Teaching in Canberra this coming week so my sections may be links only, we’ll see how I go.
Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Bryan Ambrose at Data Digitally demonstrates a process for acquiring a memory image from a remote host
Retrieving a Memory image Remotely
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’ continues his investigation into the AvtoVAZ group's photograph alterations
Fraud and Deception (Part 5): Distribution
- Mattia Epifani posts on the Elcomsoft blog describing the large amount of data that can be discerned from an Apple Watch
Apple Watch Forensics 02: Analysis
- Gary at Salt Forensics shares details of some interesting information that could be identified in previous versions of the iOS Evernote app, including the geolocation of a note's creator.
Evernote for iOS
- Mike Williamson walks through the decryption process for files stored within the Private Photo Vault iOS app, given access to the master key, which is found in the keychain.
Photo Vault app still pwnable in 2019? An adventure in iOS RE
- SalvationData share a case study on using their SPF tool to acquire a physical image of a Qualcomm/MTK device
[Case Study] Mobile Forensics: Physical Extraction for Qualcomm and Mediatek Smartphone
THREAT INTELLIGENCE/HUNTING
- Web shells were discussed in multiple threat hunting blogs this week
  - Mor Levi, Assaf Dahan, and Amit Serper at Cybereason uncovered a Chinese-affiliated actor targeting specific persons by obtaining CDR records through telco compromise. (note from Lodrina: you can read the blog or check out my interview with the researchers at the top of the post)
  Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers
  - Ash Abdalhalim gives an intro to web shells and how to hunt for them, including timestamp and event indicators.
  Caught in the Web of Shells?
- Adam at Hexacorn shares a sneaky injection technique involving popup boxes.
Talking to, and handling (edit) boxes
- Kim Crawley at the AlienVault Security Essentials Blog covers basics around employee insider threats.
An overview on insider threat awareness
- Dave Kennedy at Binary Defense builds on recent Sysmon discussions with rule creation examples.
Using Sysmon and ETW For So Much More
- CERT EU announced a new threat intel platform called OpenCTI
Check out @CERTEU’s Tweet
- Martin Korman and Hadar Yudovich at DFIR Dudes identified that Windows Error Reporting files on Win10 also contain a SHA1 hash of the crashed process, which can be used for hunting.
AmCache is not alone; Using .WER files to hunt evil
- Sergio Caltagirone at Dragos gives examples of the importance of securing ICS due to the impact on human lives.
Escalating Cyber Tensions Risk Human Life
- Anton at Have You Secured? shows how to set up Elastic SIEM using Elastic and Kibana.
(Very) Basic Elastic SIEM Set up
- Marco Ramilli compares coding similarities between MuddyWater and APT34 samples.
Similarities and differences between MuddyWater and APT34
- Casey Smith and Michael Haag at Red Canary examine a malicious driver establishing persistence and pulling down DDoS and Monero miner components.
Tracking driver inventory to expose rootkits
- Threat Recon examines threat actor SectorC08 targeting Ukrainians through fake legal/military documents.
SectorC08: Multi-Layered SFX in Recent Campaigns Target Ukraine
UPCOMING WEBINARS/CONFERENCES
- John Gamble at Corelight introduces the July 9 webcast about IR and threat hunting in AWS.
Bring Network Security Monitoring to the Cloud with Corelight and Amazon VPC Traffic Mirroring
- DME Forensics will be hosting a continuation of their previous webinar on export formats on July 18, 2019 at 2:00 pm MST
July Feature Webinar: DVR Examiner Export Formats II
- Intezer hosts a webinar on July 10, 2019 on the Linux HiddenWasp malware.
Intezer Webinar on Linux malware
PRESENTATIONS/PODCASTS
- Veronica Schmitt interviewed BlakDayz for her “Behind the Incident” podcast/YouTube series
Behind The Incident – BlakDayz
- Black Hills Infosec shared a new card game that they’ve developed, Backdoors & Breaches.
Introducing: Backdoors & Breaches – Incident Response Card Game from Black Hills InfoSec
- There were a few videos shared on the BlackBag Technologies YouTube channel this week
- On this week’s Digital Forensic Survival Podcast, Michael describes the OWASP vulnerability category for “components with known vulnerabilities.”
DFSP # 175 – OWASP: Components with Known Vulnerabilities
- Dragos gave a recap of their recent webinar about securing ICS, including how to hunt for and respond to threats.
Rising Cyber Escalation Between US, Iran, and Russia: ICS Threats and Response
- MD5 shared a short video about their upcoming release of VFC
VFC5 Short Demo Video
- SANS shared the presentations from the recent Security Operations Summit
Security Operations Summit & Training 2019 (June 2019)
MALWARE
- Exploit Kits were back in a big way this week across multiple blogs
  - Brad Duncan at SANS ISC looks at the Rig EK delivering a trojan.
  Rig Exploit Kit sends Pitou.B Trojan, (Tue, Jun 25th)
  - Jérôme Segura at Malwarebytes Labs also looks at the rise of the Sundown exploit kit delivering ransomware.
  GreenFlash Sundown exploit kit expands via large malvertising campaign
  - Nick Biasini with Caitlyn Hammond at Cisco Talos look at exploit kits, including Spelevo EK.
  Welcome Spelevo: New exploit kit full of old tricks
  - Bianca Soare at the Heimdal Security Blog looks at how the Sundown exploit kit exploits unpatched Adobe and Internet Explorer installs to deliver ransomware.
  Security Alert: Malvertising campaign using SundownEK drops SEON ransomware
  - Joseph C Chen at TrendMicro also looks at the Sundown EK, beginning with the ShadowGate campaign back in 2015.
  ShadowGate Returns to Worldwide Operations With Evolved Greenflash Sundown Exploit Kit
- Arsh Arora at CyberCrime & Doing Time looks at a TrickBot sample being dropped by IcedID
TrickBot: New Injects, New Host
- Fortinet posted a few times this week
  - Joie Salvio examines the announced, supposed GandCrab shutdown.
  GandCrab Threat Actors Retire…Maybe
  - Rommel Joven looks at MageCart credit card skimmers.
  Inter: Skimmer For All
  - The FortiGuard SE group uncovered a spam campaign delivering the Ursnif banking trojan, with a high concentration of targets in the Netherlands.
  Undocumented Excel Variable Used in Malicious Spam Run Targeting Japanese Users
- G Data SecurityBlog looks at a Silentbruter trojan submission to app.any.run, which includes Windows and Linux binaries on the C2.
A further look at the “Silentbruter” malware – Internal folder structures revealed
- The Intezer blog shares how the HiddenWasp trojan/rootkit targets Linux systems.
HiddenWasp and the Emergence of Linux-based Threats
- Jérôme Segura at Malwarebytes Labs uncovers the purpose behind a fake jQuery campaign, apparently targeting mobile users.
Fake jquery campaign leads to malvertising and ad fraud schemes
- Darren Fitzpatrick, John Fokker, and Eamonn Ryan at McAfee Labs reflect on RDP security in light of recent RDP exploits.
RDP Security Explained
- Abhinav Singh at Netskope looks at malspam with an .iso attachment delivering RATs.
LokiBot & NanoCore being distributed via ISO disk image files
- Didier Stevens at NVISO Labs examines Symbolic Link (SYLK, .slk) files containing Excel data that can execute code.
Malicious SYLK Files with MS Excel 4.0 Macros
- Patrick Wardle at Objective-See did a three-part series on NetWire being dropped via Firefox, targeting a cryptocurrency exchange.
- Stefan Achleitner and Michael Huo at Palo Alto Networks look at X-VPN, which contains anti-censorship and anti-traffic-monitoring features.
Evasion of Security Policies by VPN Clients Poses Great Risk to Network Operators
- Rob VandenBrink had a couple of posts on processes at the SANS ISC Handler Diaries
  - Rob shares a script to audit running processes and find outliers that may not belong.
  The Other Side of CIS Critical Control 2 – Inventorying *Unwanted* Software, (Wed, Jun 26th)
  - Next, Rob looks at correlating processes using PowerShell.
  Finding the Gold in a Pile of Pennies – Long Tail Analysis in PowerShell, (Thu, Jun 27th)
  - And how to check suspicious process hashes against VT using PowerShell.
  Verifying Running Processes against VirusTotal – Domain-Wide, (Fri, Jun 28th)
- There were a few posts on Securelist this week
  - Tatyana Shishkova looks at the Riltok banking trojan, primarily targeting Russia and delivered by SMS.
  Riltok mobile Trojan: A banker with global reach
  - They examine Android spyware related to the ViceLeaker malware.
  ViceLeaker Operation: mobile espionage targeting Middle East
  - Konstantin Zykov looks at what may be targeted ATM malware, which Securelist dubs ATMJaDi.
  Criminals, ATMs and a cup of coffee
- Augusto Remillano II and Mark Vicente at TrendMicro look at a Golang spreader exploiting ThinkPHP, Drupal, and Atlassian Confluence.
Golang-based Spreader Used in a Cryptocurrency-Mining Malware Campaign
- Tamas Boczan at VMRay goes deep into one Ursnif variant.
Analyzing Ursnif’s Behavior Using a Malware Sandbox
MISCELLANEOUS
- Marco Fontani at Amped demonstrates how to use Amped Authenticate to batch process a number of images
Need to Process a Lot of Images But Time Is Short? Don’t Worry! Amped Authenticate Runs a Custom Set of Filters Offline and Caches Results For You
- Brett Shavers shares some recommendations for getting some balance in your life
Add a Dab of Balance in your DFIR World
- Keren Carmeli at Cellebrite describes some of the benefits of using their Virtual Analyzer tool
3 Reasons Why Virtual Analyzer Should Be in Every Digital Investigator’s Toolbox
- Christian at IT-Dad shares his thoughts on the Digital Forensics course on OpenLearn
Free IT Forensics Courses Part X – OpenLearn
- Cyber Forensicator share the link for the PoSh Hunter CTF
The PoSh Hunter CTF
- There’s a post on the Cyber Triage blog demonstrating how to use the tool to acquire arbitrary files from a system during an examination
How to Collect Arbitrary Files at Any Time During Incident Response
- Oleg Afonin at Elcomsoft describes the need for, and benefits of, training to interpret the artefacts extracted from devices
Digital Forensics: Training Required
- There were a couple of posts on Forensic Focus this week
  - Christa Miller recaps the recent Techno Security conference at Myrtle Beach
  Recap: Techno Security And Digital Forensics Conference Myrtle Beach 2019
  - Yuri Gubanov demonstrates how to use the cross-case search feature of BEC
  How To Use Cross-Case Search With Belkasoft Evidence Center
  - They also continued their ‘What’s Happening In Forensics’ series
- Cindy Murphy was interviewed on Idea Mensch
- Chris Crowley shared his action items from the presentations at the recent SANS SOC Summit
2019 SOC Summit – Day 1 Action Items
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week
Weekly News Roundup — June 23 to June 29
SOFTWARE UPDATES
- Cellebrite released UFED PA 7.20.
Enhancements and Product Fixes – UFED Physical Analyzer 7.20
- Cyber Triage v2.8 was released
- KAPE 0.8.5.0 was released
Kape Changelog
- Eric Zimmerman updated Timeline Explorer, WxTCmd, SDB Explorer, ShellBags Explorer, JumpList Explorer, Hasher, EZViewer, Get-ZimmermanTools, EvtxECmd, and iisGeolocate
ChangeLog
- ExifTool 11.53 was released with new tags and bug fixes
ExifTool 11.53 – “Exif 2.32”
- GetData released Forensic Explorer v4.6.8.8654
28 June 2019 – 4.6.8.8654
- Magnet Forensics updated Axiom to v3.3, adding a number of enhancements and fixes
Magnet AXIOM 3.3 Includes SIM Card Support and Updates to Warrant Returns
- MSAB updated XRY 8.0, XAMN 4.3 and XEC Director 5.1
Now released: XRY 8.0, XAMN 4.3 and XEC Director 5.1
- Radare2 v3.6.0 was released
3.6.0 – EGO
- Regipy v1.2.3 was released
Version 1.2.3
- SalvationData released SPF Pro V6.92.30
[Software Update] Mobile Forensics: SPF Pro V6.92.30 New Version Release for Better User Experience!
- Ulf Frisk released MemProcFS version 2.7
Version 2.7
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!