Hello and welcome to Sec Soup, where the weekly newsletter has a collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is neither vetted nor intended to be an exhaustive source. Keeping up with the enormous volume of security-related information is a daunting task, but this is my way of filtering the most useful items and improving the signal-to-noise ratio. Happy Reading!
Industry Reports, News, and Miscellany
- Proofpoint: Mobile Malware is Surging in Europe: A Look at the Biggest Threats
- Google: An update on the threat landscape
- Recorded Future: 2021 Brand Intelligence Trends
- Check Point: Leaks of Conti Ransomware Group Paint Picture of a Surprisingly Normal Tech Start-Up… Sort Of
- Cisco Talos: Threat advisory: Cybercriminals compromise users with malware disguised as pro-Ukraine cyber tools
- PhishLabs: Erratic Phishing Volume Increases 28% in 2021
- VMware: Ransomware Attacks and Techniques – Analysis from VMware Threat Report
- The DFIR Report: 2021 Year In Review
- InfoSecSherpa: InfoSecSherpa’s News Roundup for Saturday, March 12, 2022
- Lumen: Emotet Redux
- BreachQuest: The Conti Leaks – Insight into a Ransomware Unicorn
- ODNI (PDF Download): Annual Threat Assessment of the U.S. Intelligence Community
Threat Research
- CrowdStrike: PROPHET SPIDER Exploits Citrix ShareFile
- Netskope: New Formbook Campaign Delivered Through Phishing Emails
- Proofpoint: The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates
- Sophos: Qakbot injects itself into the middle of your conversations
- Mandiant: Does This Look Infected? A Summary of APT41 Targeting US State Governments
- Fortinet: Fake Purchase Order Used to Deliver Agent Tesla
- Malwarebytes: Ransomware: February 2022 review
- Symantec: Daxin Backdoor: In-Depth Analysis, Part Two
- Cisco Talos: Iranian linked conglomerate MuddyWater comprised of regionally focused subgroups
- McAfee: Come Join the Scam Party
- BlackBerry: Threat Thursday: CryptBot Infostealer Masquerades as Cracked Software
- Secureworks: Excel Add-ins Deliver JSSLoader Malware
- Trend Micro: New Nokoyawa Ransomware Possibly Related to Hive
- ReversingLabs: Wiper Malware Targeting Ukraine: Evidence of Planning, and Haste
- Walmart: Diavol the Enigma of Ransomware
- TrueSec: TeamTNT Gang is Part of FIN12/Conti Syndicate
- OALABS: Hermetic Wizard Malware
Tools and Tips
- SpecterOps: Revisiting Phishing Simulations. Rethinking the way that we approach…
- Flashpoint: Brute Force and Credential Stuffing Attacks: How Cyber Threat Actors Gain Access to Accounts—Plus Best Practices for Detection and Prevention
- Dragos: Pivoting Between Corporate IT and OT Networks with Network Shell
- Cybereason: Threat Hunting: From LOLBins to Your Crown Jewels
- SANS ISC: Keep an Eye on WebSockets
- G DATA: Living off the land
- Trustwave: Bypassing MFA: A Pentest Case Study
- NVISO Labs: DeTT&CT : Mapping detection to MITRE ATT&CK
- SANS: How to Use Phishing Benchmarks Effectively to Assess Your Program
- FalconForce: EzETW — Got To Catch Them All….
- TrustedSec: Expanding the Hound: Introducing Plaintext Field to Compromised Accounts
- Willi Ballenthin: biodiff: introduction
- ASK Academy: The Art of Malware Analysis
- RedBluePurple: Bypassing EDR real-time injection detection logic
- GISSP: Analyzing Malicious Word Documents
- SANS (video): SOC Alert Tuning and False Positive Reduction: Setting Yourself Up for Success
- Robert Graham: Are You Prepared to Handle a Ransomware Attack?
Breaches, Government, and Law Enforcement
- ZDNet: Samsung confirms Galaxy source code breach but says no customer information was stolen
- Flashpoint: Understanding Russia’s “Sovereign Internet”: What Happens If Russia Isolates Itself from the Global Internet?
- Recorded Future: Inside China’s National Defense Mobilization Reform
- FBI: FBI Warns of the Impersonation of Law
- Krebs: Report: Recent 10x Increase in Cyberattacks on Ukraine
- Bleeping Computer: SEC wants public companies to report breaches within four days
- FinCEN: FinCEN Provides Financial Institutions with Red Flags on Potential Russian Sanctions Evasion Attempts
- Threatpost: NVIDIA’s Stolen Code-Signing Certs Used to Sign Malware
- Rapid7: New US Law to Require Cyber Incident Reports
- US DOJ: Sodinokibi/REvil Ransomware Defendant Extradited to United States and Arraigned in Texas
- US DOJ: Former Canadian Government Employee Extradited to the United States to Face Charges for Dozens of Ransomware Attacks Resulting in the Payment of Tens of Millions of Dollars in Ransoms
- Reuters: Exclusive: US spy agency probes sabotage of satellite internet during Russian invasion, sources say
- The Record: Biden’s cryptocurrency executive order will help unify counter-ransomware strategy
Vulnerabilities and Exploits
- Armis: TLStorm: Three critical vulnerabilities discovered in APC Smart-UPS devices can allow attackers to remotely manipulate the power of millions of enterprise devices.
- cm4all: The Dirty Pipe Vulnerability
- SANS ISC: Microsoft March 2022 Patch Tuesday
- CISA: Vulnerability Summary for the Week of February 28, 2022
- SentinelOne: Another Brick in the Wall: Uncovering SMM Vulnerabilities in HP Firmware
- PAN Unit42: Container Escape to Shadow Admin: GKE Autopilot Vulnerabilities
- Team Cymru: Record breaking DDoS Potential Discovered: CVE-2022-26143
- Datadog: The Dirty Pipe Vulnerability: Overview, Detection, and Remediation