Summary

— A collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is not intended to be an exhaustive source, but simply a collection of items I found interesting throughout my weekly research. The summaries are provided with links for the reader to drill down into particular topics according to their own interests. Thank you to all of the contributors for this great content!

Industry News, Reports, and Miscellany

Dragos 2018 Year in Review Webinar Recap: Lessons Learned from Threat Hunting and Responding to Industrial Intrusions
- https://dragos.com/blog/industry-news/dragos-2018-year-in-review-webinar-recap-lessons-learned-from-threat-hunting-and-responding-to-industrial-intrusions/
APT trends report Q1 2019
- https://securelist.com/apt-trends-report-q1-2019/90643/
Asynchronous Warfare part 3: How Conventional Strategies and Tactics Are Applied to Cyberwarfare
- https://www.lastline.com/blog/asynchronous-warfare-part-3-how-conventional-strategies-and-tactics-are-applied-to-cyberwarfare/
Quarterly Impostor Email Attacks Aimed at Financial Services Organizations Increased More than 60% Year-Over-Year
- https://www.proofpoint.com/us/corporate-blog/post/quarterly-impostor-email-attacks-aimed-financial-services-organizations
USB Attacks: How Do You Counteract Curiosity?
- https://www.proofpoint.com/us/security-awareness/post/usb-attacks-how-do-you-counteract-curiosity
Another Marketplace Bites the Dust
- https://www.fidelissecurity.com/threatgeek/another-marketplace-bites-dust
How Stolen Ecommerce Data is Sold on the Darknet
- https://blog.sucuri.net/2019/05/how-stolen-ecommerce-data-is-sold-on-the-darknet.html
Two sides of IT vs. OT Security and ICS Security Operations
- https://dragos.com/blog/industry-news/two-sides-of-it-vs-ot-security-and-ics-security-operations/
Interview with Dmitri Alperovitch Offers Insights From the Global Threat Report
- https://www.crowdstrike.com/blog/dmitri-alperovitch-ismg-interview-global-threat-report-insights/
Vietnam ‘on the edge’ of becoming a mid-tier cybercrime hub
- https://www.zdnet.com/google-amp/article/vietnam-on-the-edge-of-becoming-a-mid-tier-cybercrime-hub/?__twitter_impression=true
A hacker is wiping Git repositories and asking for a ransom
- https://www.zdnet.com/google-amp/article/a-hacker-is-wiping-git-repositories-and-asking-for-a-ransom/?__twitter_impression=true

Tools and Tips

Introduction to KAPE
- https://isc.sans.edu/forums/diary/Introduction+to+KAPE/24896/
Webcast: Attack Tactics 5 – Zero to Hero Attack
- https://www.blackhillsinfosec.com/webcast-attack-tactics-5-zero-to-hero-attack/
Munin is a online hash checker utility that retrieves valuable information from various online sources
- https://github.com/Neo23x0/munin
Plaso Filtering Cheat Sheet — This free resource will help you learn filtering tips and techniques when creating a forensics timeline with Plaso.
- https://digital-forensics.sans.org/media/Plaso-Cheat-Sheet.pdf?utm_medium=Social&utm_source=Twitter&utm_content=PALSO+VMR&utm_campaign=DFIR+CheatSheet
The only PowerShell Command you will ever need to find out who did what in Active Directory
- https://evotec.xyz/the-only-powershell-command-you-will-ever-need-to-find-out-who-did-what-in-active-directory/
Sean Metcalf (@PyroTek3): BSidesCharm talk “You Moved to Office 365, Now What?” slides & video posted. Key Microsoft Cloud (Azure AD & Office 365) security controls and recommendations.
- https://twitter.com/PyroTek3/status/1122482892175810560
OSINT-Search – Useful For Digital Forensics Investigations Or Initial Black-Box Pentest Footprinting
- https://amp.kitploit.com/2019/04/osint-search-useful-for-digital.html?amp=1
Spotlight: Threat Hunting YARA Rule Example
- https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Tony Lambert (@ForensicITGuy): Detecting msiexec.exe with http:// or https:// in the command line is a good medium-confidence hunt.
- https://twitter.com/ForensicITGuy/status/1123036746097274880?s=19
Malware sandbox detection and evasion
- https://medium.com/@guelfoweb/malware-sandbox-detection-and-evasion-97b3a441f2a3
Designing Peer-To-Peer Command and Control
- https://posts.specterops.io/designing-peer-to-peer-command-and-control-ad2c61740456
The Difference Between URLs, URIs, and URNs
- https://danielmiessler.com/study/url-uri/
Human Honeypots: I Make Friends (and So Should You)
- https://tisiphone.net/2019/05/03/human-honeypots-i-make-friends-and-so-should-you/amp/?__twitter_impression=true
EvtxECmd –n the first beta version of Eric Zimmerman’s Windows Event Log (evtx) parser.
- https://binaryforay.blogspot.com/2019/04/introducing-evtxecmd.html
Mastering NSA’s Ghidra Reverse Engineering Tool
- https://github.com/0xAlexei/INFILTRATE2019/blob/master/INFILTRATE%20Ghidra%20Slides.pdf

Threat Research – Malware, Phishing, and other Campaigns in the Wild

2019: The Return of Retefe
- https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe
Tech Support Scam Employs New Trick by Using Iframe to Freeze Browsers
- https://blog.trendmicro.com/trendlabs-security-intelligence/tech-support-scam-employs-new-trick-by-using-iframe-to-freeze-browsers/
A look at Stomped VBA code and the P-Code in a Word Document
- https://pcsxcetrasupport3.wordpress.com/2019/04/25/a-look-at-stomped-vba-code-and-the-p-code-in-a-word-document/amp/?__twitter_impression=true

Who’s phishing in your cloud? And, some suggestions for detecting it
- https://www.alienvault.com/blogs/labs-research/whos-phishing-in-your-cloud-and-some-suggestions-for-detecting-it
Sodinokibi ransomware exploits WebLogic Server vulnerability
- https://blog.talosintelligence.com/
Synthetic Identity Theft a Gateway to Business Fraud
- https://www.flashpoint-intel.com/blog/synthetic-identity-theft-a-gateway-to-business-fraud/
Quick Analysis of New Method for Spreading TrickBot
- https://www.fortinet.com/blog/threat-research/quick-analysis-new-method-spreading-trickbot.html
Muhstik Botnet Exploits the Latest WebLogic Vulnerability for Cryptomining and DDoS Attacks
- https://unit42.paloaltonetworks.com/muhstik-botnet-exploits-the-latest-weblogic-vulnerability-for-cryptomining-and-ddos-attacks/
Updated: This DDoS Attack Unleashed the Most Packets Per Second Ever. Here’s Why That’s Important.
- https://www.imperva.com/blog/this-ddos-attack-unleashed-the-most-packets-per-second-ever-heres-why-thats-important/
Emotet: Catch Me If You Can (Part 2 of 3)
- https://www.bromium.com/emotet-analysis-catch-me-if-you-can/
LockerGoga Ransomware Family Used in Targeted Attacks
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/lockergoga-ransomware-family-used-in-targeted-attacks/
Buhtrap backdoor and ransomware distributed via major advertising platform
- https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/
Dispelling Myths Around SGX Malware
- https://www.symantec.com/blogs/threat-intelligence/sgx-malware-explainer
2019-05-01 – MALSPAM WITH PASSWORD-PROTECTED WORD DOC PUSHES ICEDID
- http://www.malware-traffic-analysis.net/2019/05/01/index.html
Wipro Threat Actors Active Since 2015
- https://www.flashpoint-intel.com/blog/wipro-threat-actors-active-since-2015/
New phishing campaign purports to come from FBI Director Christopher Wray
- https://cyware.com/news/new-phishing-campaign-purports-to-come-from-fbi-director-christopher-wray-25169eb3
Not all Roads Lead to Magento: All Payment Platforms are Targets for Magecart
- https://www.riskiq.com/blog/labs/magecart-beyond-magento/
Qakbot levels up with new obfuscation techniques
- https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html
Reversing Gh0stRAT part 2: the DDOS-ening
- https://www.alienvault.com/blogs/labs-research/reversing-gh0strat-part-2-the-ddos-ening
APT34: Glimpse project
- https://marcoramilli.com/2019/05/02/apt34-glimpse-project/
Mirrorthief Group Uses Magecart Skimming Attack to Hit Hundreds of Campus Online Stores in US and Canada
- https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/
Cryptojacking in the post-Coinhive era
- https://blog.malwarebytes.com/cybercrime/2019/05/cryptojacking-in-the-post-coinhive-era/
A MYSTERIOUS HACKER GROUP IS ON A SUPPLY CHAIN HIJACKING SPREE
- https://www.wired.com/story/barium-supply-chain-hackers/
“MegaCortex” ransomware wants to be The One
- https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/
I know what you did last summer, MuddyWater blending in the crowd
- https://securelist.com/muddywaters-arsenal/90659/

Breaches, Government, and Law Enforcement

Email hackers steal $1.75 million from St. Ambrose Catholic Parish in Brunswick
- https://www.cleveland.com/crime/2019/04/email-hackers-steal-175-million-from-st-ambrose-catholic-parish-in-brunswick.html
- https://threatpost.com/bec-hack-cons-catholic-church/144212/
DHS Compels Federal Agencies to Remediate Critical Vulnerabliities for Internet-Accessible Systems within 15 days — Binding Operational Directive 19-02
- https://cyber.dhs.gov/bod/19-02/
Executive Order on America’s Cybersecurity Workforce
- https://www.whitehouse.gov/presidential-actions/executive-order-americas-cybersecurity-workforce/

Vulnerabilities and Exploits

WebLogic Update
- https://isc.sans.edu/diary.html?storyid=24890
Docker Hub Breach
- https://success.docker.com/article/docker-hub-user-notification
CVE-2019-3396: Vulnerability in Atlassian Confluence Widget Connector Exploited in the Wild
- https://www.tenable.com/blog/cve-2019-3396-vulnerability-in-atlassian-confluence-widget-connector-exploited-in-the-wild
Dell computers vulnerable to remote code exectution
- https://d4stiny.github.io/Remote-Code-Execution-on-most-Dell-computers/
Story of a Hundred Vulnerable Jenkins Plugins
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/may/story-of-a-hundred-vulnerable-jenkins-plugins/

Weekly News Roundup — April 28 to May 4