Hello and welcome to Sec Soup, where the weekly newsletter has a collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is not vetted nor intended to be an exhaustive source. Keeping up with the enormous volume of security-related information is a daunting task, but this is my way of filtering the most useful items and improving the signal to noise ratio. Happy Reading!
Industry Reports, News, and Miscellany
- Mimecast (registration required): State of Ransomware Readiness Report
- Recorded Future: The Business of Fraud: Botnet Malware Dissemination
- Kaspersky: Kaspersky Q3 2021 DDoS attack report
- Kaspersky: Analytical report on streaming-related cyberthreats in 2020 and 2021
- Dragos: The 2021 State of Industrial Cybersecurity
- PhishLabs (registration required): New Quarterly Threat Trends & Intelligence Report Available
- Expel: Top Attack Vectors: October 2021
- EUROPOL: Internet Organised Crime Threat Assessment (IOCTA) 2021
- Cyjax: Ransomware Review – October 2021
- Vulnerability: Observed Malware Campaigns – October 2020
- Sophos: Sophos 2022 Threat Report: Malware, Mobile, Machine learning and more!
- US DOD (pdf download): DOD 2021 Report on Military and Security Developments Involving the People’s Republic of China
Threat Research
- Google TAG: Analyzing a watering hole campaign using macOS exploits
- Microsoft: HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks
- Fortinet: To Joke or Not to Joke: COVID-22 Brings Disaster to MBR
- Malwarebytes: A multi-stage PowerShell based attack targets Kazakhstan
- Cybereason: THREAT ANALYSIS REPORT: From Shathak Emails to the Conti Ransomware
- McAfee: The Newest Malicious Actor: “Squirrelwaffle” Malicious Doc.
- Blackberry: Threat Thursday: SquirrelWaffle Takes a Bite Out of Victim’s Bank Accounts
- PAN Unit42: A Peek into Top-Level Domains and Cybercrime
- PAN Unit42: KdcSponge, NGLite, Godzilla Webshell Used in Targeted Attack Campaign
- Microsoft: Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus
- Trend Micro: QAKBOT Loader Returns With New Techniques and Tools
- Trend Micro: Compromised Docker Hub Accounts Abused for Cryptomining Linked to TeamTNT
Tools and Tips
- CrowdStrike: Automated Deobfuscation of Ploutus ATM Malware
- SpecterOps: Capability Abstraction Case Study: Detecting Malicious Boot Configuration Modifications
- Agari: SMTPS: How to Secure SMTP with SSL/TLS (Which Port to Use)
- SANS ISC: Obfuscated Maldoc: Reversed BASE64
- Red Canary: The dark side of Microsoft Remote Procedure Call protocols
- Open Source DFIR: Use EVTX files on VirusTotal with Timesketch and Sigma (Part 2)
- NVISO Labs: Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3
- SANS: ICS Threat Hunting: “They’re Shootin’ at the Lights!” – PART 2
- Mehmet Ergene: Detecting NTLM Relay Attacks
- Mandiant: Fuzzing Image Parsing in Windows, Part Three: RAW and HEIF
- DFIRScience: How to add artifacts to ALEAPP
- CryptoCypher: Threat group attribution with open-source datasets
- ahmedkhlief: APT-Hunter is a threat hunting tool for Windows event logs
- The Daily Swig: Mitre-for-malware project MalAPI seeks community support
- ch33r10: Paint it, Blue: Transitioning from CTI to Hunt
- teachyourselfinfosec.com: Teach Yourself Infosec
- Marco Ramilli: CONTI Ransomware: Cheat Sheet
- Omri Baso: This is how I bypassed almost every EDR!
- StuckinVim-Forever: Qbot-Strings-Decrypter
- blackPerl (video): Windows Forensics Analysis – Part 2, Identify Recon, Delivery, Persistence
- SANS (video): Mining The Shadows with ZoidbergStrike: A Scanner for Cobalt Strike
- zeronetworks: rpcfirewall: Install the RPC Firewall and configure it to audit all remote RPC calls
- Didier Stevens: cs-extract-key.py: a tool designed to extract cryptographic keys from Cobalt Strike beacon process memory dumps
- OALabs (video): Identify Unknown Malware Using Four Free Threat Intelligence Services
- JMP ESP: Malware Analysis: Syscalls
- 3CORESec: MAL-CL (Malicious Command-Line): aims to collect and document real-world and most common “malicious” command-line executions of different tools and utilities while providing actionable detections and resources for the blue team.
- olafhartong: sysmon-cheatsheet: All sysmon event types and their fields explained
- Security Onion: Quick Malware Analysis: TR QAKBOT QBOT Cobalt Strike pcap from 2021-11-04
- Mathieu Saulnier: Phishing Playbook
Breaches, Government, and Law Enforcement
- ZDNet: US President Biden signs law to ban Huawei and ZTE from receiving FCC licences
- Krebs: REvil Ransom Arrest, $6M Seizure, and $10M Reward
- US DOJ: Russian Cybercriminal Sentenced to 10 Years in Prison for Digital Advertising Fraud Scheme
- Newsweek: FBI Email System Reportedly Hacked to Send Fake DHS Cyberattack Messages
- BleepingComputer: New bill sets ransomware attack response rules for US financial orgs
- The Record: US detains crypto-exchange exec for helping Ryuk ransomware gang launder profits
- The Record: US Treasury sanctions crypto-exchange Chatex for links to ransomware payments
- EUROPOL: FIVE AFFILIATES TO SODINOKIBI/REVIL UNPLUGGED
- Lawfare: Initiative Persistence and the Consequence for Cyber Norms
- Atlantic Council: Surveillance Technology at the Fair: Proliferation of Cyber Capabilities in International Arms Markets
- Global Times: GT investigates: Hacking China’s medical institutes at COVID-19 outbreak, targeting aerospace firms during China’s space missions – Cyberattacks from India disclosed
- Bloomberg: Crypto Money Laundering Happening in Tallest Building in Moscow, Experts Say
Vulnerabilities and Exploits
- Data Breach Today: Firm Held Onto Palo Alto VPN Zero-Day for 11 Months
- The Hacker News: Palo Alto Warns of Zero-Day Bug in Firewalls Using GlobalProtect Portal VPN
- arsTechnica: Researchers wait 12 months to report vulnerability with 9.8 out of 10 severity rating
- Randori: Zero-Day Disclosure: PAN GlobalProtect CVE-2021-3064
- CISA: CISA Releases Advisory on Vulnerabilities in Multiple Data Distribution Service Implementations
- CISA: Vulnerability Summary for the Week of November 1, 2021
- CISA: Palo Alto Networks Release Security Updates for PAN-OS
- SANS ISC: Microsoft November 2021 Patch Tuesday
- ACSC: Active exploitation of vulnerable Sitecore Experience Platform content management systems