Hello and welcome to Sec Soup, where the weekly newsletter has a collection of infosec links to Tools & Tips, Threat Research, and more! The focus trends toward DFIR and threat intelligence, but general information security and hacking-related topics are included as well. This list is neither vetted nor intended to be an exhaustive source. Keeping up with the enormous volume of security-related information is a daunting task, but this is my way of filtering the most useful items and improving the signal-to-noise ratio. Happy Reading!
Industry Reports, News, and Miscellany
- Microsoft: Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server
- Check Point: The New Era of Hacktivism – State-Mobilized Hacktivism Proliferates to the West and Beyond
- Red Canary: A brief history of security testing
- Krebs: Fake CISO Profiles on LinkedIn Target Fortune 500s
- CISA: Hurricane-Related Scams
Threat Research
- CrowdStrike: CrowdStrike Falcon Platform Identifies Supply Chain Attack via a Trojanized Comm100 Chat Installer
- Mandiant: Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors
- Recorded Future: Semiconductor Companies Targeted by Ransomware
- Lumen: Chaos is a Go-based Swiss army knife of malware
- Microsoft: ZINC weaponizing open-source software
- Zscaler: Agent Tesla RAT Delivered by Quantum Builder With New TTPs
- ESET: Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium
- Fortinet: Ransomware Roundup: Bisamware and Chile Locker
- Securelist: Prilex: Brazilian PoS malware evolution
- Securelist: NullMixer drops Redline Stealer, SmokeLoader and other malware
- Symantec: Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East
- Cisco Talos: New campaign uses government, union-themed lures to deliver Cobalt Strike beacons
- Blackberry: DJVU: The Ransomware That Seems Strangely Familiar…
- PAN Unit42: More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID
- The DFIR Report: BumbleBee: Round Two
- BushidoToken: Brute Ratel cracked and shared across the Cybercriminal Underground
- Walmart: Diavol resurfaces
- Sucuri: New Malware Variants Serve Bogus CloudFlare DDoS Captcha
- Team Cymru: Seychelles, Seychelles, on the C(2) Shore: An overview of a bulletproof hosting provider named ELITETEAM.
- Cluster25: In the footsteps of the Fancy Bear: PowerPoint mouse-over event abused to deliver Graphite implants
Tools and Tips
- SpecterOps: On Detection: Tactical to Functional
- Mandiant: Bad VIB(E)s Part Two: Detection and Hardening within ESXi Hypervisors
- SANS ISC: PNG Analysis
- SANS ISC: Easy Python Sandbox Detection
- Open Source DFIR: Plaso 20220930 released
- PAN Unit42: Hunting for Unsigned DLLs to Find APTs
- SANS: Emulate Shellcode with Radare2
- Trusted Sec: Hardening Backups Against Ransomware
- Collier Jam: Driving Threat Intelligence the Right Way
- Securonix: Detecting STEEP#MAVERICK: New Covert Attack Campaign Targeting Military Contractors
- Microsoft: Forensic artifacts in Office 365 and where to find them
- Gigamon: Investigating Web Shells
- VirusTotal: VT Collections: citius, altius, fortius – communiter
- gkucherin: de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#
Breaches, Government, and Law Enforcement
- Recorded Future: 1 Key for 1 Lock: The Chinese Communist Party’s Strategy for Targeted Propaganda
- FCC: FCC To Start New Robotext Proceeding
- Digital Shadows: Dark Web Recruitment: How Ransomware Groups Hire Cybercriminal Talent
- BleepingComputer: Germany arrests hacker for stealing €4 million via phishing attacks
- The Record: U.S. fails in bid to extradite Brit for helping North Korea evade sanctions with cryptocurrency
- Data Breach Today: Microsoft 365 Email Hack Led to American Airlines Breach
- Trellix: Dismantling a Prolific Cybercriminal Empire: REvil Arrests and Reemergence
- Reuters: How the CIA failed Iranian spies in its secret war with Tehran
Vulnerabilities and Exploits
- Microsoft: Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082
- GTSC: Warning: New attack campaign utilized a new 0-day RCE vulnerability on Microsoft Exchange Server
- DoublePulsar: ProxyNotShell— the story of the claimed zero days in Microsoft Exchange
- Fortinet: Microsoft Exchange 0-Day Vulnerability Updates
- Securelist: https://securelist.com/the-secrets-of-schneider-electrics-umas-protocol/107435/
- Cisco Talos: Threat Advisory: Microsoft warns of actively exploited vulnerabilities in Exchange Server
- SANS ISC: Exchange Server 0-Day Actively Exploited
- Expel: Emerging Threats: Microsoft Exchange On-Prem Zero-Days
- Krebs: Microsoft: Two New 0-Day Flaws in Exchange Server
- Nucleus: CISA Known Exploited Vulnerabilities Breakdown