Summary

— A collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is not vetted nor intended to be an exhaustive source. Keeping up with the enormous volume of security-related information is a daunting task, but this is my way of filtering the most useful items and improving the signal to noise ratio.

I am once again including my top picks from the material from each category below, but adding brief quotes from the pieces for added context. I hope this highlights certain bits and helps readers identify content to consume, since there is so much great information and so little time. Happy Reading!

Highlights (my top picks):

News/Reports: The Annual Cost of Data Breach Report by the Ponemon Institute.

“average total cost of a data breach is the U.S. at $8.19 million, more than twice the global average. Healthcare was again the most expensive industry for data breach costs, with the total cost of a data breach in 2019 averaging $6.45 million.”

By Larry Ponemon

Threat Research: Gigamon Takes a Detailed Look at FIN8’s Tooling

“FIN8 is a financially-motivated threat group originally identified by FireEye in January of 2016, with capabilities further reported on by Palo Alto Networks’ Unit 42 and root9B….we aim to show how FIN8 continues to evolve and adapt their tooling….to enable defenders to better prevent, discover, or disrupt FIN8’s operations.”

by Kristina Savelesky, Ed Miles, Justin Warner

Tools and Tips: Analysis of the AmCache — DFIR Summit 2019

“Frequently overlooked and understudied, this database is rarely fully exploited when doing incident response. Indeed, its correct interpretation is complex: a lot of special cases can occur that have to be taken into account when performing an analysis. However, the information collected by the AmCache is extremely useful and the lack of awareness about this artifact makes it very valuable, since it is easily overlooked by attackers erasing their tracks.”

Author Blanche Lagny

Government: Report of the Senate Intelligence Committee on Russian Active Measures Campaigns and Interference in the 2016 U.S. Election

“From 2017 to 2019, the Committee held hearings, conducted interviews, and
reviewed intelligence related to Russian attempts in 2016 to access election infrastructure. The Committee sought to determine the extent of Russian activities, identify the response of the U.S. Government at the state, local, and federal level to the threat, and make recommendations on how to better prepare for such threats in the future.”

116TH CONGRESS 1st Session SENATE REPORT

Vulns/Exploits: #Bluekeep POC Exploit Research Presented and Incorporated into Commercial Pentesting Tool

“on Tuesday, July 23, Immunity Inc. announced it included a fully-working BlueKeep exploit inside CANVAS v7.23, the company’s pen-testing toolkit.”

By Catalin Cimpanu

Industry Reports, News, and Miscellany

• Ransomware: A Mid-Year Summary
  • https://cofense.com/ransomware-mid-year-summary/
• APT17 is run by the Jinan bureau of the Chinese Ministry of State Security
  • https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/
• What’s New in the 2019 Cost of a Data Breach Report
  • https://securityintelligence.com/posts/whats-new-in-the-2019-cost-of-a-data-breach-report/
• Bestsellers in the Underground Economy: Measuring Malware Popularity by Forum
  • https://www.recordedfuture.com/measuring-malware-popularity/
• Dragos ICS Threat Detection app for Splunk Broadens Security Visibility from Enterprise Through Operations
  • https://dragos.com/blog/industry-news/dragos-ics-threat-detection-app-for-splunk-broadens-security-visibility-from-enterprise-through-operations/
• BEC Scams Remain a Billion-Dollar Enterprise, Targeting 6K Businesses Monthly
  • https://www.symantec.com/blogs/threat-intelligence/bec-scams-trends-and-themes-2019
• CYBER ATTACK TRENDS: 2019 MID-YEAR REPORT
  • https://research.checkpoint.com/cyber-attack-trends-2019-mid-year-report/
• Let’s Destroy Democracy: ELECTION SECURITY THROUGH AN ADVERSARY’S EYES
  • https://blog.talosintelligence.com/2019/07/lets-destroy-democracy.html
• Week in OSINT #2019–29
  • https://medium.com/week-in-osint/week-in-osint-2019-29-2e9b78edbe12
• A CISO Mid-Life Crisis
  • https://medium.com/@Hpatton/a-ciso-mid-life-crisis-7616f2937b1e
• This Week in Data #2019-2
  • https://blog.zeshanaziz.com/this-week-in-data-2019-2/

Threat Research – Malware, Phishing, and other Campaigns in the Wild

• Chinese APT “Operation LagTime IT” Targets Government Information Technology Agencies in Eastern Asia
  • https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology
• Discovering BADHATCH and a Detailed Look at FIN8’s Tooling
  • https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling
• P2P Worm Spreads Crypto-Miners in the Wild
  • https://blog.yoroi.company/research/p2p-worm-spreads-crypto-miners-in-the-wild/
• Phishing Attackers Are Abusing WeTransfer to Evade Email Gateways
  • https://cofense.com/phishing-attackers-abusing-wetransfer-evade-email-gateways/
• GANDCRAB DOPPELGÄNGED HIS SHELL?
  • https://blog.ensilo.com/txhollower-process-doppelganging
• A Deep Dive Into IcedID Malware: Part III – Analysis of Child Processes
  • https://www.fortinet.com/blog/threat-research/deep-dive-icedid-malware-analysis-of-child-processes.html
• How to steal a million (of your data)
  • https://securelist.com/how-to-steal-a-million-of-your-data/91855/
• A deep dive into Phobos ransomware
  • https://blog.malwarebytes.com/threat-analysis/2019/07/a-deep-dive-into-phobos-ransomware/
• Multistage Attack Delivers BillGates/Setag Backdoor, Can Turn Elasticsearch Databases into DDoS Botnet ‘Zombies’
  • https://blog.trendmicro.com/trendlabs-security-intelligence/multistage-attack-delivers-billgates-setag-backdoor-can-turn-elasticsearch-databases-into-ddos-botnet-zombies/
• EXPLOIT KITS “SHADE” INTO NEW TERRITORY
  • https://www.cybereason.com/blog/exploit-kits-shade-into-new-territory
• Watching the WatchBog: New BlueKeep Scanner and Linux Exploits
  • https://www.intezer.com/blog-watching-the-watchbog-new-bluekeep-scanner-and-linux-exploits/
• BrushaLoader still sweeping up victims one year later
  • https://www.proofpoint.com/us/threat-insight/post/brushaloader-still-sweeping-victims-one-year-later
• TrickBooster – A Deeper Dive into the Malware that Successfully Harvested Over 250M Addresses
  • https://www.deepinstinct.com/2019/07/22/trickbooster-a-deeper-dive-into-the-malware-that-successfully-harvested-over-250m-addresses/
• Malicious Document delivering Dridex — analysis and emulation (part 1 and part 2)
  • https://medium.com/@haroldogden/malicious-document-delivering-dridex-analysis-and-emulation-part-1-b5ef43cfbb97
  • https://medium.com/@haroldogden/malicious-document-delivering-dridex-analysis-and-emulation-part-2-eb33fb6e3582
• Phishers Target Office 365 Admins with Fake Admin Alerts
  • https://www.bleepingcomputer.com/news/security/phishers-target-office-365-admins-with-fake-admin-alerts/#.XTcuYPgo4iQ
• Winnti uses the rtf exploit 8.t too targeting Vietnam
  • https://medium.com/@Sebdraven/winnti-uses-the-rtf-exploit-8-t-too-targets-vietnam-13300d432272
• Tencent Yushen Threat Intelligence Center captured a malicious mining virus spread using a bunch of pornographic e-books (chm format)
  • https://cloud.tencent.com/developer/news/232079
• Building Out ProtonMail Spoofed Infrastructure with Creation Timestamp Pivoting
  • https://threatconnect.com/blog/building-out-protonmail-spoofed-infrastructure/

Tools and Tips

• How to make your org more resilient to common Mac OS attacks
  • https://expel.io/blog/how-to-make-org-more-resilient-common-mac-os-attacks/
• Finding Evil in Windows 10 Compressed Memory, Part One: Volatility and Rekall Tools
  • https://www.fireeye.com/blog/threat-research/2019/07/finding-evil-in-windows-ten-compressed-memory-part-one.html
• ThreatHunt is a PowerShell repository that allows you to train your threat hunting skills.
  • https://github.com/MiladMSFT/ThreatHunt
• Yara rule to Detect Various PowerShell Obfuscation Techniques
  • https://github.com/Neo23x0/signature-base/blob/master/yara/gen_powershell_obfuscation.yar#L41
• Using Lampyre for Basic Email and Phone Number OSINT
  • https://medium.com/@raebaker/using-lampyre-for-basic-email-and-phone-number-osint-e0e36c710880
• Вы понимаете? OSINT in Foreign Languages
  • https://keyfindings.blog/2019/07/21/%D0%B2%D1%8B-%D0%BF%D0%BE%D0%BD%D0%B8%D0%BC%D0%B0%D0%B5%D1%82%D0%B5-osint-in-foreign-languages/
• MacOS Red Teaming 206: ARD (Apple Remote Desktop Protocol)
  • https://lockboxx.blogspot.com/2019/07/macos-red-teaming-206-ard-apple-remote.html
• Red Team Diary, Entry #1: Making NSA’s PeddleCheap RAT Invisible
  • https://medium.com/@d.bougioukas/red-team-diary-entry-1-making-nsas-peddlecheap-rat-invisible-f88ccbdc484d
• FireELF- Fileless Linux Malware Framework
  • https://blog.hackersonlineclub.com/2019/04/fireelf-fileless-linux-malware-framework.html
• Quickstart: onboarding sysmon data to Azure Sentinel
  • https://github.com/BlueTeamToolkit/sentinel-attack/blob/defcon/guides/Sysmon-onboarding-quickstart.md
• PowerShell Tutorial Mini-Course: Building a Server Inventory Script
  • https://adamtheautomator.com/powershell-tutorial-mini-course/
• Analyzing your Microsoft Defender ATP data in real-time in ELK using the new streaming API
  • https://medium.com/@maarten.goet/analyzing-your-microsoft-defender-atp-data-in-real-time-in-elk-using-the-new-streaming-api-c435d2943605
• Deciphering Browser Hieroglyphics: Intro (Part 1)
  • https://dfir.blog/deciphering-browser-hieroglpyhics-intro/
• AMCACHE ANALYSIS — 2019 DFIR Summit
  • https://www.ssi.gouv.fr/en/publication/amcache-analysis/
• Cerbero Suite 3.2 is out!
  • https://cerbero-blog.com/?p=1827
• PE Section Names – Re-visited, Again
  • http://www.hexacorn.com/blog/2019/07/26/pe-section-names-re-visited-again/

Breaches, Government, and Law Enforcement 

• Louisiana governor declares state emergency after local ransomware outbreak
  • https://www.zdnet.com/article/louisiana-governor-declares-state-emergency-after-local-ransomware-outbreak/
• The “Security Six” — Guidance from the IRS for Tax Professionals
  • https://www.irs.gov/newsroom/tax-security-20-a-taxes-security-together-checklist-step-1
• Russia’s Secret Intelligence Agency Hacked: ‘Largest Data Breach In Its History’
  • https://www.forbes.com/sites/zakdoffman/2019/07/20/russian-intelligence-has-been-hacked-with-social-media-and-tor-projects-exposed/#4183c7c16b11
• Hackers breach FSB contractor, expose Tor deanonymization project and more
  • https://www.zdnet.com/article/hackers-breach-fsb-contractor-expose-tor-deanonymization-project/
• DOD More Assertive, Proactive in Cyber Domain
  • https://www.defense.gov/explore/story/Article/1891495/dod-more-assertive-proactive-in-cyber-domain
• NSA to establish a defense-minded division named the Cybersecurity Directorate
  • https://www.zdnet.com/google-amp/article/nsa-to-establish-a-defense-minded-division-named-the-cybersecurity-directorate
• Canadian Centre for Cyber Security Releases Advisory on Fileless Malware
  • https://www.us-cert.gov/ncas/current-activity/2019/07/18/canadian-centre-cyber-security-releases-advisory-fileless-malware
• Citrix concludes investigation of unauthorized internal network access
  • https://www.citrix.com/blogs/2019/07/19/citrix-concludes-investigation-of-unauthorized-internal-network-access/
• Report of the Senate Intelligence Committee on Russian Active Measures Campaigns and Interference in the 2016 U.S. Election
  • https://www.intelligence.senate.gov/sites/default/files/documents/Report_Volume1.pdf
• Shadow force: The secret history of the U.S. intelligence community’s battle with Iran’s Revolutionary Guard
  • https://news.yahoo.com/shadow-force-the-secret-history-of-the-us-intelligence-communitys-battle-with-irans-revolutionary-guard-090000959.html
• New Entries in the CFR Cyber Operations Tracker: Q2 2019
  • https://www.cfr.org/blog/new-entries-cfr-cyber-operations-tracker-q2-2019

Vulnerabilities and Exploits

• A US cyber-security company is selling a weaponized BlueKeep exploit as part of a penetration testing utility.
  • https://www.zdnet.com/google-amp/article/us-company-selling-weaponized-bluekeep-exploit/
• OCVE-2019–13382: Local Privilege Escalation in SnagIt
  • https://posts.specterops.io/cve-2019-13382-local-privilege-escalation-in-snagit-abe5f31c349
• Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
  • https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-apple-products-could-allow-for-arbitrary-code-execution_2019-074/
• About the “security issue” on #VLC : VLC is not vulnerable.
  • https://threader.app/thread/1153963312981389312
• Attacking SSL VPN – Part 1: PreAuth RCE on Palo Alto GlobalProtect, with Uber as Case Study!
  • http://blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html?m=1
• Create a backdoor to take-over an object in AD
  • https://medium.com/@huykha/create-a-backdoor-to-take-over-an-object-in-ad-d5df682a4022
• #bluekeep RDP from patch to remote code execution (presentation slides)
  • https://github.com/blackorbird/APT_REPORT/blob/master/exploit_report/%23bluekeep%20RDP%20from%20patch%20to%20remote%20code%20execution.pdf
• Exploiting CVE–2019-1132: Another NULL Pointer Dereference in Windows Kernel
  • https://pwnrip.com/exploiting-cve-2019-1132-another-null-pointer-dereference-in-windows-kernel/