A collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is neither vetted nor intended to be an exhaustive source. Keeping up with the enormous volume of security-related information is a daunting task, but this is my way of filtering the most useful items and improving the signal-to-noise ratio. Happy Reading!
Industry Reports, News, and Miscellany
- APT review: what the world’s threat actors got up to in 2019
- Interactive Microsoft Security Intelligence Report Dashboard: https://www.microsoft.com/securityinsights/
- Microsoft Security Intelligence Report Volume 24 (registration required)
- Spear phishing campaigns—they’re sharper than you think
- The “Great Cannon” has been deployed again
- End-of-Support Software Report List
- Industrial Cyber Attacks: A Humanitarian Crisis in the Making
- Detection déjà vu: a tale of two incident response engagements
- Incident Response Casefile – A successful BEC leveraging lookalike domains
- Forums are Forever – Part 1: Cybercrime Never Dies
- Misconceptions: Unrestricted Release of Offensive Security Tools
- Challenging Your Forensic Readiness with an Application-Level Ransomware Attack
- Emotet’s Central Position in the Malware Ecosystem
Threat Research – Malware, Phishing, and other Campaigns in the Wild
- Buer, a new loader emerges in the underground marketplace
- Meet PyXie: A Nefarious New Python RAT
- Another Fake Google Domain: fonts.googlesapi.com
- A Big Day for Phishing
- New version of IcedID Trojan uses steganographic payloads
- Obfuscation Tools Found in the Capesand Exploit Kit Possibly Used in “KurdishCoder” Campaign
- Phishing with a self-contained credentials-stealing webpage
- Analysis of LooCipher, a New Ransomware Family Observed This Year
- Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774)
- Malware creators trying to avoid detection. Spy.GmFUToMitm as an example
- Malware analysis – varenyky
- Threat Actor Targeting Hong Kong Pro-Democracy Figures
- Lazarus Group Goes ‘Fileless’: an implant w/ remote download & in-memory execution
- TrickBot Widens Infection Campaigns in Japan Ahead of Holiday Season
- APT28 Attacks Evolution
Tools and Tips
- Attacking FreeIPA — Part II Enumeration
- Dissecting Tor Bridges and Pluggable Transport – Part I: Finding the Built-in Tor Bridges and How Tor Browser Works
- Dissecting Tor Bridges and Pluggable Transport – Part II: How Obfs4 Bridges Defeats Censorship
- ClamAV team shows off new Mussels dependency build automation tool
- Tracking Malware Campaigns Using String Metrics
- Excelerating Analysis – Tips and Tricks to Analyze Data with Microsoft Excel
- Getting a Grasp on GoogleID’s
- How to Use OODA Loop in Your Incident Response Process in 2020
- A Threat Intelligence Analyst’s Guide to Today’s Sources of Bias
- AWS Traffic Mirroring
- Forensics traces of NTDS.dit dumping using ntdsutil utility
- Advanced Powershell Hunting with the Splunk Decrypt App
- Pypykatz: Mimikatz implementation in pure Python
- What’s new in Volatility 3?
- Use Sysmon DNS data for incident response
- WEASEL: A Stealthy DNS Beacon
- Awesome TheHive: A curated list of awesome things related to TheHive & Cortex
- NTLMRecon: A fast NTLM reconnaissance tool without external dependencies.
Breaches, Government, and Law Enforcement
- Ransomware attack hits major US data center provider
- Auto industry in the sights of hackers: BMW spied out
- US charges two members of the Dridex malware gang
- Spying tools website taken down after UK raids
- Hackers Trick Venture Capital Firm Into Sending Them $1 Million
- Freedom Fighter or Fool? Jury’s Out on Arrested Ethereum Developer Virgil Griffith
- Health Data Breaches: 3 Lessons Learned
- N.J.’s largest health network was hit with major computer disruptions. Officials won’t say if it was ransomware.
Vulnerabilities and Exploits
- US-CERT Bulletin (SB19-336): Vulnerability Summary for the Week of November 25, 2019
- Multiple Vulnerabilities in Mozilla Firefox Could Allow for Arbitrary Code Execution
- Multiple Vulnerabilities in Google Android OS Could Allow for Arbitrary Code Execution
- New vulnerability lets attackers sniff or hijack VPN connections
- CVE-2019-1429: (Another) Microsoft Internet Explorer 0-Day
- Severe Auth Bypass and Priv-Esc Vulnerabilities Disclosed in OpenBSD