Weekly News Roundup — April 7 to 13

Summary

— Welcome to Security Soup’s continuing news coverage of highlights from the previous week. This list is not intended to be an exhaustive source, but simply a collection of items I found interesting throughout my weekly research. The summaries are provided with links for the reader to drill down into particular topics according to their own interests. Thank you to all of the contributors for this great content!

Industry News and Reports

• Introducing the security configuration framework: A prioritized guide to hardening Windows 10
  • https://www.microsoft.com/security/blog/2019/04/11/introducing-the-security-configuration-framework-a-prioritized-guide-to-hardening-windows-10/
• Group-IB Cybercrime Trends 2018 Report
  • https://www.group-ib.com/media/hi-tech-crime-trends-2018/
• Check Point: March 2019’s Most Wanted Malware: Cryptomining Still Dominates
  • https://blog.checkpoint.com/2019/04/09/march-2019s-most-wanted-malware-cryptomining-still-dominates-despite-coinhive-closure/
•  Akamai: 2019 State of the Internet / Security: Credential Stuffing: Attacks and Economies
  • https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/soti-security-credential-stuffing-attacks-and-economies-report-2019.pdf
• Implications of IT Ransomware for ICS Environments
  • https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/
• RiskIQ’s 2019 Tax Season Threat Roundup
  • https://www.riskiq.com/blog/external-threat-management/2019-tax-season-threat-roundup/
•  Rapid7 – Q4 Threat Report: Analyzing the Top 3 Advanced Threats and Detection Techniques
  • https://blog.rapid7.com/2019/04/08/q4-threat-report-analyzing-the-top-three-advanced-threats-and-detection-techniques/

Tools and Tips

• Blue + Red: An Infosec Purple Pyramid
  • https://isc.sans.edu/forums/diary/Blue+Red+An+Infosec+Purple+Pyramid/24830/
• Examining Different Approaches to Architecting Deception Technology
  • https://www.fidelissecurity.com/threatgeek/architecting-deception-technology
• GHidra vs. IDA
  • https://isc.sans.edu/forums/diary/A+few+Ghidra+tips+for+IDA+users+part+1+the+decompilerunreachable+code/24822/
• Advanced Windows Logging – Finding What AV Missed (Video by @IppSec)
  • https://mobile.twitter.com/ippsec/status/1114891503128731648?s=19
• Simple PowerShell WebServer To Host an HTA Payload
  • https://gist.github.com/caseysmithrc/2197d8b447cb963896914ee5cb8c8dd2
• Prediction of Adversarial Behavior: Exploring the quantitative characteristics of your adversary
  • https://medium.com/@magoo/prediction-of-adversarial-behavior-13d58e396
• Changes to Ticket-Granting Ticket (TGT) Delegation Across Trusts in Windows Server (AskPFEPlat edition)
  • https://blogs.technet.microsoft.com/askpfeplat/2019/04/11/changes-to-ticket-granting-ticket-tgt-delegation-across-trusts-in-windows-server-askpfeplat-edition/
• regrippy — a modern Python 3 alternative to RegRipper
  • https://github.com/airbus-cert/regrippy
• VirusTotal for Investigators (PDF)
  • https://storage.googleapis.com/vt-gtm-wp-media/virustotal-for-investigators.pdf
• Searching for Malware Samples
  • https://maxkersten.nl/binary-analysis-course/obtaining-samples/searching-samples/
• Exploiting PrivExchange
  • https://chryzsh.github.io/exploiting-privexchange/
• Case Study: Password Analysis with BloodHound
  • https://posts.specterops.io/case-study-password-analysis-with-bloodhound-a3d264736c7
• Here Be Dragons: Reverse Engineering with Ghidra – Part 0 [Main Windows & CrackMe]
  • https://www.shogunlab.com/blog/2019/04/12/here-be-dragons-ghidra-0.html
• OSINT- Information Gathering
  • https://leplat.pro/osint.html

Threat Research – Malware, Phishing, and other campaigns in the wild

• Carbon Black Threat Intelligence Notification: Hunting APT28 Downloaders
  • https://www.carbonblack.com/2019/04/05/cb-threat-intelligence-notification-hunting-apt28-downloaders/
• Mirai Variant Compiled for New Processors Seen in the Wild
  • https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/
• Spammed PNG file hides LokiBot
  • https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spammed-png-file-hides-lokibot/
• Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware
  • https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
• ServHelper malware variant employs Excel to drop signed payload
  • https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/
• Who is GOSSIPGIRL? — Chronicle looks at stuxnet-related threat groups
  • https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0
• Baldr: a new stealer on the market
  • https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/
• Researchers Uncover New Version of the Infamous Flame Malware
  • https://www.schneier.com/blog/archives/2019/04/new_version_of_.html
  • https://motherboard.vice.com/en_us/article/d3maw7/researchers-uncover-new-version-of-the-infamous-flame-malware
• Credential Dumping Campaign Hits Multinational Corporations
  • https://securityintelligence.com/credential-dumping-campaign-hits-multinational-corporations/
• Project TajMahal – a sophisticated new APT framework
  • https://securelist.com/project-tajmahal/90240/
• Gaza Cybergang Group1 Levearages Pastebin and Github for Staging
  • https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/
• TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping
  • https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html
• EMOTET spread in Chile impacted hundreds of users and targeted financial/banking services
  • https://seguranca-informatica.pt/si-lab-emotet-spread-in-chile-impacted-hundreds-of-users-and-targeted-financial-and-banking-services/#.XLH8XZNKiu4
•  US-CERT Notification on North Korean-linked HOPLIGHT malware
  • https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
• New Spear Phishing Campaign Operated by the MuddyWater Group
  • https://heimdalsecurity.com/blog/security-alert-muddywater-group-phishing-campaign/
• Analysis of a targeted attack exploiting the WinRar CVE-2018-20250 vulnerability
  • https://www.microsoft.com/security/blog/2019/04/10/analysis-of-a-targeted-attack-exploiting-the-winrar-cve-2018-20250-vulnerability/
• Sextortion profits decline despite higher volume, new techniques
  • https://blog.talosintelligence.com/2019/04/sextortion-update.html
• Looking Into Anatova Ransomware
  • https://www.fortinet.com/blog/threat-research/looking-into-anatova-ransomware.html
• Malware Debugs Itself to Prevent Analysis
  • https://www.bromium.com/malware-debugs-itself-prevent-analysis/
• When You Unsubcribe to these Emails, You ‘Subscribe’ to the Loda RAT
  • https://cofense.com/unsubcribe-emails-subscribe-loda-rat-2/
• Miner Malware Spreads Beyond China, Uses Multiple Propagation Methods Including EternalBlue, Powershell Abuse
  • https://blog.trendmicro.com/trendlabs-security-intelligence/miner-malware-spreads-beyond-china-uses-multiple-propagation-methods-including-eternalblue-powershell-abuse/
• Talos Threat Roundup for April 5 to April 12
  • https://blog.talosintelligence.com/2019/04/threat-roundup-0405-0412.html
• The Ping is the Thing: Popular HTML5 Feature Used to Trick Chinese Mobile Users into Joining Latest DDoS Attack
  • https://www.imperva.com/blog/the-ping-is-the-thing-popular-html5-feature-used-to-trick-chinese-mobile-users-into-joining-latest-ddos-attack/
• Finding Weaknesses Before the Attackers Do
  • https://www.fireeye.com/blog/threat-research/2019/04/finding-weaknesses-before-the-attackers-do.html
• Sqlrat analysis
  • https://neil-fox.github.io/SQLrat-Analysis/
• Emotet scales use of stolen email content for context-aware phishing
  • https://www.kryptoslogic.com/blog/2019/04/emotet-scales-use-of-stolen-email-content-for-context-aware-phishing/

Vulnerabilities and Exploits

• Circumventing Windows Defender ATP’s user-mode APC Injection sensor from Kernel-mode
  • http://rce4fun.blogspot.com/2019/04/circumventing-windows-defender-atps.html
•  SQL Injection in Advance Contact Form 7 DB
  • https://blog.sucuri.net/2019/04/sql-injection-in-advance-contact-form-7-db.html
• Dragonblood: A Security Analysis of WPA3’s SAE Handshake
  • http://papers.mathyvanhoef.com/dragonblood.pdf
• CVE-2019-0227: Expired Domain to Remote Code Execution in Apache Axis
  • https://rhinosecuritylabs.com/application-security/cve-2019-0227-expired-domain-rce-apache-axis/
• POC – CARPE (DIEM): CVE-2019-0211 Apache Root Privilege Escalation
  • https://github.com/cfreal/exploits/tree/master/CVE-2019-0211-apache
• Virtually Unlimited Memory: Escaping the Chrome Sandbox
  • https://googleprojectzero.blogspot.com/2019/04/virtually-unlimited-memory-escaping.html?m=1

Breaches, Government, and Law Enforcement

• Impact of Iran Terrorist Designation for Multinational Orgs
  • https://www.recordedfuture.com/irgc-terrorist-designation/
• Yahoo strikes $117.5 million data breach settlement
  • https://www.reuters.com/article/us-verizon-yahoo/yahoo-in-new-1175-million-data-breach-settlement-after-earlier-accord-rejected-idUSKCN1RL1H1
• U.S. Cyber Resiliency Act introduced to Fund Defense for State and Local Governments
  • https://www.nextgov.com/cybersecurity/2019/04/lawmakers-want-fund-cyber-upgrades-state-and-local-governments/156196/
• Space ISAC plans to elevate the industry’s awareness of cyberthreats
  • https://www.cyberscoop.com/space-isac-ncc-kratos/
•  WikiLeaks Founder Julian Assange Arrested After Ecuador Withdraws Asylum
  • https://thehackernews.com/2019/04/wikileaks-julian-assange-arrested.html