Summary

— A collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is not vetted or intended to be an exhaustive source, but simply a collection of items I found interesting throughout my weekly research. The summaries are provided with links for the reader to drill down into particular topics according to their own interests. Thank you to all of the contributors for this great content!

Industry Reports and Miscellany

• Verizon 2019 “Data Breach Investigations Report” (DBIR)
  • https://enterprise.verizon.com/resources/reports/dbir/
• FIN7.5: the infamous cybercrime rig “FIN7” continues its activities
  • https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
• Introducing the Bromium Threat Insights Report
  • https://www.bromium.com/introducing-bromium-threat-insights-report/
• F5 acquires NGINX: What to expect from the deal
  • https://www.zdnet.com/article/f5-acquires-nginx-what-to-expect-from-the-deal/
• Threat Roundup for May 3 to May 10
  • https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html
• Hacking Collective Claims Breaches of Three Major Anti-Virus Companies
  • https://www.advanced-intel.com/blog/top-tier-russian-hacking-collective-claims-breaches-of-three-major-anti-virus-companies
• Over 1,900 breaches reported in the first three months of 2019, a new Q1 record
  • https://www.riskbasedsecurity.com/2019/05/over-1900-breaches-reported-in-the-first-three-months-of-2019-a-new-q1-record/

Tools and Tips

• DSSuite – A Docker Container with Didier’s Tools
  • https://isc.sans.edu/forums/diary/DSSuite+A+Docker+Container+with+Didiers+Tools/24926/
• Updates to ADB to support VBA stomping — Adaptive Document Builder: A framework for generating simulated malicious office documents.
  • https://github.com/haroldogden/adb/blob/master/README.md
• Microsoft recommended block rules
  • https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
• Evil Clippy: MS Office maldoc assistant
  • https://outflank.nl/blog/2019/05/05/evil-clippy-ms-office-maldoc-assistant/
• Virtually Physical Access – Exploiting Virtual Machine Files on Penetration Tests
  • https://www.appsecconsulting.com/blog/virtually-physical-access-exploiting-virtual-machine-files-on-penetration-t
• Using Linux Process Environment Variables for Live Forensics
  • https://www.sandflysecurity.com/blog/using-linux-process-environment-variables-for-live-forensics/
• Submit malware samples to VMRay via MISP – Automation
  • https://www.vanimpe.eu/2019/05/07/submit-malware-samples-to-vmray-via-misp-automation/
• The new Windows Terminal, and the original Windows console host — all in the same place!
  • https://github.com/Microsoft/Terminal
• Unveiling the newest architecture for the Windows Subsystem for Linux: WSL 2
  • https://devblogs.microsoft.com/commandline/announcing-wsl-2/
• Finding Registry Malware Persistence with RECmd
  • https://digital-forensics.sans.org/blog/2019/05/07/malware-persistence-recmd/
• Darksearch – The 1st real Dark Web search engine (Darksearch vs Ahmia)
  • https://medium.com/@darksearch/darksearch-the-1st-real-search-engine-dark-web-darksearch-vs-ahmia-84852fd4c51b
• Atomic Red Team: T1490 – Inhibit System Recovery
  • https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
• Parsing carved evtx records using EvtxECmd
  • https://www.kazamiya.net/en/ParseCarvedEVTX
• Sysdig for malware unpacking
  • https://github.com/Issif/sysdig-vs-malware/blob/master/README.md

Threat Research – Malware, Phishing, and other Campaigns in the Wild

• CVE-2019-3396 Redux: Confluence Vulnerability Exploited to Deliver Cryptocurrency Miner With Rootkit
  • https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit/
• Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak
  • https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit
• Going Beyond Malware: The Rise of “Living off the Land” Attacks
  • https://www.crowdstrike.com/blog/going-beyond-malware-the-rise-of-living-off-the-land-attacks/
• ATMitch: New Evidence Spotted In The Wild
  • https://blog.yoroi.company/research/atmitch-new-evidence-spotted-in-the-wild/
• GANDCRAB’S NEW EVASIVE INFECTION CHAIN
  • https://www.netskope.com/blog/old-scams-getting-new-life-in-the-cloud
• Turla LightNeuron: An email too far
  • https://www.welivesecurity.com/2019/05/07/turla-lightneuron-email-too-far/
• Dharma Ransomware Uses AV Tool to Distract from Malicious Activities
  • https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/
• Vulnerable Apache Jenkins exploited in the wild
  • https://isc.sans.edu/forums/diary/Vulnerable+Apache+Jenkins+exploited+in+the+wild/24916/
• New Spam Attack Targets Romanian Corporation
  • https://www.fortinet.com/blog/threat-research/new-spam-attack-targets-romanian-corporation.html
• New KPOT v2.0 stealer brings zero persistence and in-memory features to silently steal credentials
  • https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal
• SilverTerrier – 2018 Nigerian Business Email Compromise
  • https://unit42.paloaltonetworks.com/silverterrier-2018-nigerian-business-email-compromise/
• PlaNETWORK: Face to Face with Cyber Crime
  • https://research.checkpoint.com/planetwork-face-to-face-with-cyber-crime/
• Sharepoint vulnerability exploited in the wild
  • https://www.alienvault.com/blogs/labs-research/sharepoint-vulnerability-exploited-in-the-wild/
• RobbinHood Ransomware
  • https://www.sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/
• A Pony Hidden in Your Secret Garden
  • https://www.cyberark.com/threat-research-blog/a-pony-hidden-in-your-secret-garden/

Vulnerabilities and Exploits

• VMWare Fusion 11 Guest VM RCE
  • https://isc.sans.edu/podcastdetail.html?id=6486
• Vulnerability Spotlight: Multiple bugs in several Jenkins plugins
  • https://blog.talosintelligence.com/2019/05/jenkins-plugins-vulnerability-spotlight-may-19.html
• The worst of both worlds: Combining NTLM Relaying and Kerberos delegation
  • https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/

Breaches, Government, and Law Enforcement

• U.S. Charges Chinese Hacker For 2015 Anthem Data Breach
  •  https://thehackernews.com/2019/05/chinese-hacker-anthem-breach.html
• Wolters Kluwer Incident
  • https://wolterskluwer.com/company/newsroom/news/2019/05/media-statement—network-and-service-interruptions.html
  • https://blog.tekkersit.com/wolters-kluwer-hit-by-mega-cortex-ransomwar
• Binance Security Breach Update – Hackers Stole 7000 BTC
  • https://binance.zendesk.com/hc/en-us/articles/360028031711-Binance-Security-Breach-Update
• Administrators of DeepDotWeb Indicted for Money Laundering Conspiracy, Sales of Other Illegal Goods on the Darknet
  • https://www.justice.gov/opa/pr/administrators-deepdotweb-indicted-money-laundering-conspiracy-relating-kickbacks-sales
• Crossing a Cyber Rubicon? Overreactions to the IDF’s Strike on the Hamas Cyber Facility
  • https://www.lawfareblog.com/crossing-cyber-rubicon-overreactions-idfs-strike-hamas-cyber-facility
• CISA Alert (AA19-122A): New Exploits for Unsecure SAP Systems
  • https://www.us-cert.gov/ncas/alerts/AA19-122A
• Iranian Nation-State APT Groups – “Black Box” Leak
  • https://www.clearskysec.com/iranian-apt-black-box/
• Malware Analysis Report (AR19-129A) | MAR-10135536-21 – North Korean Tunneling Tool: ELECTRICFISH
  • https://www.us-cert.gov/ncas/analysis-reports/AR19-129A