Summary

— Welcome to Security Soup’s continuing news coverage of highlights from the previous week. This list is not intended to be an exhaustive source, but simply a collection of items I found interesting throughout my weekly research. The summaries are provided with links for the reader to drill down into particular topics according to their own interests. Thank you to all of the contributors for this great content!

Industry News and Reports

• UK Government: Cyber Security Breaches Survey 2019
  • https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/791940/Cyber_Security_Breaches_Survey_2019_-_Main_Report.PDF
• Google: Android Security 2018 Year In Review
  • https://source.android.com/security/reports/Google_Android_Security_2018_Report_Final.pdf
• Bugcrowd: Security Leadership Study – Trends in Application Security
  • https://www.bugcrowd.com/security-leadership-study-trends-in-application-security/
• Debunking the Hacker Hype: The Reality of Widespread Blackouts – RSA 2019 Recap
  • https://dragos.com/blog/industry-news/debunking-the-hacker-hype-the-reality-of-widespread-blackouts-rsa-2019-recap/
• Effectively Applying Threat Intelligence: Trends From the 2019 SANS CTI Survey
  • https://www.recordedfuture.com/cyber-threat-intelligence-survey-2019/

Tools and Tips

• A few Ghidra tips for IDA users, part 0 – automatic comments for API call parameters
  • https://isc.sans.edu/forums/diary/A+few+Ghidra+tips+for+IDA+users+part+0+automatic+comments+for+API+call+parameters/24806/
• Beagle: Graph transforms for DFIR data & logs
  • https://isc.sans.edu/forums/diary/Beagle+Graph+transforms+for+DFIR+data+logs/24816/
• Step By Step Office Dropper Dissection
  • https://marcoramilli.com/2019/04/05/step-by-step-office-dropper-dissection/
• Ghidra SRE: The AZORult Field Test
  • https://blog.yoroi.company/research/ghidra-sre-the-azorult-field-test/
• RPC Bug Hunting Case Studies
  • https://www.fortinet.com/blog/threat-research/rpc-bug-hunting-case-studies—part-2.html
• Presentation: Powering Up on PowerShell
  • http://cyberfibers.com/presentations/
• Shodan Seeker: Command-line tool using Shodan API.
  • https://github.com/laincode/shodan-seeker
• How I use Any.Run
  • https://netsecninja.github.io/how-to/2019/04/01/how-I-use-any.run.html
• Introducing the Web Security Academy
  • https://portswigger.net/blog/introducing-the-web-security-academy
• Introducing PoshC2 v4.8 – includes C# dropper, task management and more! – Part One
  • https://labs.nettitude.com/blog/introducing-poshc2-v4-8-includes-c-dropper-task-management-and-more-part-one/
• Ghidra Plugin Development for Vulnerability Research – Part-1
  • https://www.somersetrecon.com/blog/2019/ghidra-plugin-development-for-vulnerability-research-part-1
• Simulating MITRE ATT&CK with RE:TERNAL
  • https://www.d3vzer0.com/simulating-mitre-attck-with-reternal/amp/?__twitter_impression=true
• Assess your data potential with ATT&CK Datamap
  • https://medium.com/@olafhartong/assess-your-data-potential-with-att-ck-datamap-f44884cfed11

Threat Research – Malware, Phishing, and other campaigns

• Mapping Out a Malware Distribution Network
  • https://www.bromium.com/mapping-malware-distribution-network/
• Ongoing DNS hijacking campaign targeting consumer routers
  • https://badpackets.net/ongoing-dns-hijacking-campaign-targeting-consumer-routers/
• ‘Broken’ File Hides Malware Designed to Break Its Targets
  • https://cofense.com/broken-file-hides-malware-designed-break-targets/
• Fake AV is Back: LaCie Network Drives Used to Spread Malware
  • https://isc.sans.edu/forums/diary/Fake+AV+is+Back+LaCie+Network+Drives+Used+to+Spread+Malware/24802/
• Emotet, Ryuk, and TrickBot join hands in new information stealing campaign
  • https://cyware.com/news/emotet-ryuk-and-trickbot-join-hands-in-new-information-stealing-campaign-64124863
• Actors Using New File Hosting Service to Launch Attacks
  • https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/malware-new-file-hosting-service/
• Ransomware Attackers turn to Google Ads after Dream Market Take Down
  • https://www.coveware.com/blog/dream-market-take-down-causes-ransomware-communication-chaos
• Evolving tactics of London Blue, a BEC threat group
  • https://www.agari.com/email-security-blog/london-blue-evolving-tactics/
• Xwo a python based Bot-scanner
  • https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner
• IcedID Banking Trojan Spruces Up Injection Tactics to Add Stealth
  • https://securityintelligence.com/icedid-banking-trojan-spruces-up-injection-tactics-to-add-stealth/
• Phishing Attack Uses SingleFile Browser Extension Tool to Obfuscate Malicious Log-in Pages
  • https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-attack-uses-browser-extension-tool-singlefile-to-obfuscate-malicious-log-in-pages/
• Tax-themed Email Campaigns Target 2019 Filers
  • https://www.proofpoint.com/us/threat-insight/post/tax-themed-email-campaigns-target-2019-filers
• Ursnif: The Latest Evolution of the Most Popular Banking Malware
  • https://blog.yoroi.company/research/ursnif-the-latest-evolution-of-the-most-popular-banking-malware/
• Hiding in Plain Sight: Researchers unearth Facebook cybercrime groups
  • https://blog.talosintelligence.com/2019/04/hiding-in-plain-sight.html
• “Fake Updates Campaign” pushes Chthonic banking trojan
  • http://www.malware-traffic-analysis.net/2019/04/05/index.html
• Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware
  • https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
• Malware Campaigns Sharing Network Resources: r00ts.ninja
  • https://blog.sucuri.net/2019/04/malware-campaigns-sharing-network-resources-r00ts-ninja.html
• The Social Engineering Behind Operation Sharpshooter, Rising Sun
  • https://www.bromium.com/social-engineering-operation-sharpshooter-rising-sun/
• A ONE-TWO PUNCH OF EMOTET, TRICKBOT, & RYUK STEALING & RANSOMING DATA
  • https://www.cybereason.com/blog/one-two-punch-emotet-trickbot-and-ryuk-steal-then-ransom-data 
• Threat Actor Group using UAC Bypass Module to run BAT File
  • https://threatrecon.nshc.net/2019/03/28/threat-actor-group-using-uac-bypass-module-to-run-bat-file/
• Ammyy RAT Hide its Macro in Hidden WorkSheet…
  • https://tccontre.blogspot.com/2019/04/ammyy-rat-hide-its-macro-in-hidden.html?m=1
• Paliz, the PowerShell downloader in a ZIP and beyond
  • https://www.gdatasoftware.com/blog/2019/04/31607-paliz-powershell-downloader
• Mimikatz in the Wild: Bypassing Signature-Based Detections Using the “AK47 of Cyber”
  •  https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/
• Emotet malware analysis. Part 2.
  • https://persianov.net/emotet-malware-analysis-part-2
• CB TAU Threat Intelligence Notification: Hunting APT28 Downloaders
  • https://www.carbonblack.com/2019/04/05/cb-threat-intelligence-notification-hunting-apt28-downloaders/

Breaches, Government, and Law Enforcement

• Bayer Reveals Detection and Containment of Winnti Digital Attack
  • https://www.tripwire.com/state-of-security/security-data-protection/bayer-reveals-its-detection-and-containment-of-digital-attack/
• 540 million records on Facebook users exposed by third-party apps
  • https://www.welivesecurity.com/2019/04/04/540-million-records-facebook-apps/
•  New York State Capital of Albany Hit by Ransomware Attack
  • https://www.albanyny.gov/newsandevents/news/19-03-31/City_of_Albany_Outlines_Service_Availability.aspx

Vulnerabilities and Exploits

•  Microsoft Edge and Internet Explorer Zero-Days
  • https://blog.trendmicro.com/trendlabs-security-intelligence/microsoft-edge-and-internet-explorer-zero-days-allow-access-to-confidential-session-data/
• Multiple Vulnerabilities in Magento
  • https://blogs.akamai.com/sitr/2019/04/sirt-advisory-multiple-vulnerabilities-in-magento.html
• Researcher publishes Google Chrome exploit
  • https://www.zdnet.com/article/researcher-publishes-google-chrome-exploit/
• Analysis of a VB Script Heap Overflow (CVE-2019-0666)
  • https://www.malwaretech.com/2019/04/analysis-of-a-vb-script-heap-overflow.html 
• CARPE (DIEM): CVE-2019-0211 Apache Root Privilege Escalation
  • https://cfreal.github.io/carpe-diem-cve-2019-0211-apache-local-root.html