ICS Networks
- Cisco Talos: Quarterly Report: Incident Response trends in Q1 2022
- PhishLabs: Qbot Payloads Dominate Q1
- BleepingComputer: REvil ransomware returns: New malware sample confirms gang is back
- Sucuri: Hacked Website Threat Report 2021
- Meta: Meta’s Adversarial Threat Report, First Quarter 2022
- Mandiant: Breaking Down the M-Trends 2022 Report
- Google: A Year in Review of 0-days Used In-the-Wild in 2021
- Tareq Alkhatib: An Introduction To The Current Threat Landscape
- PwC: Cyber Threats 2021: A Year in Retrospect
Threat Research
- CrowdStrike: LemonDuck Botnet Targets Docker for Cryptomining Operations
- Proofpoint: This isn’t Optimus Prime’s Bumblebee but it’s Still Transforming
- Proofpoint: Emotet Tests New Delivery Techniques
- IBM: Hive0117 Continues Fileless Malware Delivery in Eastern Europe
- ESET: A lookback under the TA410 umbrella: Its cyberespionage TTPs and activity
- Fortinet: Trends in the Recent Emotet Maldoc Outbreak
- Zscaler: Peeking into PrivateLoader
- Zscaler: Lazarus Group APT Targeting South Korean Users
- Cybereason: THREAT ANALYSIS REPORT: SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems
- BlackBerry: Threat Thursday: BoratRAT
- CISA: MAR-10376640-1.v1 – IsaacWiper and HermeticWizard
- CISA: MAR-10376640-2.v1 – CaddyWiper
- Mandiant: Trello From the Other Side: Tracking APT29 Phishing Campaigns
- Mandiant: Assembling the Russian Nesting Doll: UNC2452 Merged into APT29
- SentinelOne: LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility
- The DFIR Report: Quantum Ransomware
- BushidoToken: Lessons from the Conti Leaks
- BushidoToken: Gamer Cheater Hacker Spy
- Bitdefender: RedLine Stealer Resurfaces in Fresh RIG Exploit Kit Campaign
- Cynet: Orion Threat Alert: Flight of the BumbleBee
- AdvIntel: Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
- Cluster25: The LOTUS PANDA is awake, again. Analysis of its last strike.
Tools and Tips
- Flashpoint: Definitive Guide to Ransomware: What It Is and How Your Organization Can Prevent, Detect, and Respond to a Ransomware Attack
- Fortinet: Using Emulation Against Anti-Reverse Engineering Techniques
- Symantec: Ransomware: How Attackers are Breaching Corporate Networks
- SANS ISC: Using Passive DNS sources for Reconnaissance and Enumeration
- SANS ISC: MITRE ATT&CK v11 – a small update that can help (not just) with detection engineering
- Red Canary: Better know a data source: Access tokens (and why they’re hard to get)
- Digital Shadows: The Power Of Data Analysis In Threat Intelligence – Part 2: Machine Learning
- Mandiant: Annotating Malware Disassembly Functions Using Neural Machine Translation
- PAN Unit42: Defeating BazarLoader Anti-Analysis Techniques
- NVISO Labs: Analyzing VSTO Office Files
- SANS: A Primer on Neurodiversity in Cybersecurity
- Atomic Matryoshka: Emotet DLL Part 1: Static Analysis
- Tony Lambert: Shortcut to Emotet, an odd TTP change
- OALabs: Emotet 64-bit: Initial Triage of new Emotet 64-bit sample
- Andy Piazza: Goldilocks CTI: Building a Program That’s Just Right
- Katlyn Gallo: Analyzing ATT&CK Matrix Gaps & Proposing Mitigations
- Microsoft: GitHub – microsoft/msticpy: Microsoft Threat Intelligence Security Tools
- Flaksec: Blue Teams have a burnout issue. Here is why and what can be done about it
- Binary Defense: Detecting Ransomware’s Stealthy Boot Configuration Edits
- amrandazz: cloud-threat-detection: to conceptualize the attack surfaces in the cloud and theory craft the types of detections that can be applied
Breaches, Government, and Law Enforcement
- Flashpoint: Russia-Ukraine War, Money Laundering, and Cybercrime
- Recorded Future: The Role of Civil Society and the United Front in China’s Evacuation From Ukraine
- Microsoft: The hybrid war in Ukraine – Microsoft On the Issues
- Check Point: Behind the Curtains of the Ransomware Economy – The Victims and the Cybercriminals
- Krebs: Leaked Chats Show LAPSUS$ Stole T-Mobile Source Code
- Trustwave: Stormous: The Pro-Russian, Clout Hungry Ransomware Gang Targets the US and Ukraine
- Data Breach Today: India to Set 6-Hour Breach Reporting Requirement
- Wired: Inside the Bitcoin Bust That Took Down the Web’s Biggest Child Abuse Site
- Harrison Van Riper: Russia’s cyber-supported invasion of Ukraine: An Intelligence Assessment
Vulnerabilities and Exploits
- Fortinet: Using EPSS to Predict Threats and Secure Your Network
- Malwarebytes: The top 5 most routinely exploited vulnerabilities of 2021
- SANS ISC: A Day of SMB: What does our SMB/RPC Honeypot see? CVE-2022-26809
- CISA: Vulnerability Summary for the Week of April 18, 2022
- CISA: 2021 Top Routinely Exploited Vulnerabilities
- Microsoft: Microsoft finds new elevation of privilege Linux vulnerability, Nimbuspwn