Hello and welcome to Sec Soup, the weekly newsletter with a collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is neither vetted nor intended to be an exhaustive source. Keeping up with the enormous volume of security-related information is a daunting task, but this is my way of filtering out the most useful items and improving the signal-to-noise ratio. Happy Reading!
Industry Reports, News, and Miscellany
- Check Point: Brand Phishing Report – Q4 2020
- Project Zero: Introducing the In-the-Wild Series
- RiskIQ: New Analysis Puts Magecart Interconnectivity into Focus
- Recorded Future: Adversary Infrastructure Report 2020: A Defender’s View
- Proofpoint: Attackers Use COVID-19 Vaccine Lures to Spread Malware, Phishing and BEC
- McAfee: A Year in Review: Threat Landscape for 2020
- Objective-See: The Mac Malware of 2020 👾 a comprehensive analysis of the year’s new malware
Threat Research
- CrowdStrike: SUNSPOT Malware: A Technical Analysis
- Netskope: You Can Run, But You Can’t Hide: Advanced Emotet Updates
- Sucuri: Real-Time Phishing Kit Targets Brazilian Central Bank
- zscaler: New Phishing trends and Evasion techniques
- eset: Operation Spalax: Targeted malware attacks in Colombia
- Fortinet: New Variant of Ursnif Continuously Targeting Italy
- Kaspersky: Sunburst backdoor – code overlaps with Kazuar
- Malwarebytes: Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat
- Symantec: SolarWinds: Insights into Attacker Command and Control Process
- Check Point: Going Rogue- a Mastermind behind Android Malware Returns with a New RAT
- Cisco Talos: A Deep Dive into Lokibot Infection Chain
- Cybereason: Cybereason vs. Conti Ransomware
- Objective-See: Discharging ElectroRAT – Analyzing the first (macOS) malware of 2021
- Bitdefender: Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign
- Palo Alto Networks Unit 42: TA551: Email Attack Campaign Switches from Valak to IcedID
- Positive Technologies: Higaisa or Winnti? APT41 backdoors, old and new
- DFIR Report: Trickbot Still Alive and Well
- BushidoToken: Analysis of the NetWire RAT campaign
- Trend Micro: Expanding Range and Improving Speed: A RansomExx Approach
- Walmart Global Tech: MAN1, Moskal, Hancitor and a side of Ransomware
Tools and Tips
- The Linux Foundation: Preventing Supply Chain Attacks like SolarWinds
- Dragos: Self-Reflection Time: The OSINT Collection Risk Framework
- SANS: How You Can Start Learning Malware Analysis
- SANS ISC: Obfuscated DNS Queries
- SANS ISC: Dynamically analyzing a heavily obfuscated Excel 4 macro malicious file
- red canary: Hunting for GetSystem commands in offensive security tools
- CISA: Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services
- CISA: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments
- Sentinel One: Building a Custom Malware Analysis Lab Environment – SentinelLabs
- Open Source DFIR: Container Forensics with Docker Explorer
- Falcon Force: Sysmon 13 — Process tampering detection
- Matt Fuller: How to Enable Logging on Every AWS Service in Existence (Circa 2021)
- Mena Sec: How to Design Abnormal Child Processes Rules without Telemetry
- hatching.io: Powershell Static Analysis & Emotet results
- 0xC0DECAFE: The malware analyst’s guide to aPLib decompression
- Marco Ramilli: C2 Traffic Patterns: Personal Notes
- Didier Stevens: Decrypting TLS Streams with Wireshark – Part 3
- Chiheb Chebbi: Blue Teaming Training 2020
- Max Kersten: Analysing scripts
Breaches, Government, and Law Enforcement
- Flashpoint: Joker’s Stash Shutting Down—for Good This Time
- Mimecast: Important Update from Mimecast
- ZDNet: Ubiquiti tells customers to change passwords after security breach
- CyberNews: Parler Hack – 70TB users’ data leaked by security researchers
- Reuters: Exclusive: FBI probes Russian-linked postcard sent to FireEye CEO after cybersecurity firm uncovered hack
- NSA: NSA Recommends How Enterprises Can Securely Adopt Encrypted DNS
Vulnerabilities and Exploits
- SpecterOps: Local Privilege Escalation in VMware vRealize Automation (vRA) Guest Agent Service
- SANS ISC: Microsoft January 2021 Patch Tuesday
- CISA: Vulnerability Summary for the Week of January 4, 2021
- Microsoft: Netlogon Domain Controller Enforcement Mode is enabled by default beginning with the February 9, 2021 Security Update, related to CVE-2020-1472