Hello and welcome to Sec Soup, where the weekly newsletter has a collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is not vetted nor intended to be an exhaustive source. Keeping up with the enormous volume of security-related information is a daunting task, but this is my way of filtering the most useful items and improving the signal-to-noise ratio. Happy Reading!
Industry Reports, News, and Miscellany
- Intrusion Truth: An (in)Competent Cyber Program – A brief cyber history of the ‘CCP’
- Coveware: Q2 Ransom Payment Amounts Decline as Ransomware becomes a National Security Priority
- IBM: Data Breach Costs at Record High, Zero Trust, AI and Automation Shine in Cost Reduction
- ZDNet: Kaseya denies paying ransom for decryptor, refuses comment on NDA
- RiskIQ: Bear Tracks: Infrastructure Patterns Lead to More Than 30 Active APT29 C2 Servers
- Flashpoint: Flashpoint Chatter Indicates BlackMatter as Blog REvil Successor
- Recorded Future: China’s Digital Colonialism: Espionage and Repression Along Digital Silk Road
- Kaspersky: APT trends report Q2 2021
- Check Point: Mid-Year Attack Trends Report Reveals A 29% Increase In Cyberattacks Against Organizations Globally
- PAN Unit42: Ransomware Families: 2021 Data to Supplement the Unit 42 Ransomware Threat Report
Threat Research
- Proofpoint: I Knew You Were Trouble: TA456 Targets Defense Contractor with Alluring Social Media Persona
- Netskope: Netskope Threat Coverage: 2020 Tokyo Olympics Wiper Malware
- Check Point: Time-proven tricks in a new environment: the macOS evolution of Formbook
- Cisco Talos: Threat Spotlight: Solarmarker
- SANS ISC: Malicious Content Delivered Through archive.org
- Blackberry: Threat Thursday: Hancitor Malware
- Sentinel One: MeteorExpress | Mysterious Wiper Paralyzes Iranian Trains with Epic Troll
- Sophos: Malware increasingly targets Discord for abuse
- PAN Unit42: THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group
- Trend Micro: Threat Actors Exploit Misconfigured Apache Hadoop YARN
- Sygnia: Praying Mantis (TG1021): An Advanced Memory-Resident Attack
- Microsoft: When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks
- Microsoft: BazaCall: Phony call centers lead to exfiltration and ransomware
- soolidsnake: HelloKitty Linux version malware analysis
Tools and Tips
- FireEye: capa 2.0: Better, Faster, Stronger
- Dragos: Understanding The Challenges of Vulnerability Management in OT Environments and How to Tackle Them
- SANS ISC: Failed Malspam: Recovering The Password
- HP: Detecting TA551 domains
- VMware: Hunting IcedID and unpacking automation with Qiling
- FalconForce: FalconFriday — Direct system calls and Cobalt Strike BOFs — 0xFF14
- AhmedS Kasmani (video): Analysis of Malware from Kaseya/Revil Supply Chain attack.
- SANS: ICS Threat Hunting – “They’re Shootin’ at the Lights!” – Part 1
- Walmart: Decrypting BazarLoader strings with a Unicorn
- Mehmet Ergene: Detecting PetitPotam and other Domain Controller Account Takeovers
- Microsoft: Combing through the fuzz: Using fuzzy hashing and deep learning to counter malware detection evasion techniques
- DFIR Diva: DFIR Related Events for Beginners – August, 2021
- Atomic Matryoshka: Process Injection: Malware Lurking in the Shadows of Legitimate Programs (Part 2)
- Jonathan Johnson: Dataset Prioritization
- Altered Security: Fantastic Windows Logon types and Where to Find Credentials in Them
- svch0st: Guide to Named Pipes and Hunting for Cobalt Strike Pipes
- hausec: Cobalt Strike and Tradecraft
- Elastic: Collecting and operationalizing threat data from the Mozi botnet
- OALabs (video): Python3 Tips For Reverse Engineers
Breaches, Government, and Law Enforcement
- Amnesty International: Massive data leak reveals Israeli NSO spyware used to target activists, journalists, and political leaders
- The White House: National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems
- Krebs: PlugwalkJoe Does the Perp Walk
- Bleeping Computer: DOJ: SolarWinds hackers breached emails from 27 US Attorneys’ offices
- Huntress Labs: A Recap of Events and Lessons Learned During the Kaseya VSA Supply Chain Attack
- US DOJ: Four Chinese Nationals Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including Infectious Disease Research
- The Record: Fraud Family phishing-as-a-service disrupted in the Netherlands
Vulnerabilities and Exploits
- CISA: Top Routinely Exploited Vulnerabilities
- CISA: Vulnerability Summary for the Week of July 19, 2021
- SANS ISC: Apple Patches for CVE-2021-30807
- Microsoft: KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)
- GRAPL: Kernel Pwning with eBPF: a Love Story
- dozer: Developing an exploit for the Jira Data Center Ehcache RCE (CVE-2020-36239)