Hello and welcome to Sec Soup, where the weekly newsletter has a collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is neither vetted nor intended to be an exhaustive source. Keeping up with the enormous volume of security-related information is a daunting task, but this is my way of filtering the most useful items and improving the signal-to-noise ratio. Happy Reading!
Industry Reports, News, and Miscellany
- Flashpoint: Possible Master Key for REvil Posted on Github
- Fortinet: The Affiliate’s Cookbook – A Firsthand Peek into the Operations and Tradecraft of Conti
- Kaspersky: IT threat evolution Q2 2021
- Cisco Talos: Talos Incident Response quarterly threat report — The top malware families and TTPs used in Q2 2021
- Expel: Top Attack Vectors: July 2021
- Digital Shadows: The (Nation) State of APTs in 2021
- BushidoToken: The Lazarus Heist: Where Are They Now?
- WIZ: Black Hat 2021: DNS loophole makes nation-state level spying as easy as registering a domain
- SecureWorks: Ransomware Evolution
- Lawfare: Cost Imposition Is the Point: Understanding U.S. Cyber Operations and the Strategy Behind Achieving Effects
Threat Research
- Netskope: New Phishing Attacks Exploiting OAuth Authentication Flows (Part 3)
- CrowdStrike: Magniber Ransomware Caught Using PrintNightmare Vulnerability
- FireEye: UNC215: Spotlight on a Chinese Espionage Campaign in Israel
- Cisco Talos: Vice Society Leverages PrintNightmare In Ransomware Attacks
- Cisco Talos: Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT
- Microsoft: Attackers use Morse code, other encryption methods in evasive phishing campaign
- Symantec: Affiliates Unlocked: Gangs Switch Between Different Ransomware Families
- RiskIQ: Magecart Group 8: Patterns in Hosting Reveal Sustained Attacks on E-Commerce
- ESET: IISerpent: Malware‑driven SEO fraud as a service
- SANS ISC: Example of Danabot distributed through malspam
- SANS ISC: TA551 (Shathak) continues pushing BazarLoader, infections lead to Cobalt Strike
- Blackberry: Threat Thursday: Ficker Infostealer Malware
- Sentinel Labs: Massive New AdLoad Campaign Goes Entirely Undetected By Apple’s XProtect
- PAN Unit42: Discovering CAPTCHA Protected Phishing Campaigns
- Active Countermeasures: Malware of the Day – Malware Techniques: Discovery and Information Gathering
- Uptycs: Cryptominer ELFs Using MSR to Boost Mining Process
- Michael Koczwara: Conti Ransomware Group Cobalt Strike C2 Analysis & RDP Persistence (Anydesk, Atera, Splash)
- imp0rtp3: Uncovering Tetris – a Full Surveillance Kit Running in your Browser
Tools and Tips
- CrowdStrike: Keep Your Tools Patched: Preventing Remote Code Execution with Falcon Complete
- FireEye: Announcing the Eighth Annual Flare-On Challenge
- Dragos: 5 Costly Mistakes in Cyber Incident Response Preparation
- Red Canary: Five ways to reduce SOC analyst burnout for good
- PhishLabs: OSINT: How Usernames Unlock Investigations
- Intezer: Guide to Digital Forensics Incident Response in the Cloud
- F-Secure: Playing with PuTTY
- Rapid7: A New Tool for Physical Security Testing
- The Record: CobaltSpam tool can flood Cobalt Strike malware servers
- CISA/NSA: CISA and NSA Release Kubernetes Hardening Guidance
- Michael Koczwara: Cobalt Strike Hunting — Malleable C2 jQuery profile & rundll32 Analysis
- CISA: Cybersecurity Workforce Training Guide
- CCob: CCob/BeaconEye: Hunts out CobaltStrike beacons and logs operator command output
- The Record: Security tools showcased at Black Hat USA 2021
- Infosec Write-ups: Active Directory penetration testing cheatsheet
- NZ-CERT: How ransomware happens and how to stop it
- Synthesis: Automated Detection of Obfuscated Code
- IntelTechniques: Sherloq: An Open Source Image Forensic Toolset
- Ophir Harpaz: RE for Beginners | Reverse Engineering
- Didier Stevens: dnsresolver.py: Videos For Each Command
- BlackPerl: Threat Intelligence Tools, Automate Intelligence Gathering, Twitter & Power Automate
Breaches, Government, and Law Enforcement
- Europol: Unmasked: 23 charged over COVID-19 business email compromise fraud
- Malwarebytes: Thief pulls off colossal, $600m crypto-robbery …and gives the money back
- ThreatPost: Accenture Confirms LockBit Ransomware Attack
- The Hill: Senate includes over $1.9 billion for cybersecurity in infrastructure bill
- Krebs: New Anti Anti-Money Laundering Services for Crooks
Vulnerabilities and Exploits
- CrowdStrike: August 2021 Patch Tuesday: Updates and Analysis
- Microsoft: Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-36958
- SANS ISC: Microsoft August 2021 Patch Tuesday
- SANS ISC: ProxyShell – how many Exchange servers are affected and where are they?
- CISA: Vulnerability Summary for the Week of August 2, 2021
- Tenable: CVE-2021-1609: Critical Remote Code Execution Vulnerability in Cisco Small Business VPN Routers