Summary
— Hello, and welcome to Security Soup’s continuing news coverage of highlights from the previous week. This list is not intended to be an exhaustive source, but simply a collection of items I found interesting throughout my weekly research. The summaries are provided with links for the reader to drill down into particular topics according to their own interests.
— Highlights: FireEye/Mandiant released its yearly M-Trends report. The NSA publicly released Ghidra, a free reverse engineering framework. Google gets into the SIEM/EDR business with the Backstory platform. A Chrome zero-day was discovered. And 'tis the season for tax-themed phishing threats.
Industry News and Reports
- New security platform: “Backstory” — introduced by Chronicle, a subsidiary of Alphabet/Google
- The 2019 FireEye Mandiant M-Trends Report
- Agari Report on Scarlet Widow, a Nigeria-based BEC group
- Malwarebytes Labs: “The Blinding Effect of Security Hubris on Data Privacy”
- Anti-Phishing Working Group (APWG): Phishing Activity Trends Report, Q4 2018
- Microsoft Security Intelligence Report Volume 24 (email registration required for access)
- Accenture’s “Cost of Cybercrime Study”
- “How China Exploits Social Media to Sway American Opinion” – from Recorded Future
- Financial Cyberthreats in 2018
- Email Security Risk Assessment – Q1 2019
Tools and Tips
- Ghidra: NSA publicly releases its long-running reverse engineering framework
- AutoMacTC: Automating Mac Forensic Triage
- Keep an Eye on Disposable Email Addresses
- 6 Spam, Phishing and Malicious Email Trends to Watch For
- How to: Stand up a free Windows VM for analysis
- How to: Hunt for startup persistence in the RunOnce registry keys and Startup folders
- The Xtreme RAT’s config decoded
- Regipy: Automating registry forensics with Python
- Suricata 4.1.3 released
- Parsing Firefox web history with EnCase
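The RunOnce/Startup-folder hunt listed above is worth seeing in working form. The script below is an added example written for this roundup, not code from the linked how-to or from any of the tools listed; it goes slightly beyond the headline by also covering the Run keys (including the WOW6432Node views) alongside RunOnce, since malware persists in both. The suspicious-path and script-host patterns are my own heuristics, not a published indicator list.

```powershell
# Added example: enumerate autostart entries from Run/RunOnce registry keys and
# the per-user and all-users Startup folders, then flag the ones worth a closer look.
# Run in an elevated PowerShell session so HKLM keys and the all-users folder are readable.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$startupFolders = @(
    (Join-Path $env:APPDATA    'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
)

# Heuristics (assumptions for this example): user-writable directories that commodity
# malware favours, and script hosts / LOLBins that rarely belong in a legitimate autostart.
$suspiciousPath = '\\(AppData|Temp|Downloads|Public|ProgramData)\\'
$suspiciousHost = '\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd)(\.exe)?\b'

function Get-TargetPath([string]$Command) {
    # Best-effort extraction of the executable from a command line. Quoted paths are
    # unambiguous; an unquoted path containing spaces cannot be split reliably and may
    # be reported as missing, so treat 'target-missing' as a lead, not a verdict.
    if ($Command -match '^\s*"([^"]+)"') { $path = $Matches[1] }
    else { $path = ($Command.Trim() -split '\s+')[0] }
    [Environment]::ExpandEnvironmentVariables($path)
}

function Get-AutostartEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Source  = $key
                Name    = $name
                Command = [string]$item.GetValue($name)
            }
        }
    }
    foreach ($folder in $startupFolders) {
        if (-not (Test-Path $folder)) { continue }
        # -Force includes hidden files; attackers often hide dropped shortcuts.
        Get-ChildItem -Path $folder -File -Force | ForEach-Object {
            $cmd = $_.FullName
            # Resolve .lnk shortcuts so the real target is inspected, not the shortcut file.
            if ($_.Extension -eq '.lnk') {
                $shell = New-Object -ComObject WScript.Shell
                $lnk   = $shell.CreateShortcut($_.FullName)
                $cmd   = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
            }
            [pscustomobject]@{
                Source  = $folder
                Name    = $_.Name
                Command = $cmd
            }
        }
    }
}

Get-AutostartEntry |
    Select-Object Source, Name, Command,
        @{ Name = 'Flags'; Expression = {
            $flags = @()
            if ($_.Command -match $suspiciousPath) { $flags += 'user-writable-path' }
            if ($_.Command -match $suspiciousHost) { $flags += 'script-host' }
            # A value whose target no longer exists is either stale or a cleaned-up remnant;
            # both are worth noting during triage.
            $target = Get-TargetPath $_.Command
            if ($target -and -not (Test-Path -LiteralPath $target)) { $flags += 'target-missing' }
            $flags -join ','
        } } |
    Sort-Object Source, Name |
    Format-Table -AutoSize -Wrap
```

Pipe the output to Export-Csv when triaging many hosts so the entries can be stacked and compared; an autostart entry that appears on a single machine is far more interesting than one present on the whole fleet.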
Vulnerabilities and Exploits
- Equation Editor exploits return with new techniques to evade detection
- Google Chrome Zero-Day
- PXE Dust: Check Point finds bug in Windows Deployment Services (WDS)
Breaches, Government, and Law Enforcement
- U.S. consumer data auctioned on underground forums
- Russia Passes Bill That Outlaws Disrespecting Russian Officials Online
- U.S. Federal Trade Commission (FTC) warns of scams linked to the Social Security Administration (SSA)
- U.S. Internal Revenue Service (IRS) warns of the top “dirty dozen” scams for tax season
- Cybercriminals gain access to internal Citrix network
- Jackson County in Georgia paid a $400,000 ransomware demand
Threats in the Wild – Malware, Phishing, and other campaigns
- APT40: FireEye covers a China-nexus espionage threat group
- FlawedAmmyy’s recent use of XLM (Excel 4.0) macros to evade detection
- New CryptoMix Clop variant targets networks instead of individual systems
- Crowdstrike examines GandCrab affiliate model for targeted ransomware distribution
- How the Termite tool is leveraged in network attacks
- How Ursnif evades detection
- Analysis of a PowerShell backdoor
- Yoroi researchers examine a suspicious JavaScript file that evaded AV detection
- Malwarebytes spotlights Troldesh (aka Shade) ransomware
- The “SLUB” backdoor leverages GitHub and communicates via Slack
- Overview of “Lime” remote administration tool (RAT) in a phishing campaign
- Another look at the GoBrut (aka Stealth Worker) brute forcing botnet