Hello and welcome to Sec Soup, where the weekly newsletter has a collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is not vetted, nor is it intended to be an exhaustive source. Keeping up with the enormous volume of security-related information is a daunting task, but this is my way of filtering the most useful items and improving the signal-to-noise ratio. Happy Reading!
Industry Reports, News, and Miscellany
- Kaspersky: New ransomware trends in 2022
- HP: HP Wolf Security Threat Insights Report Q1 2022
- Kevin Beaumont: BPFDoor — an active Chinese global surveillance tool
- Group-IB: Ransomware Uncovered 2021/2022
Threat Research
- CrowdStrike: Falcon OverWatch Detects Novel IceApple Framework
- Netskope: RedLine Stealer Campaign Using Binance Mystery Box Videos to Spread GitHub-Hosted Payload
- Proofpoint: Nerbian RAT Using COVID-19 Themes Features Sophisticated Evasion Techniques
- Recorded Future: Overview of the 9 Distinct Data Wipers Used in the Ukraine War
- Fortinet: Please Confirm You Received Our APT
- Cisco Talos: Bitter APT adds Bangladesh to their targets
- Cybereason: Cybereason vs. Quantum Locker Ransomware
- SANS ISC: TA578 using thread-hijacked emails to push ISO files for Bumblebee malware
- Red Canary: The Goot cause: Detecting Gootloader and its follow-on activity
- Secureworks: REvil Development Adds Confidence About GOLD SOUTHFIELD Reemergence
- Secureworks: COBALT MIRAGE conducts ransomware operations in US
- Morphisec: SYK Crypter Distributing Malware Families Via Discord
- PAN Unit42: Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla
- The DFIR Report: SEO Poisoning – A Gootloader Story
- Trend Micro: Examining the Black Basta Ransomware’s Infection Routine
- OALABS: Taking a look at Bumblebee loader
- Minerva Labs: A new BluStealer Loader Uses Direct Syscalls to Evade EDRs
- Sandfly Security: BPFDoor – An Evasive Linux Backdoor Technical Analysis
Tools and Tips
- ACSC: Protecting Against Cyber Threats to Managed Service Providers and their Customers
- Dragos: How to Improve OT Network Visibility
- SentinelOne: Putting Things in Context | Timelining Threat Campaigns
- VMware: Lateral Movement: What It Is and How to Block It
- SANS: Cloud Instance Metadata Services (IMDS): A misunderstood but deeply important feature to lock down when deploying workloads in cloud.
- Microsoft: Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
- Atomic Matryoshka: Emotet .xls Dropper
- Huntress: Evicting the Adversary
- FalconForce: FalconFriday — Detecting malicious modifications to Active Directory — 0xFF1D
- TrustedSec: Diving into pre-created computer accounts
- Team Cymru: Sliver Case Study: Assessing Common Offensive Security Tools
- Zachary Szewczyk: SOC Metrics, Part III: Measures of Effectiveness
- Barak Aharoni: Shellcode Analysis
- Security Online: LEAF: Linux Evidence Acquisition Framework
- 13Cubed (YouTube video): The Case of the Disappearing Scheduled Task
- eCrimeLabs: MISP Auto tagging: In Organizations We Trust
- Jon Baker: Where to begin? Prioritizing ATT&CK Techniques
- Splunk: Detecting Active Directory Kerberos Attacks: Threat Research Release, March 2022
Breaches, Government, and Law Enforcement
- U.S. DOJ: Justice Department Announces First Director of National Cryptocurrency Enforcement Team
- Krebs: DEA Investigating Breach of Law Enforcement Data Portal
- The Record: Costa Rica’s new president declares state of emergency after Conti ransomware attack
- Reversing Labs: Happy anniversary? An assessment of the Cybersecurity Executive Order one year on
- U.S. DOJ: Readout of US Attorney General Merrick B. Garland’s Meeting with Five Eyes Partners and Ukraine’s Prosecutor General
- European Council: Russian cyber operations against Ukraine: Declaration by the High Representative on behalf of the European Union
Vulnerabilities and Exploits
- Horizon3: F5 iControl REST Endpoint Authentication Bypass Technical Deep Dive
- Malwarebytes: F5 BIG-IP vulnerability is now being used to disable servers
- Cisco Talos: Threat Advisory: Critical F5 BIG-IP Vulnerability
- SANS ISC: Microsoft May 2022 Patch Tuesday
- SANS ISC: From 0-Day to Mirai: 7 days of BIG-IP Exploits
- CISA: Vulnerability Summary for the Week of May 2, 2022
- PAN Unit42: Threat Brief: CVE-2022-1388
- IFCR: Certifried: Active Directory Domain Privilege Escalation (CVE-2022-26923)