Hello and welcome to Sec Soup, where the weekly newsletter has a collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is not vetted nor intended to be an exhaustive source. Keeping up with the enormous volume of security-related information is a daunting task, but this is my way of filtering the most useful items and improving the signal-to-noise ratio. Happy Reading!
Industry Reports, News, and Miscellany
- CIS: Top 10 Malware May 2021
- CrowdStrike: Ransomware Actors Evolved Operations in 2020
- Proofpoint: The First Step: Initial Access Leads to Ransomware
- RiskIQ: Bit2check: Stolen Card Validation Service Illuminates A New Corner of the Skimming Ecosystem
- Cybereason: Report: Ransomware Attacks and the True Cost to Business
- PhishLabs: 62% of Phishing Sites Abuse Free Tools or Services
- TrendMicro: Fake DarkSide Campaign Targets Energy and Food Sectors
- Unit42: Conti Ransomware Gang: An Overview
Threat Research
- Proofpoint: New TA402 Molerats Malware Targets Governments in the Middle East
- FireEye: Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise
- Prodaft (PDF): LockBit RaaS In-Depth Analysis
- Sophos: Vigilante malware rats out software pirates while blocking ThePirateBay
- Recorded Future: Threat Activity Group RedFoxtrot Targets Bordering Asian Countries
- Securelist: Black Kingdom ransomware
- Securelist: Ferocious Kitten: 6 years of covert surveillance in Iran
- Intezer: Klingon RAT Holding on for Dear Life
- Inquest: PCode Pushing AveMaria
- Secureworks: Hades Ransomware Operators Use Distinctive Tactics and Infrastructure
- Binary Defense: Analysis of Hancitor – When Boring Begets Beacon
- Sentinel Labs: Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets
- Bushido Token: SharePoint Island Hopping: Phishing with compromised accounts
- Microsoft: Behind the scenes of business email compromise: Using cross-domain threat data to disrupt a large BEC campaign
Tools and Tips
- SpecterOps: Certified Pre-Owned. Active Directory Certificate Services… (by Will, Jun 2021)
- SANS ISC: Easy Access to the NIST RDS Database
- SANS ISC: Network Forensics on Azure VMs (Part #2)
- SANS ISC: Update: mac-robber.py
- Red Canary: Diary of a Detection Engineer: Babysitting child processes
- NSA: NSA Releases Guidance on Securing Unified Communications and Voice and Video over IP Systems
- VMWare: Detecting UEFI Bootkits in the Wild
- Rapid7: Attack Surface Analysis Part 2: Penetration Testing
- SANS: Top 5 ICS Incident Response Tabletops and How to Run Them
- MatryoshkaHax: Lsass and Credential Theft
- NirSoft: USB Drive Log For Windows 10
- Andy Piazza: CTI 101 Student Handout
- tomnomnom: gron: Make JSON greppable!
- Yaxser: Backstab: A tool to kill antimalware-protected processes
- jaredcatkinson: Code from “Taking Hunting to the Next Level: Hunting in Memory”
Breaches, Government, and Law Enforcement
- Associated Press: The Latest: Biden and Putin depart Geneva after summit
- NATO: Brussels Summit Communiqué issued by the Heads of State and Government participating in the meeting of the North Atlantic Council in Brussels 14 June 2021
- Cyberpolice of Ukraine: Cyberpolice exposes hacker group for spreading encryption virus and inflicting half a billion dollars in damage to foreign companies
- Flashpoint: Cl0p Ransomware Operators Arrested, Estimated Damages Eclipse $500M
- The Record: North Korean hackers breach South Korea’s atomic research agency through VPN bug
- NPR: Puerto Rico Sees Massive Power Outage After Fire And A Cyberattack
Vulnerabilities and Exploits
- ZDNet: Critical remote code execution flaw in thousands of VMWare vCenter servers remains unpatched
- Trustwave: Thousands of Vulnerable VMWare vCenter Servers Still Publicly Exposed (CVE-2021-21985, CVE-2021-21986)
- McAfee: A New Program for Your Peloton – Whether You Like It or Not
- CISA: Vulnerability Summary for the Week of June 7, 2021
- MDSec: Bypassing Image Load Kernel Callbacks