Summary

— A collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is not vetted nor intended to be an exhaustive source. Keeping up with the enormous volume of security-related information is a daunting task, but this is my way of filtering the most useful items and improving the signal to noise ratio. The summaries are provided with links for the reader to drill down into particular topics according to their own interests.

Industry Reports, News, and Miscellany

• Broadcom in advanced talks to buy Symantec
  • https://www.reuters.com/article/us-symantec-m-a-broadcom/broadcom-in-advanced-talks-to-buy-symantec-sources-idUSKCN1TX2ZZ
• All 2019 Sp4rkCon Talks uploaded to Youtube.
  • https://www.youtube.com/channel/UCXbCGypgRt9eXJa5qTlq-rA
• ‘Twas the night before (APT33 Report)
  • https://securelist.com/twas-the-night-before/91599/
• Where Do CISOs Belong in the IT Org Chart?
  • https://www.crowdstrike.com/blog/where-ciso-belongs-in-it-org-chart/
• Phishing  Number One Cause of Data Breaches: Lessons from Verizon DBIR
  • https://info.phishlabs.com/blog/phishing-number-1-data-breaches-lessons-verizon
• When Math and Science Collide: Using Artificial Intelligence at NSA
  • https://alltogether.swe.org/2019/03/when-math-and-science-collide-using-artificial-intelligence-at-nsa/
• Similarities and differences between MuddyWater and APT34
  • https://marcoramilli.com/2019/06/27/similarities-and-differences-between-muddywater-and-apt34/
• The Accidental Infosec Mentor
  • https://themanyhats.club/walking-the-walk/
• A Fierce Domain – Documents on Key Events in Cyber History (From the NSA archives)
  • https://nsarchive.gwu.edu/news/cyber-vault/2019-06-29/fierce-domain-documents-key-events-cyber-history
• The Value of Community in InfoSec
  • https://medium.com/@raebaker/the-value-of-community-in-infosec-2d1a1c34bfab
• Microsoft Defender ATP alert categories are now aligned with Mitre ATT&CK
  • https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Microsoft-Defender-ATP-alert-categories-are-now-aligned-with/ba-p/732748
• YouTube’s Ban of Hacking Videos Moves Us Closer to an Entertainment-only Public Sphere
  • https://danielmiessler.com/blog/youtubes-ban-of-hacking-videos-moves-us-closer-to-an-entertainment-only-world/

Tools and Tips

• A Quick and Efficient Method For Locating the main() function of Linux ELF Malware Variants
  • https://blog.trendmicro.com/trendlabs-security-intelligence/a-quick-and-efficient-method-for-locating-the-main-function-of-linux-elf-malware-variants/
• Using Powershell in Basic Incident Response – A Domain Wide “Kill-Switch”
  • https://isc.sans.edu/forums/diary/Using+Powershell+in+Basic+Incident+Response+A+Domain+Wide+KillSwitch/25088/
• Blocking DNS over HTTPS
  • https://github.com/bambenek/block-doh
• Security Primer – TrickBot
  • https://www.cisecurity.org/white-papers/security-primer-trickbot/
• Try Harder! My Penetration Testing with Kali Linux OSCP Review and course/lab experience — My OSCP Review | by Jason Bernier
  • https://hakin9.org/try-harder-my-penetration-testing-with-kali-linux-oscp-review-and-courselab-experience-my-oscp-review-by-jason-bernier/
• Sysmon in a Box
  • https://nosecurecode.com/2019/06/29/sysmon-in-a-box/
• amass — Automated Attack Surface Mapping
  • https://danielmiessler.com/study/amass/
• Persistence with KeePass – Part 1
  • https://medium.com/@two06/persistence-with-keepass-part-1-d2e705326aa6
• Persistence with KeePass -Part 2
  • https://medium.com/@two06/persistence-with-keepass-part-2-3e328b24e117
• awesome-reversing: A curated list of awesome reversing resources
  • https://github.com/tylerha97/awesome-reversing
• Bloodsport: Using Games and CTFs to Improve your Industry Skills
  • https://medium.com/@raebaker/bloodsport-using-games-and-ctfs-to-improve-your-industry-skills-602baf8c5851
• Incident Response and IoC
  • https://projectsharp.org/2019/07/04/incident-response-and-ioc/
• Writing shellcodes for Windows x64
  • https://nytrosecurity.com/2019/06/30/writing-shellcodes-for-windows-x64/
• Delivering major enhancements in Windows Defender Application Control with the Windows 10 May 2019 Update
  • https://www.microsoft.com/security/blog/2019/07/01/delivering-major-enhancements-in-windows-defender-application-control-with-the-windows-10-may-2019-update/
• Bypassing Email Security Controls (P1: URL Scanning)
  • https://rhinosecuritylabs.com/social-engineering/bypassing-email-security-url-scanning/
• Preventing Lateral Movement
  • https://www.ncsc.gov.uk/guidance/preventing-lateral-movement
• PSDecode v4 Released
  • https://github.com/R3MRUM/PSDecode
• THOR 10 Fusion Released
  • https://www.nextron-systems.com/2019/07/02/thor-10-fusion-released/

Threat Research – Malware, Phishing, and other Campaigns in the Wild

• LooCipher: The New Infernal Ransomware
  • https://blog.yoroi.company/research/loocipher-the-new-infernal-ransomware/
• Taking Over the Overlay: What Triggers the AVLay Remote Access Trojan (RAT)?
  • https://securityintelligence.com/posts/taking-over-the-overlay-what-triggers-the-avlay-remote-access-trojan-rat/
• Unwrapping Fishwrap, a New Social Media Misinformation Methodology
  • https://www.recordedfuture.com/podcast-episode-114/
• BianLian: A New Wave Emerges
  • https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html
• Sodin ransomware exploits Windows vulnerability and processor architecture
  • https://securelist.com/sodin-ransomware/91473/
• TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States
  • https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south
• Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi
  • https://blog.trendmicro.com/trendlabs-security-intelligence/latest-spam-campaigns-from-ta505-now-using-new-malware-tools-gelup-and-flowerpippi/
• Operation Tripoli: a large-scale campaign using Facebook pages to spread malware
  • https://research.checkpoint.com/operation-tripoli/
• RATs and stealers rush through “Heaven’s Gate” with new loader
  • https://blog.talosintelligence.com/2019/07/rats-and-stealers-rush-through-heavens.html
• WATCH WHERE YOU BROWSE – THE FALLOUT EXPLOIT KIT STAYS ACTIVE
  • https://www.cybereason.com/blog/watch-where-you-browse-the-fallout-exploit-kit-stays-active
• Hancitor Campaigns Delivering Cobalt Strike as a Payload
  • https://twitter.com/James_inthe_box/status/1145765244645433344
  • https://twitter.com/VK_Intel/status/1145831874872381440
  • http://www.malware-traffic-analysis.net/2019/07/03/index.html
• FlawedAmmyy and the Case for Isolation
  • https://www.bromium.com/protect-before-you-detect-flawedammyy-and-the-case-for-isolation/
• Threat Spotlight: Ratsnif – New Network Vermin from OceanLotus
  • https://threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html
• Threat Spotlight: Sodinokibi Ransomware
  • https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html
• An Analysis of Godlua Backdoor
  • https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/
• OSX/CrescentCore: Mac malware designed to evade antivirus
  • https://www.intego.com/mac-security-blog/osx-crescentcore-mac-malware-designed-to-evade-antivirus/
• ANATOMY OF A SYN-ACK ATTACK
  • https://blogs.akamai.com/sitr/2019/07/anatomy-of-a-syn-ack-attack.html

Vulnerabilities and Exploits

• CVE-2019–13142: Razer Surround 1.1.63.0 EoP
  • https://posts.specterops.io/cve-2019-13142-razer-surround-1-1-63-0-eop-f18c52b8be0c
• Vulnerability Spotlight: Google V8 Array.prototype memory corruption vulnerability
  • https://blog.talosintelligence.com/2019/07/vulnerability-spotlight-Google-V8-June-19.html
• GOTCHA: Taking phishing to a whole new level
  • https://medium.com/intigriti/gotcha-taking-phishing-to-a-whole-new-level-72eda9e30bef
• The Curious Case of QueueUserAPC
  • https://posts.specterops.io/the-curious-case-of-queueuserapc-3f62e966d2cb

Breaches, Government, and Law Enforcement 

• Contractor’s server exposes data from Fortune 100 companies: Ford, Netflix, TD Bank
  • https://www.zdnet.com/google-amp/article/contractors-server-exposes-data-from-fortune-100-companies-ford-netflix-td-bank/?__twitter_impression=true
• LinkedIn is becoming China’s go-to platform for recruiting foreign spies
  • https://www.cyberscoop.com/linkedin-china-spies-kevin-mallory-ron-hansen/
• Operationalizing Cyberspace as a Military Domain | Lessons for NATO
  • https://www.rand.org/pubs/perspectives/PE329.html
• US Military Warns Companies to Look Out for Iranian Outlook Exploits
  • https://www.darkreading.com/us-military-warns-companies-to-look-out-for-iranian-outlook-exploits/d/d-id/1335150
• FBI Releases Warning on Sextortion Scams Targeting Teenagers
  • https://www.bleepingcomputer.com/news/security/fbi-releases-warning-on-sextortion-scams-targeting-teenagers/