Hello and welcome to Sec Soup, where the weekly newsletter has a collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is not vetted nor intended to be an exhaustive source. Keeping up with the enormous volume of security-related information is a daunting task, but this is my way of filtering the most useful items and improving the signal-to-noise ratio. Happy Reading!
Industry Reports, News, and Miscellany
- Fortinet: Vaccine Passports for Sale on the Dark Web
- Kaspersky: Incident response analyst report 2020
- Dragos: Cyber Threats to Global Electric Sector on the Rise
- red canary: Intelligence Insights: September 2021
- PhishLabs: Financial Services: The Top Tools and Tactics Used to Execute Phishing Attacks
- CISA: CISA, FBI, and NSA Release Joint Cybersecurity Advisory on Conti Ransomware
- Intel471: Manufacturers should focus on protecting their supply chains
- Intrusion Truth: Hello Lionel Richie
- MIT Technology Review: 2021 has broken the record for zero-day hacking attacks
- Data Breach Today: Karma Seeks Free Publicity to Fulfill Ransomware Destiny
Threat Research
- CrowdStrike: Shining a Light on DarkOxide: A Technical Analysis
- Netskope: BazarLoader: Using LoLBins through Office Documents to Deliver Payloads
- eSentire: Ransomware Hackers Attack a Top Safety Testing Org. Using Tactics and…
- RiskIQ: “Bom” Skimmer is Magecart Group 7’s Latest Model
- Recorded Future: China-Linked TAG-28 Targets India’s “The Times Group” and Government
- ESET: FamousSparrow: A suspicious hotel guest
- Cisco Talos: Operation “Armor Piercer:” Targeted attacks in the Indian subcontinent using commercial RATs
- Cisco Talos: TinyTurla – Turla deploys new malware to keep a secret backdoor on victim machines
- Cybereason: Threat Analysis Report: PrintNightmare and Magniber Ransomware
- McAfee: Malicious PowerPoint Documents on the Rise
- Blackberry: Threat Thursday: BlackMatter RaaS – Darker Than DarkSide?
- DeepInstinct: LockBit 2.0 Ransomware Becomes LockFile Ransomware with a Never-Before-Seen Encryption Method
- SecureWorks: REvil ransomware reemerges after shutdown; universal decryptor released
- Google: Financially motivated actor breaks certificate parsing to avoid detection
- Morphisec: New Jupyter Evasive Delivery through MSI Installer
- Trend Micro: Examining the Cring Ransomware Techniques
- Trend Micro: Cryptominer z0Miner Uses Newly Discovered Vulnerability CVE-2021-26084 to Its Advantage
- Trend Micro: Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads
- Microsoft: Catching the big fish: Analyzing a large-scale phishing-as-a-service operation
- Eli Salem: The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”
Tools and Tips
- Netskope: A Real-World Look at AWS Best Practices: Logging
- CrowdStrike: Introducing SuperMem: A Free Incident Response Tool
- Kaspersky: New evasion technique in CLR and how to detect it
- SANS ISC: Video: Strings Analysis: VBA & Excel4 Maldoc
- SANS ISC: Excel Recipe: Some VBA Code with a Touch of Excel4 Macro
- expel: How we use VMRay to support Expel for Phishing
- SentinelLabs: Defeating macOS Malware Anti-Analysis Tricks with Radare2
- F5: Protecting Critical Systems with Isolation and Jump Boxes
- NVISO Labs: Building an ICS Firing Range – Part 2 (Defcon 29 ICS Village)
- Microsoft: A guide to combatting human-operated ransomware: Part 1
- Michael Koczwara: Monitoring Threat Actors Cobalt Strike C2 Infrastructure with Shodan
- Michael Koczwara: Hunting “Legit” Red Teams C2 Infrastructure
- Counter Craft: Escaping Docker Privileged Containers for Mining Crypto Currencies
- Curated Intelligence: Vermilion Strike YARA rules
- Microsoft: Hunting for OMI Vulnerability Exploitation with Azure Sentinel
- Vikas Singh: Create a Super Timeline with TACTICAL/IREC Triage Image
- InfoSecSherpa: Using Google Alerts
- Security Onion: Quick Malware Analysis: Qakbot pcap from 2021-09-20
- Sky Blueteam: Scanning VirusTotal’s firehose
- shabarkin: The Pointer was developed for hunting and mapping Cobalt Strike servers exposed to the Internet
- stuhli: Awesome Event IDs
- cyberdefenders: Obfuscated Malicious Document Challenge
Breaches, Government, and Law Enforcement
- The Washington Post: FBI held back ransomware decryption key from businesses to run operation targeting hackers
- The New York Times: Spies for Hire: China’s New Breed of Hackers Blends Espionage and Entrepreneurship
- US DOT: Treasury Takes Robust Actions to Counter Ransomware
- Flashpoint: Why the New AlphaBay Matters: Anonymity, Cryptocurrency, and the Future of Illicit Marketplaces
- Europol: 106 arrested in a sting against online fraudsters
- Krebs: Indictment, Lawsuits Revive Trump-Alfa Bank Story
- CISA: CISA Releases Guidance: IPv6 Considerations for TIC 3.0
- BleepingComputer: Second farming cooperative shut down by ransomware this week
- The Record: Hackers leak LinkedIn 700 million data scrape
- The Record: EU formally blames Russia for GhostWriter influence operation
- US DOJ: Illinois Man Convicted of Federal Criminal Charges for Operating Subscription-Based Computer Attack Platforms
- Chainalysis: Chainalysis in Action: OFAC Sanctions Russian Cryptocurrency OTC Suex that Received Over $160 million from Ransomware Attackers, Scammers, and Darknet Markets
Vulnerabilities and Exploits
- CIS: Multiple Vulnerabilities in VMware vCenter Server Could Allow for Remote Code Execution
- Malwarebytes: SonicWall warns users to patch critical vulnerability “as soon as possible”
- CISA: Vulnerability Summary for the Week of September 13, 2021
- CISA: VMware vCenter Server Vulnerability CVE-2021-22005 Under Active Exploit
- Habr: Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program
- The Record: Researcher dumps three iOS zero-days after Apple failed to fix issues for months
- SANS: What You Need to Know about CVE-2021-30860 aka FORCEDENTRY
- Huntress: The Top Four CVEs Attackers Exploit
- HackerChai: Analysis of CVE-2021-35211 (Part 1)
- VMware: VMSA-2021-0020: Questions & Answers
- Censys: VMware CVE-2021-22005 Technical & Impact analysis
- testanull: CVE-2021-22005_POC