Weekly News Roundup — March 3 to 9

Summary

— Hello, and welcome to Security Soup’s continuing news coverage of highlights from the previous week. This list is not intended to be an exhaustive source, but simply a collection of items I found interesting throughout my weekly research. The summaries are provided with links for the reader to drill down into particular topics according to their own interests.

— Highlights: FireEye/Mandiant released their yearly M-trends report. The NSA publicly released Ghidra, a free reverse engineering framework. Google gets into the SIEM/EDR business with the Backstory platform. A Chrome zero-day was discovered. And tis the season for tax-themed phishing threats.

Industry News and Reports

• New security platform: “Backstory” — introduced by Chronicle, a subsidiary of Alphabet/Google
  • https://medium.com/@chroniclesec/introducing-backstory-45dd9b4d4a6d
• The 2019 FireEye Mandiant M-Trends Report
  • https://content.fireeye.com/m-trends
• Agari Report on Scarlet Widow, a Nigeria-based BEC group
  • https://www.agari.com/cyber-intelligence-research/whitepapers/scarlet-widow-romance-scams.pdf
• Malwarebytes Labs: “The Blinding Effect of Security Hubris on Data Privacy”
  • https://resources.malwarebytes.com/files/2019/03/190226-MWB-Security-Hubris-on-Data-Privacy-v2.pdf
• Anti-Phishing Working Group (APWG): Phishing Activity Trends Report, Q4 2018
  • https://docs.apwg.org/reports/apwg_trends_report_q4_2018.pdf
• Microsoft Security Intelligence Report Volume 24 (email registration required for access)
  • https://info.microsoft.com/ww-landing-M365-SIR-v24-Report-eBook.html
• Accenture’s “Cost of Cybercrime Study”
  • https://www.accenture.com/t20190305T185301Z__w__/us-en/_acnmedia/PDF-96/Accenture-2019-Cost-of-Cybercrime-Study-Final.pdf#zoom=50
• “How China Exploits Social Media to Sway American Opinion” – from Recorded Future
  • https://www.recordedfuture.com/china-social-media-operations/
• Financial Cyberthreats in 2018
  • https://securelist.com/financial-cyberthreats-in-2018/89788/
• Email Security Risk Assessment – Q1 2019
  • https://www.mimecast.com/resources/white-papers/dates/2019/2/mimecast-email-security-risk-assessment-quarterly-report/

Tools and Tips

• Ghidra: NSA publicly releases their long-running reverse engineering framework
  • https://www.nsa.gov/resources/everyone/ghidra/
• AutoMacTC: Automating Mac Forensic Triage
  • https://www.crowdstrike.com/blog/automating-mac-forensic-triage/
• Keep an Eye on Disposable Email Addresses
  • https://isc.sans.edu/forums/diary/Keep+an+Eye+on+Disposable+Email+Addresses/24716/
• 6 Spam, Phishing and Malicious Email Trends to Watch For
  • https://www.trustwave.com/en-us/resources/blogs/trustwave-blog/6-spam-phishing-and-malicious-email-trends-to-watch-for/
• How to: Stand up a fee Windows VM for analysis
  • https://zeltser.com/free-malware-analysis-windows-vm/#
• How to: Hunt for startup processes in RunOnce and Startup folders
  • https://blog.menasec.net/2019/03/how-to-hunt-for-processes-starting-from.html?m=1
• The Xtreme RAT’s config decoded
  • https://malwareconfig.com/config/1b087a185cf42a6fbff36dd22fbbe81d/
• Regipy: Automating registry forensics with python
  • https://medium.com/dfir-dudes/regipy-automating-registry-forensics-with-python-b170a1e2b474
• Suricata 4.1.3 released
  • https://suricata-ids.org/2019/03/07/suricata-4-1-3-released/
• Parsing Firefox web history with EnCase
  • https://www.dfir.co.za/2019/03/09/encase-you-were-hoping-to-parse-firefox/

Vulnerabilities and Exploits

• Equation Editor exploits return with new techniques to evade detection
  • https://www.mimecast.com/blog/2019/03/the-return-of-the-equation-editor-exploit–difat-overflow/
• Google Chrome Zero-Day
  • https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html
• PXE Dust: Checkpoint finds bug in Windows Deployment Services (WDS)
  • https://research.checkpoint.com/pxe-dust-finding-a-vulnerability-in-windows-servers-deployment-services/

Breaches, Government, and Law Enforcement

• U.S. consumer data auctioned on underground forums
  • https://krebsonsecurity.com/2019/03/hackers-sell-access-to-bait-and-switch-empire/
• Russia Passes Bill That Outlaws Disrespecting Russian Officials Online
  • https://www.bleepingcomputer.com/news/security/russia-passes-bill-that-outlaws-disrespecting-russian-officials-online/
• U.S. Federal Trade Commission (FTC) warns of scams linked to the Social Security Administration (SSA)
  • https://www.consumer.ftc.gov/blog/2019/03/getting-calls-ssa
• U.S Internal Revenue Service (IRS) warns of the top “dirty dozen” scams for tax season
  • https://www.irs.gov/newsroom/irs-kicks-off-annual-list-of-most-prevalent-tax-scams-agency-warns-taxpayers-of-pervasive-phishing-schemes-in-its-dirty-dozen-campaign
• Cybercriminals gain access to internal Citrix network
  • https://www.citrix.com/blogs/2019/03/08/citrix-investigating-unauthorized-access-to-internal-network/
• Jackson County in Georgia paid $400,000 ransomware demand
  • https://www.zdnet.com/google-amp/article/georgia-county-pays-a-whopping-400000-to-get-rid-of-a-ransomware-infection/?__twitter_impression=true

Threats in the Wild – Malware, Phishing, and other campaigns

• APT40: FireEye covers a China-Nexus espionage threat group
  • https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html
• FlawedAmmyy’s recent use of XLM macros to evade detection
  • https://seguranca-informatica.pt/flawedammyy-leveraging-undetected-xlm-macros-as-an-infection-vehicle/
• New CryptoMix Clop variant targets networks instead individual systems
  • https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/new-cryptomix-clop-ransomware-variant-claims-to-target-networks/
• Crowdstrike examines GandCrab affiliate model for targeted ransomware distribution
  • https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/
• How the Termite tool is leveraged in network attacks
  • https://www.alienvault.com/blogs/labs-research/internet-of-termites
• How Ursnif evades detection
  • https://www.bromium.com/how-ursnif-evades-detection/
• Analysis of a PowerShell backdoor
  • https://threatrecon.nshc.net/2019/03/07/sectord02-powershell-backdoor-analysis/
• Yoroi researchers examine a suspicious JavaScript file that evaded AV detection
  • https://blog.yoroi.company/research/evading-av-with-javascript-obfuscation/
• Malwarebytes spotlights Troldesh (aka Shade) ransomware
  • https://blog.malwarebytes.com/threat-analysis/2019/03/spotlight-troldesh-ransomware-aka-shade/
• The “SLUB” backdoor leverages GitHub and communicates via Slack
  • https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/
• Overview of “Lime” remote administration tool (RAT) in a phishing campaign
  • https://cofense.com/lime-rat-caught-eye-versatile-malware-works/
• Another look at the GoBrut (aka Stealth Worker) brute forcing botnet
  • https://www.fortinet.com/blog/threat-research/new-stealth-worker-campaign-creates-a-multi-platform-army-of-bru.html