Hello and welcome to Sec Soup, where the weekly newsletter has a collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is not vetted nor intended to be an exhaustive source. Keeping up with the enormous volume of security-related information is a daunting task, but this is my way of filtering the most useful items and improving the signal-to-noise ratio. Happy Reading!
Industry Reports, News, and Miscellany
- Mandiant: Proactive Preparation and Hardening to Protect Against Destructive Attacks
- Chainalysis: North Korean Hackers Have Prolific Year as Their Unlaundered Cryptocurrency Holdings Reach All-time High
- Check Point: Check Point Research: Cyber Attacks Increased 50% Year over Year
- CISA: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure
- US CYBERCOM: CNMF Identifies and Discloses Malware used by Iranian APT MuddyWater
- PAN Unit42: The Year in Web Threats: Web Skimmers Take Advantage of Cloud Hosting and More
- Huntress: Threat Advisory: VMware Horizon Servers Actively Being Hit With Cobalt Strike
- InfoSecSherpa: InfoSecSherpa’s News Roundup for Friday, January 14, 2022
- Bryan Campbell: REvil & Ukraine
Threat Research
- CrowdStrike: TellYouThePass Ransomware Analysis Reveals Modern Reinterpretation Using Golang
- CrowdStrike: Linux-Targeted Malware Increases by 35% in 2021
- Fortinet: COVID Omicron Variant Lure Used to Distribute RedLine Stealer
- Recorded Future: FIN7 Uses Flash Drives to Spread Remote Access Trojan
- ESET: Signed kernel drivers – Unguarded gateway to Windows’ core
- Kaspersky: The BlueNoroff cryptocurrency hunt is still on
- Malwarebytes: Phishers on the prowl with fake parking meter QR codes
- Check Point: APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit
- Cisco Talos: Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure
- HP: How Attackers Use XLL Malware to Infect Systems
- Expel: Top Attack Vectors: December 2021
- Blackberry: Threat Thursday: Jupyter Infostealer is a Master of Disguise
- Objective-See: SysJoker: analyzing the first (macOS) malware of 2022!
- SentinelLabs: Wading Through Muddy Waters | Recent Activity of an Iranian State-Sponsored Threat Actor
- ASEC: Magniber Ransomware Being Distributed via Microsoft Edge and Google Chrome
- Netskope: Abusing Microsoft Office Using Malicious Web Archive Files
- Walmart: Signed DLL campaigns as a service
- Cado Security: Abcbot – An Evolution of Xanthe
- Security Onion: Security Onion: Quick Malware Analysis: TA551 / SHATHAK / IcedID / BOKBOT pcap from 2022-01-06
- Splunk: Detecting Malware Script Loaders using Remcos: Threat Research Release December 2021
Tools and Tips
- CrowdStrike: CrowdStrike Services Releases Free Incident Response Tracker
- Recorded Future: How to Make the Attack Lifecycle Actionable with Intelligence
- SANS ISC: Extracting Cobalt Strike Beacons from MSBuild Scripts
- Red Canary: Better know a data source: Antimalware Scan Interface
- Intezer: How to Analyze Malicious Microsoft Office Files
- Trustwave: Decrypting Qakbot’s Encrypted Registry Keys
- CyberArk: Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file sys
- Atomic Matryoshka: Malware Headliners: Dridex
- Sucuri: How to Stop & Prevent DDoS Attacks
- FalconForce: FalconFriday — Suspicious named pipe events — 0xFF1B
- TrustedSec: Real Or Fake? How To Spoof Email
- DMFR Security: 100 Days of YARA – Day 24: Run Keys
- Forensic IT Guy: Inspecting a PowerShell Cobalt Strike Beacon
- Jai Minton: KringleCon IV write-up
- Anton on Security: New Paper: “Future Of The SOC: Process Consistency and Creativity: a Delicate Balance”
- Emalderson: ThePhish: an automated phishing email analysis tool
- MattETurner: DFIRlogbook Logbook for Digital Forensics and Incident Response
- Elastic: Identifying beaconing malware using Elastic
Breaches, Government, and Law Enforcement
- US DOJ: Former Acting Inspector General for the US Department of Homeland Security Pleads Guilty to Scheme to Defraud the US Government
- The Record: FSB arrests REvil ransomware gang members
- ZDNet: Cyberattack shuts down Albuquerque schools; county copes with ransomware incident
- Krebs: At Request of US, Russia Rounds Up 14 REvil Ransomware Affiliates
- Krebs: Who is the Network Access Broker ‘Wazawaka?’
- Digital Shadows: How Do Ransomware Groups Launder Payments?
- BleepingComputer: Ukrainian police arrests ransomware gang that hit over 50 firms
- ThreatPost: ‘Be Afraid:’ Massive Cyberattack Downs Ukrainian Gov’t Sites
- CuratedIntel: OSINT on REvil
- Data Breach Today: FCC Proposes Stricter Telecom Breach Notification Measures
- Reuters: Ukraine suspects group linked to Belarus intelligence over cyberattack
Vulnerabilities and Exploits
- CrowdStrike: noPac Exploit: Microsoft AD Flaw May Lead to Total Domain Compromise
- SANS ISC: Microsoft Patch Tuesday – January 2022
- CISA: Vulnerability Summary for the Week of January 3, 2022
- CISA: CISA Adds 15 Known Exploited Vulnerabilities to Catalog
- SentinelLabs: CVE-2021-45608 | NetUSB RCE Flaw in Millions of End User Routers
- Trend Micro: Analyzing an Old Bug and Discovering CVE-2021-30995
- Microsoft: New macOS vulnerability, “powerdir,” could lead to unauthorized user data access
- Bill Demirkapi: Unpacking CVE-2021-40444: A Deep Technical Analysis of an Office RCE Exploit