Hello and welcome to Sec Soup, the weekly newsletter with a collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is not vetted nor intended to be an exhaustive source. Keeping up with the enormous volume of security-related information is a daunting task, but this is my way of filtering the most useful items and improving the signal-to-noise ratio. Happy Reading!
Industry Reports, News, and Miscellany
- Cloudflare: DDoS Attack Trends for Q3 2021
- Kaspersky: Q3 2021 spam and phishing report
- CISA: FBI Releases PIN on Attacks Using Significant Financial Events for Extortion
- Digital Shadows: Initial Access Brokers in Q3 2021
- BleepingComputer: Popular ‘coa’ NPM library hijacked to steal user passwords
- Cyjax: Geopolitical and Cybersecurity Weekly Brief
- CERT-FR: Identification of a new cybercriminal group: Lockean
- Harvard: It’s Time to Regulate Water and Wastewater Cybersecurity–Here’s How
- The Record: GitLab servers are being exploited in DDoS attacks in excess of 1 Tbps
Threat Research
- CrowdStrike: CARBON SPIDER Embraces Big Game Hunting, Part 2
- Proofpoint: Caught Beneath the Landline: A 411 on Telephone Oriented Attack Delivery
- BlackBerry: Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
- BlackBerry: Threat Thursday: Karma Ransomware
- Zscaler: Spike in DanaBot Malware Activity
- Fortinet: Deep Dive into a Fresh Variant of Snake Keylogger Malware
- Symantec: BlackMatter: New Data Exfiltration Tool Used in Attacks
- Check Point: CPR alerts crypto wallet users of massive search engine phishing campaign that has resulted in at least half a million dollars being stolen
- Cisco Talos: Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk
- InQuest: Adults Only Malware Lures
- Group-IB: The Darker Things – BlackMatter and their victims
- The DFIR Report: From Zero to Domain Admin
- Trend Micro: A Review and Analysis of 2021 Buer Loader Campaigns
- Team Cymru: Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns
- Cyber Geeks: A detailed analysis of the STOP/Djvu Ransomware
Tools and Tips
- Cisco Talos: The features all Incident Response Plans need to have
- SANS ISC: Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory
- Intezer: Conducting Digital Forensics Incident Response on a GitLab Server
- Deep Instinct: Understanding the Windows JavaScript Threat Landscape
- Threatpost: 3 Guideposts for Building a Better Incident-Response Plan
- Open Source DFIR: Use EVTX files on VirusTotal with Timesketch and Sigma (Part 1)
- SANS: ICS Threat Hunting: “They’re Shootin’ at the Lights!”
- Active Countermeasures: Safelist Synchronization
- Sucuri: Network Firewall vs. Web Application Firewall (WAF)
- Cyjax: Cyjax research sees TeamTNT added to Mitre ATT&CK framework
- DFIRScience: Is this the fastest way to analyze Android?
- Lares: Sysmon for Linux Test Drive
- Finding Bad: Measuring User Behavior
- SEPA: Learnings from the cyber-attack
- Cyb3rSn0rlax: Detecting CONTI CobaltStrike Lateral Movement Techniques – Part 2
- Exploit Reversing: Malicious Document Analysis: Example 1
- Microsoft: Hunting for potential network beaconing patterns using Apache Spark via Azure Synapse – Part 1
- rivitna: Python programs for malware families (BlackMatter)
- sroberts: Getting Started with Synapse
- Cas van Cooten: Windows & Active Directory Exploitation Cheat Sheet and Command Reference
- Splunk: Detecting IcedID… Could It Be A Trickbot Copycat?
- Binary Reverse Engineering Blog: Analysing TA551/Shathak Malspam With Binary Refinery
- FalconForce: BOF2shellcode — a tutorial converting a stand-alone BOF loader into shellcode
- CounterCraft: Shellcode Detection Using Real-Time Kernel Monitoring
- weslambert: Security Onion + Automation + Response Lab including n8n and Velociraptor
Breaches, Government, and Law Enforcement
- INTERPOL: INTERPOL-led operation takes down prolific cybercrime ring
- US Dept of State: Reward Offers for Information to Bring DarkSide Ransomware Variant Co-Conspirators to Justice
- Flashpoint: BlackMatter Ransomware Announces Its End, Leaving the Question of When—Not If—Its Operators Will Resurface
- ZDNet: Senators add CISA cyberattack/ransomware reporting amendment to defense bill
- Lawfare: The Pros and Cons of Mandating Reporting From Ransomware Victims
- Data Breach Today: US DOJ: Continue to Expect Arrests, Ransom Payment Seizures
- SSU: SSU identified FSB hackers who carried out more than 5,000 cyberattacks on state bodies of Ukraine (video)
- US DOJ: Jury Convicts Chinese Intelligence Officer of Espionage Crimes, Attempting to Steal Trade Secrets
- Breaking Defense: Nakasone: Cold War-style deterrence ‘does not comport to cyberspace’
Vulnerabilities and Exploits
- CISA: Cisco Releases Security Updates for Multiple Products
- CISA: Vulnerability Summary for the Week of October 25, 2021
- DHS: Binding Operational Directive 22-01 – Reducing the Significant Risk of Known Exploited Vulnerabilities
- Splunk: CISA’s Known Exploited Vulnerabilities Catalog and Splunk
- Malwarebytes: Google patches zero-day vulnerability, and others, in Android
- SANS ISC: Revisiting BrakTooth: Two Months Later
- SentinelLabs: CVE-2021-43267: Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution
- ZecOps: How iOS Malware Can Spy on Users Silently?