Hello and welcome to Sec Soup, where the weekly newsletter has a collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is not vetted nor intended to be an exhaustive source. Keeping up with the enormous volume of security-related information is a daunting task, but this is my way of filtering the most useful items and improving the signal to noise ratio. Happy Reading!
Industry Reports, News, and Miscellany
- CIS: Top 10 Malware July 2021
- Zscaler: Fake Streaming & Adware Target Olympics 2020
- Recorded Future: The Business of Fraud: SIM Swapping
- Fortinet: FortiGuard Labs Threat Landscape Report Highlights Tenfold Increase in Ransomware
- PhishLabs: The Most Prevalent Threats to Corporate Inboxes
- Digital Shadows: How Cybercriminals Weaponize Social Media
- Trend Micro: APT41 Resurfaces as Earth Baku With New Cyberespionage Campaign
- Trend Micro: Linux Threat Report H1′ 2021: Key Security Takeaways
- InfoSecSherpa: News Roundup for Friday, August 27, 2021
- Bleeping Computer: Ransomware gang’s script shows exactly the files they’re after
- NPR: Data Stolen in Microsoft Exchange Hack May Have Helped Feed China’s AI Project
Threat Research
- Proofpoint: As Delta Variant Spreads, COVID-19 Themes Make Resurgence In Email Threats
- PAN Unit42: Emerging Ransomware Groups: AvosLocker, Hive, HelloKitty, LockBit 2.0
- PAN Unit42: Worldwide Phishing Attacks Ramped Up At the Peak of Working From Home
- RiskIQ: RiskIQ Analysis Links EITest and Gootloader Campaigns, Once Thought to Be Disparate
- ESET: The SideWalk may be as dangerous as the CROSSWALK
- Kaspersky: Triada Trojan in WhatsApp mod
- Cybereason: Cybereason vs. LockBit2.0 Ransomware
- Blackberry: Threat Thursday: PrintNightmare on Elm Street with Magniber Ransomware
- SentinelLabs: Hive Attacks | Analysis of the Human-Operated Ransomware Targeting Healthcare
- Bitdefender: FIN8 Threat Actor Spotted Once Again with New “Sardonic” Backdoor
- NVISO Labs: Credential harvesting and automated validation: a case study
- Bushido Token: Summer of Scammers: PancakeSwap cryptocurrency thieves
- Trend Micro: New Campaign Sees LokiBot Delivered Via Multiple Methods
- Intel471: ShinyHunters: Here’s how to stop the new hacking group
- Microsoft: Widespread credential phishing campaign abuses open redirector links
- Active Countermeasures: Malware of the Day – EvilOSX
- DarkOwl: Analysis of E-mail Domain Preferences by Ransomware Operators
- Volexity: North Korean BLUELIGHT Special: InkySquid Deploys RokRAT
Tools and Tips
- CrowdStrike: Shut the Door: Guarding Against SonicWall GMS Remote Code Execution (CVE-2021-20020)
- SpecterOps: AWS ReadOnlyAccess: Not Even Once
- Netskope: A Real-World Look at AWS Best Practices: Storage
- IBM: How to Protect Yourself From a Server-Side Template Injection Attack
- Red Canary: Incident response planning: When to call in the lawyers
- Binary Defense: Mimicking Human Activity using Selenium and Python
- AhmedS Kasmani: Malware Analysis of Hancitor maldoc and initial Dlls
- Nasreddine Bencherchali: Finding Detection and Forensic Goodness In ETW Providers
- Mehmet Ergene: An Alternative Way of Using MITRE ATT&CK® for Threat Hunting and Detection
- Microsoft: How to proactively defend against Mozi IoT botnet
- Atomic Matryoshka: Pesky Persistence: How “Tuning it Off and On Again” May Not Solve Your Problem
- Huntress: PROXYSHELL VS. PROXYLOGON: WHAT’S THE DIFFERENCE?
- Huntress: BULLSEYE: A STORY OF A TARGETED CYBERATTACK
- Michael Koczwara: Conti TTP’s using Atomic Red Team and Detection Lab & C2 Infrastructure Hunting
- Sucuri: 7 Ways to Secure Magento 1
- aboutDFIR: SOF-ELK and Integration with KAPE
- SANS: EZ Tools
- Kroll: Diving Deeper into EventTranscript.db
- The Binary Hick: Wipeout! Detecting Android Factory Resets
- ThreatPost: Effective Threat-Hunting Queries in a Redacted World
- SANS: Keynote: Cobalt Strike Threat Hunting
- SubCrawl: SubCrawl is designed to find, scan and analyze open directories
- Pawel Rzepa: AWS privilege escalation: exploring odd features of the Trust Policy
- MDM&GP: The Ultimate Guide to PrintNightmare (and overcoming it)
- MITRE: Connecting VERIS and MITRE ATT&CK®
- SecurityLiterate: MALWARE ANALYSIS IN 5 MINUTES: IDENTIFYING EVASION AND GUARDRAIL TECHNIQUES WITH CAPA
- imp0rtp3: Yara Based Detection for web browsers
- mxm0z: Awesome Intelligence Writing
Breaches, Government, and Law Enforcement
- The White House: FACT SHEET: Biden Administration and Private Sector Leaders Announce Ambitious Initiatives to Bolster the Nation’s Cybersecurity
- ZDNet: T-Mobile hack: Everything you need to know
- T-Mobile: The Cyberattack Against T‑Mobile and Our Customers: What happened, and what we are doing about it
- JDSupra: Highlights of China’s Recently Adopted Personal Information Protection Law China
- The Record: FBI sends its first-ever alert about a ‘ransomware affiliate’
- UpGuard: By Design: How Default Permissions on Microsoft Power Apps Exposed Millions
- Bleeping Computer: Ragnarok ransomware releases master decryptor after shutdown
- Lawfare: The Apple Client-Side Scanning System
- WIZ: ChaosDB: How we hacked thousands of Azure customers’ databases
Vulnerabilities and Exploits
- CrowdStrike: NTLM Keeps Haunting Microsoft
- The Citizen Lab: From Pearl to Pegasus: Bahraini Government Hacks Activists with NSO Group Zero-Click iPhone Exploits
- CISA: Vulnerability Summary for the Week of August 16, 2021
- CISA: Microsoft Azure Cosmos DB Guidance
- Bleeping Computer: Synology: Multiple products impacted by OpenSSL RCE vulnerability
- CyberArk: Fuzzing RDP: Holding the Stick at Both Ends
- Juniper Networks: RealTek CVE-2021-35394 Exploited in the Wild
- Microsoft: Update on the vulnerability in the Azure Cosmos DB Jupyter Notebook Feature
- Microsoft: ProxyShell vulnerabilities and your Exchange Server
- Tevora: Certified Pre-Owned ADCS and PetitPotam: Executing the Full Attack Chain with Windows and Linux
1 comment / Add your comment below