Hello and welcome to Sec Soup, where the weekly newsletter has a collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is not vetted nor intended to be an exhaustive source. Keeping up with the enormous volume of security-related information is a daunting task, but this is my way of filtering the most useful items and improving the signal-to-noise ratio. Happy Reading!
Industry Reports, News, and Miscellany
- Netskope: Cloud and Threat Report: Let’s Get Personal (Instances)
- Agari: Big Email Concern: IC3 Report Confirms that BEC is Still a Problem
- HP: Nation States, Cyberconflict and the Web of Profit Report
- Recorded Future: Lockdown Saw Rise in Wine Domains and Wine Scammers
- CISA: Malicious Cyber Activity Targeting Critical SAP Applications
- McAfee: McAfee ATR Threat Report: A Quick Primer on Cuba Ransomware
- Bleeping Computer: The Week in Ransomware – April 9th 2021 – Massive ransom demands
Threat Research
- CrowdStrike: Adversary Quest: 4 SPACE JACKAL Hacktivist Challenges
- Kaspersky: Vulnerability in Fortigate VPN servers is exploited in Cring ransomware attacks
- Kaspersky: The leap of a Cycldek-related threat actor
- Eset: Janeleiro, the time traveler: A new old banking trojan in Brazil
- Eset: (Are you) afreight of the dark? Watch out for Vyveva, new Lazarus backdoor
- RiskIQ: Yanbian Gang Malware Continues with Wide-Scale Distribution and C2
- Recorded Future: Cybercriminals Exploit Human Nature Through Phishing and Spam Attacks
- Malwarebytes: A deep dive into Saint Bot, a new downloader
- Checkpoint: Iran’s APT34 Returns with an Updated Arsenal
- Intezer: Rocke Group Actively Targeting the Cloud: Wants Your SSH Keys
- Trustwave: HTML Lego: Hidden Phishing at Free JavaScript Site
- Bushido Token: Dead Drop Resolvers – Espionage Inspired C&C Communication
- Trend Micro: Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware
- Intel471: EtterSilent: the underground’s new favorite maldoc builder
- Domain Tools: COVID-19 Phishing With a Side of Cobalt Strike
- Walmart: TrickBot Crews New CobaltStrike Loader
- Microsoft: Investigating a unique “form” of email delivery for IcedID malware
- Uptycs: IcedID campaign spotted being spiced with Excel 4 Macros
- aaqeel01: IcedID Analysis – Malware Analysis
Tools and Tips
- Specter Ops: Man in the Terminal. Application Proxy
- CrowdStrike: How to Harden Your Cloud Against SMTP Abuse
- SANS: NEW ENTERPRISE CLOUD FORENSICS & INCIDENT RESPONSE COURSE IN BETA JUNE 2021
- SANS ISC: Video: YARA and CyberChef
- Blackberry: Malware Analysis with Dynamic Binary Instrumentation Frameworks
- Digital Shadows: Applying MITRE ATT&CK to your CTI Program
- Cyberark: Kubesploit: A New Offensive Tool for Testing Containerized Environments
- Palo Unit42: Wireshark Tutorial: Identifying Hancitor, Followup Malware
- F-Secure: Detecting Exposed Cobalt Strike DNS Redirectors
- The Cyber Sector: [0x04] Foundat1ons – 0100 – Operations Security_
- Wagga40: Zircolite: Battle-tested, standalone and fast SIGMA-based detection tool for EVTX or JSON
- AhmedS Kasmani (Video): Malware Analysis: IcedID Banking Trojan JavaScript Dropper
Breaches, Government, and Law Enforcement
- US DOC: Commerce Adds Seven Chinese Supercomputing Entities to Entity List for their Support to China’s Military Modernization, and Other Destabilizing Efforts
- CNN: Hunting the hunters: How Russian hackers targeted US cyber first responders in SolarWinds breach
- Vice: Feds Indict Kansas Man for Allegedly Hacking Into Water Supply
- Krebs: Ubiquiti All But Confirms Breach Response Iniquity
- Bleeping Computer: FBI arrests man for plan to kill “70% of Internet” in AWS bomb attack
- Threatpost: Data from 500M LinkedIn Users Posted for Sale Online
Vulnerabilities and Exploits
- CIS: Multiple Vulnerabilities in Cisco RV Series Routers Could Allow for Arbitrary Code Execution
- CIS: Multiple Vulnerabilities in Cisco SD-WAN vManage Software Could Allow for Arbitrary Code Execution
- Malwarebytes: Zoom zero-day discovery makes calls safer, hackers $200,000 richer
- CISA: Vulnerability Summary for the Week of March 29, 2021
- Sentinel Labs: Adventures From UEFI Land: the Hunt For the S3 Boot Script
- Juniper Networks: CVE-2021-21972 VMware vCenter Unauthorized Remote Code Execution
- Threatpost: Critical Cloud Bug in VMWare Carbon Black Allows Takeover