Hello and welcome to Sec Soup, where the weekly newsletter has a collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is neither vetted nor intended to be an exhaustive source. Keeping up with the enormous volume of security-related information is a daunting task, but this is my way of filtering the most useful items and improving the signal-to-noise ratio. Happy Reading!
Industry Reports, News, and Miscellany
- Netskope: Threat Labs Report – December 2021
- Microsoft: Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability — Update
- Microsoft: Destructive malware targeting Ukrainian organizations
- Recorded Future: 2021 Adversary Infrastructure Report
- Symantec: The Threat Landscape in 2021
- Cisco Talos: Talos Incident Response year-in-review for 2021
- Phish Labs: Qbot, ZLoader Represent 89% of Payload Volume in Q4
- Digital Shadows: Ransomware Q4 Overview
- Binary Defense: 2022: Expect The Unexpected As Cyberattacks Continue To Target Organizations
- PAN Unit42: Threat Brief: Ongoing Russia and Ukraine Cyber Conflict
- InfoSecSherpa: InfoSecSherpa’s News Roundup for Friday, January 21, 2022
Threat Research
- CrowdStrike: Technical Analysis of the WhisperGate Malicious Bootloader
- Mandiant: One Source to Rule Them All: Chasing AVADDON Ransomware
- FBI (PDF): Indicators of Compromise Associated with Diavol Ransomware
- Kaspersky: MoonBounce: the dark side of UEFI firmware
- Kaspersky: Campaigns abusing corporate trusted infrastructure hunt for corporate credentials on ICS networks
- Zscaler: Analysis of Xloader’s C2 Network Encryption
- Zscaler: New espionage attack by Molerats APT targeting users in the Middle East
- Flashpoint: MuddyWater: Who’s Behind the Iranian Cyber Threat Actor Group?
- ESET: DoNot Go! Do not respawn!
- Fortinet: New STRRAT RAT Phishing Campaign
- Cisco Talos: Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation
- INKY: Fresh Phish: Phishers Lure Victims with Fake Invites to Bid on Nonexistent Federal Projects
- SANS ISC: Mixed VBA & Excel4 Macro In a Targeted Excel Sheet
- SANS ISC: 0.0.0.0 in Emotet Spambot Traffic
- Trend Micro: Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware
- Blackberry: Threat Thursday: Purple Fox Rootkit
- Blackberry: Kraken the Code on Prometheus
- SecureWorks: Disruptive Attacks in Ukraine Likely Linked to Escalating Tensions
- SentinelOne: BlackCat Ransomware | Highly-Configurable, Rust-Driven RaaS On The Prowl For Victims
- Sucuri: AccessPress Themes Hit With Targeted Supply Chain Attack
- Morphisec: Log4j Exploit Hits Again: Vulnerable VMWare Horizon Servers at Risk
- BushidoToken: Tracking A Renewable Energy Intelligence Gathering Campaign
- Trend Micro: Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Techniques
- S2W Blog: Analysis of Destructive Malware (WhisperGate) targeting Ukraine
- TrueSec: State-Sponsored Cyber Attacks Against Ukraine
Tools and Tips
- Mandiant: Anticipating Cyber Threats as the Ukraine Crisis Escalates
- Robert M. Lee: Structuring Cyber Threat Intelligence Assessments: Musings and Recommendations
- RiskIQ: Jupyter Notebooks Make RiskIQ Data a Digital ‘Mech Suit’ for Threat Intelligence Analysts
- Intezer: Make your First Malware Honeypot in Under 20 Minutes
- G DATA: Malware vaccines can prevent pandemics, yet are rarely used
- Microsoft: Excel 4.0 (XLM) macros now restricted by default for customer protection
- BleepingComputer: CISA urges US orgs to prepare for data-wiping cyberattacks
- VMware: Defending from Within
- Trend Micro: Codex Exposed: Task Automation and Response Consistency
- Atomic Matryoshka: Malware Headliners: Emotet
- TrustedSec: WMI for Script Kiddies
- DFIRScience: Software supply chain and vulnerability assessment with syft and grype
- DMFR Security: 100 Days of YARA – Day 31: PDB Paths
- Forensic IT Guy: Extracting Payloads from Excel-DNA XLL Add-Ins
- Splunk: Detecting Malware Script Loaders using Remcos: Threat Research Release December 2021
- seanmcfeely: ThreatFox API Python library and CLI tool for interacting with the ThreatFox API
- Rapid7: Active Exploitation of VMware Horizon Servers
Breaches, Government, and Law Enforcement
- Trustwave: Dark Web Recon: Cybercriminals Fear More Law Enforcement Action in the Wake of the REvil Takedown
- US DOJ: US Citizen Charged with Conspiring to Provide Electronic Equipment and Technology to the Government of Iran
- US DOT: Treasury Sanctions Russian-Backed Actors Responsible for Destabilization Activities in Ukraine
- The White House: Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems
- Europol: Unhappy New Year for cybercriminals as VPNLab.net goes offline
- Recorded Future: People’s Liberation Army in the South China Sea: An Organizational Guide
- Krebs: Crime Shop Sells Hacked Logins to Other Crime Shops
- Threatpost: Merck Awarded $1.4B Insurance Payout over NotPetya Attack
- PAN Unit42: Operation Falcon II: Unit 42 Helps INTERPOL Stop SilverTerrier BEC Actors
- The Record: Nigerian police arrest members of SilverTerrier BEC gang
- Lawfare: Insurers Stake Out Their Ground for Covering State Cyber Attacks
- Data Breach Today: EU Plans to Build Its Own DNS Infrastructure
Vulnerabilities and Exploits
- CIS: Oracle Quarterly Critical Patches Issued January 18, 2022
- CIS: A Vulnerability in Zoho Desktop Central and Desktop Central MSP Could Allow for Authentication Bypass
- Bugcrowd (registration required): Priority One Report
- CISA: Vulnerability Summary for the Week of January 10, 2022
- CISA: F5 Releases January 2022 Quarterly Security Notification