Hello and welcome to Sec Soup, where the weekly newsletter has a collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is not vetted nor intended to be an exhaustive source. Keeping up with the enormous volume of security-related information is a daunting task, but this is my way of filtering the most useful items and improving the signal-to-noise ratio. Happy Reading!
Industry Reports, News, and Miscellany
- Netskope: Threat Labs Report – October 2021
- CISA: Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities
- CISA: APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus
- FBI (PDF download): An APT Group Exploiting a 0-day in FatPipe WARP, MPVPN, and IPVPN Software
- Red Canary: Intelligence Insights: November 2021
- PhishLabs: Vishing Hybrid, Response-Based Attacks on the Rise
- NCSC (UK): NCSC Annual Review 2021
- NCSC (NZ): Cyber Threat Report for 2020/21 released
- F5: The Ins and Outs of Digital Fraud
Threat Research
- Cynet: Quakbot Strikes with QuakNightmare Exploitation
- Proofpoint: Triple Threat: North Korea-Aligned TA406 Scams, Spies, and Steals
- Microsoft: Iranian targeting of IT sector on the rise
- Mandiant: UNC1151 Assessed with High Confidence to have Links to Belarus, Ghostwriter Campaign Aligned with Belarusian Government Interests
- Mandiant: ProxyNoShell: A Change in Tactics Exploiting ProxyShell Vulnerabilities
- Prodaft: [Conti] Ransomware Group In-Depth Analysis
- Truesec: ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks
- DFIR Report: Exchange Exploit Leads to Domain Wide Ransomware
- Cleafy: SharkBot: a new generation of Android Trojans is targeting banks in Europe
- Zscaler: Return of Emotet malware
- IBM: BrazKing Android Malware Upgraded and Targeting Brazilian Banks
- Recorded Future: Cyber Threats to Veterans: Spam and Scams Exploit Support for Veterans
- ESET: Strategic web compromises in the Middle East with a pinch of Candiru
- Check Point: Uncovering MosesStaff techniques: Ideology over Money
- Cisco Talos: Attackers use domain fronting technique to target Myanmar with Cobalt Strike
- SANS ISC: Emotet Returns
- Blackberry: Threat Thursday: DanaBot’s Evolution from Bank Fraud to DDoS Attacks
- Blackberry: All Your Beacon Are Belong to Us: New BlackBerry Book Cracks Code of Cobalt Strike Threat Actors
- Intezer: New Type of Supply Chain Attack Could Put Popular Admin Tools at Risk
- SentinelLabs: Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma
- Trend Micro: Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains
- VMware: Monitoring Winnti 4.0 C2 Servers for Two Years
- BushidoToken: Analysis of the latest PayPal phishing attacks
- Facebook: Taking Action Against Hackers in Pakistan and Syria
- JFrog: Malicious packages in PyPI use stealthy exfiltration methods
- Sucuri: Fake Ransomware Infection Spooks Website Owners
- Splunk: FIN7 Tools Resurface in the Field – Splinter or Copycat?
- ADV Intel: Corporate Loader “Emotet”: History of “X” Project Return for Ransomware
- Security Soup: Quick Post — Emotet: The Mummy Returns (Again)
Tools and Tips
- CrowdStrike: How to Build a Modern Mentorship in Cybersecurity
- SpecterOps: Active Directory Attack Paths — “Is everyone this bad?”
- RiskIQ: New E-Commerce Cybersecurity Guide Helps Brands be Proactive This Holiday Shopping Season
- Malwarebytes: The return of the Malwarebytes CrackMe
- Cisco Talos: Talos’ tips for staying safe while shopping online this holiday season
- Red Canary: Plan ahead with Red Canary’s new incident response guide
- CISA: NSA and CISA Release Guidance on Securing 5G Cloud Infrastructures
- Secureworks: Top 5 Actionable Cyber Threat Intelligence Insights
- NVISO Labs: Cobalt Strike: Decrypting Obfuscated Traffic – Part 4
- SANS: Consequence-Driven ICS Risk Management
- horsicq: horsicq/Detect-It-Easy: Program for determining types of files for Windows, Linux and MacOS.
- AGDC Services (video): Automate Qbot Malware String Decryption With Ghidra Script
- KA Forensics: Curated List of Digital Forensic Tools for Beginners
- seal9055: Memory Management
- f0wl: DanaConfig is a static configuration extractor implemented in Golang for the main component of DanaBot
- nccgroup: POC2021 – Pwning the Windows 10 Kernel with NTFS and WNF Slides
- Marcello: Taking the pain out of C2 infrastructure (Part 2)
- Luca Ebach: Guess who’s back – cyber.wtf
- LetsDefend: New Incident Responder Plan
- Knownsec 404 Team: Analysis of RDP Attack Surface and Its Security
- MagisterQuis: In-Memory-Only ELF Execution (Without tmpfs)
- Black Hills: DNS Over HTTPS for Cobalt Strike
- Hacking Articles: Best of Linux Commands for OSCP (Part 4)
- Rasta Mouse: ExternalC2.NET
- 0x90n: 0x90n/InfoSec-Black-Friday: All the deals for InfoSec related software/tools this Black Friday
Breaches, Government, and Law Enforcement
- The Hill: DHS announces new program to attract and retain cybersecurity talent
- Flashpoint: RAMP Ransomware’s Apparent Overture to Chinese Threat Actors
- Cyberscoop: Biden signs infrastructure bill that provides nearly $2 billion for cybersecurity
- Krebs: The ‘Zelle Fraud’ Scam: How it Works, How to Fight Back – Krebs on Security
- FDIC: Agencies Approve Final Rule Requiring Computer-Security Incident Notification
- The Record: Conti ransomware gang suffers security breach
- US DOJ: Two Iranian Nationals Charged for Cyber-Enabled Disinformation and Threat Campaign Designed to Influence the 2020 U.S. Presidential Election
- Huntress: Investigating Unauthorized Access: Huntress QA Environment Incident
- Lawfare: REvil Is Down—For Now
- Data Breach Today: Money Laundering Cryptomixer Services Market to Criminals
- BBC: Evil Corp: ‘My hunt for the world’s most wanted hackers’
Vulnerabilities and Exploits
- CIS: A Vulnerability in Multiple NETGEAR Products Could Allow for Arbitrary Code Execution
- CrowdStrike: November 2021 Patch Tuesday: Updates and Analysis
- CISA: Vulnerability Summary for the Week of November 8, 2021
- Digital Shadows: Vulnerability Intelligence: What’s the Word in Dark Web Forums?
- Microsoft: Guidance for Azure Active Directory (AD) keyCredential property Information Disclosure in Application and Service Principal APIs – Microsoft Security Response Center
- Hacking Articles: Windows Privilege Escalation: HiveNightmare