Hello and welcome to Sec Soup, where the weekly newsletter has a collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is neither vetted nor intended to be an exhaustive source. Keeping up with the enormous volume of security-related information is a daunting task, but this is my way of filtering the most useful items and improving the signal-to-noise ratio. Happy Reading!
Industry Reports, News, and Miscellany
- FBI/CISA: Ransomware Attacks Straining Local US Governments and Public Services
- Trellix: Executive Summary: Organizations and Nation-State Cyber Threats
- Rapid7: The 2021 Vulnerability Intelligence Report
- Recorded Future: Ransomware Enforcement Operations in 2020 and 2021
- Check Point: State-sponsored Attack Groups Capitalise on Russia-Ukraine War for Cyber Espionage
- MITRE ATT&CK: Intelligence Failures of Lincoln’s Top Spies: What CTI Analysts Can Learn From the Civil War
Threat Research
- CrowdStrike: EMBER BEAR: Threat Actor Profile
- Proofpoint: School of Hard Knocks: Job Fraud Threats Target University Students
- Recorded Future: Social Engineering Remains Key Tradecraft for Iranian APTs
- SentinelOne: AcidRain | A Modem Wiper Rains Down on Europe
- Fortinet: New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits
- Cisco Talos: Transparent Tribe campaign uses new bespoke malware to target Indian government officials
- Sophos: Horde of miner bots and backdoors leveraged Log4J to attack VMware Horizon servers
- Zscaler: Analysis of BlackGuard – a new info stealer malware being sold in a Russian hacking forum
- ESET: Under the hood of Wslink’s multilayered virtual machine
- Kaspersky: Lazarus Trojanized DeFi app for delivering malware
- Malwarebytes: New UAC-0056 activity: There’s a Go Elephant in the room
- Symantec: Verblecon: Sophisticated New Loader Used in Low-level Attacks
- Blackberry: Threat Thursday: Malicious Macros Still Causing Chaos
- Intezer: New Conversation Hijacking Campaign Delivering IcedID
- Inquest: Cloud Atlas Maldoc
- Morphisec: Mars Stealer: Exclusive New Threat Research
- Morphisec: Remcos Trojan: Analyzing the Attack Chain
- Walmart: CobaltStrike UUID stager
- Sucuri: New Wave of AnonymousFox Cron Jobs
- Trellix: PlugX: A Talisman to Behold
- Mandiant: Forged in Fire: A Survey of MobileIron Log4Shell Exploitation
- Cyber Geeks: A step-by-step analysis of the Russian APT Turla backdoor called TinyTurla
- Michael Koczwara: LAPSUS$ TTP’s
- NCC Group: Conti-nuation: methods and techniques observed in operations post the leaks
Tools and Tips
- CIS: Defending Against Russian Cyber-Attacks: Guidance for SLTTs
- CrowdStrike: CrowdStrike Services Identifies Microsoft 365 Logging Inconsistencies
- Dragos: Best Practices in OT Vulnerability Management: OT Vulnerability Prioritization is Different
- Dragos: Preventing Initial Access in Industrial Environments
- SANS ISC: Quickie: Parsing XLSB Documents
- Digital Shadows: The Power of Data Analysis in Threat Intelligence – Part 1: Data Collection and Data Mining
- Binary Defense: Breaking Down Password Storage Breakdowns
- VMware: Emotet C2 Configuration Extraction and Analysis
- NVISO Labs: Investigating an engineering workstation – Part 2
- OALABS: Angr Control Flow Deobfuscation
- Jack Humphries: Automating Brand Abuse Detection and Takedowns
- CYBER&RAMEN: Detecting COM Object Tasks by DarkHotel
- Computer Evidence Recovery: The Truth About USB Device Serial Numbers – (and the lies your tools tell)
- Arch Cloud Labs: Building A Simple Malware Analysis Pipeline In The Homelab Pt – 1
- MITRE: 11 Strategies of a World-Class Cybersecurity Operations Center
- Krabs on Security: Betabot in the Rearview Mirror
- Any Run: Dive into Analysis with Malware Configuration
- IppSec (video): PowerSIEM – Analyzing Sysmon Events with PowerShell – Dynamic Malware Analysis
Breaches, Government, and Law Enforcement
- BBC News: Lapsus$: Two UK teenagers charged with hacking for gang
- FBI: Global Operation Disrupts Business Email Compromise Schemes
- European Commission: European Commission and United States Joint Statement on Trans-Atlantic Data Privacy Framework
- US DOJ: Cybercriminal Connected to Multimillion Dollar Ransomware Attacks Sentenced for Online Fraud Schemes
- US DOJ: Chinese National Charged With Acting As An Unregistered Agent Of The Chinese Government In The United States
- Dragos: How the 2022 National Defense Authorization Act (NDAA) Impacts ICS/OT Cybersecurity
- Krebs: Fake Emergency Search Warrants Draw Scrutiny from Capitol Hill
- The Record: How cybercrime remixed the Nigerian Music scene
- Lawfare: Congress Invests in National Cyber Resilience but Misses Important Opportunities in the Consolidated Appropriations Act
- CNN: ‘I can fight with a keyboard’: How one Ukrainian IT specialist exposed a notorious Russian ransomware gang
Vulnerabilities and Exploits
- Zyxel: Zyxel security advisory for authentication bypass vulnerability of firewalls
- SentinelOne: Pwning Microsoft Azure Defender for IoT | Multiple Flaws Allow Remote Code Execution for All
- Fortinet: Fresh TOTOLINK Vulnerabilities Picked Up by Beastmode Mirai Campaign
- BleepingComputer: https://www.bleepingcomputer.com/news/security/critical-gitlab-vulnerability-lets-attackers-take-over-accounts/
- Trend Micro: An In-Depth Look at ICS Vulnerabilities Part 1
- FalconForce: Debugging the undebuggable and finding a CVE in Microsoft Defender for Endpoint
- Datadog: Using the Dirty Pipe Vulnerability to Break Out From Containers
- Spring Cloud: About Spring Core Spring Beans Remote Code Warning Notice for Execution 0day Vulnerability
- CISA: Rockwell Automation Logix Controllers
- CISA: Vulnerability Summary for the Week of March 21, 2022
- CISA: Spring Releases Security Updates Addressing “Spring4Shell” and Spring Cloud Function Vulnerabilities
- Zscaler: Spring Cloud Framework Vulnerabilities
- Flashpoint: What Is SpringShell? What We Know About the SpringShell Vulnerability [Updated]
- Symantec: Spring4Shell: New Zero-day RCE Vulnerability Uncovered in Java Framework
- Cisco Talos: Threat Advisory: Spring4Shell
- SANS ISC: Spring Vulnerability Update – Exploitation Attempts CVE-2022-22965
- Trustwave: Trustwave’s Action Response: CVE-2022-22965 and CVE-2022-22963
- PAN Unit42: CVE-2022-22965 (SpringShell): RCE Vulnerability Analysis and Mitigations
- TrustedSec: CVE 2022-22965 (Spring4Shell) Vulnerability
- Datadog: The Spring4Shell Vulnerability: Overview, Detection, and Remediation