Thanks to those who reached out to say they’ve donated. Celeste Barber has already raised over $50,000,000. You can add to it here.
Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections. Unfortunately it was a big week and she was busy, so those sections are links only!
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shares some thoughts on smartphone acquisition as well as his process for acquiring an iOS device in BFU state using the checkra1n jailbreak
- Andrea Lazzarotto demonstrates how to acquire pages from archival sites like Archive.org’s Wayback Machine and how to use an API to obtain even more data from sites like Instagram
  Acquisizione forense di un profilo Instagram
- Oleg Afonin at Elcomsoft analyses the security of the Thecus NAS devices
  Attached Storage Forensics: Security Analysis of Thecus NAS
- Jon Baumann at Ciofeca Forensics has updated his iOS notes parser
  Revisiting Apple Notes (1): Improved Note Parsing
- Yogesh Khatri at ‘Swift Forensics’ looks at processing Usagestats on Android 10, which is stored in protobuf format
  Usagestats on Android 10 (Q)
THREAT INTELLIGENCE/HUNTING
- Record number of threat intelligence and hunting posts this week. Unsurprisingly, many blogs talked about Iranian threats or APT groups, which is great because it’s probably the most kitten references ever in ThisWeekin4n6:
  - Check out the attempted recruiting of US security researcher Chris Kubecka, as written up by Sean Gallagher at Ars Technica, which goes beyond APTs and IOCs.
    Iran courted US security expert for years, seeking industrial hacking training
  - Eric Poynton at Awake Security
    The Looming Threat of Asymmetric Cyber Warfare with Iran
  - Jake Aurand at Binary Defense
    IP Addresses From Iran Target Texas
  - Nick Biasini at Cisco
    Continued Escalation of Tensions in the Middle East
  - ClearSky Cyber Security
    PowDesk: Targeted APT34 Campaign Against LANDesk Users
  - Gary Warner at CyberCrime & Doing Time
    Iranian APT Group Overview
  - Allie Mellen at Cybereason
    Is Cyber Retaliation From Iran Imminent?
  - Deriving Cyber Threat Intelligence and Threat Hunting with IOCs
    APT34 WebShell Filenames
  - Rick Holland at Digital Shadows
    Iranian Cyber Threats: Practical Advice for Security Professionals
  - Richard Gold at Digital Shadows
    Iranian APT Groups’ Tradecraft Styles: Using Mitre ATT&CK™ and the ASD Essential 8
  - Harrison Van Riper at Digital Shadows
    Iran and Soleimani: Monitoring the Situation
  - JagaimoKawaii at lab52
    ICEFog APT Group abusing recent conflict between Iran and USA
  - Palo Alto Networks
    Threat Brief: Iranian-Linked Cyber Operations
- Chris Brenton at Active Countermeasures
  How to Use Zeek to Catch Data Exfiltration With a Single Command – Video Blog
- Ben Bornholm at HoldMyBeer
  Detecting SSH brute forcing with Zeek
- Ben Bornholm (more!) at HoldMyBeer
  Detecting malicious downloads with Osquery, Rsyslog, Kafka, Python3, and VirusTotal
- Garrett Thompson at Binary Defense
  Lazarus Group Carries Out Continuation of Operation AppleJeus
- Black Room Security with an exploit series this week:
- Sergio Caltagirone at Dragos
  Threat Detection Using ICS-ATT&CK and the Dragos Platform
- A summary of the Dragos North American Electric Cyber Threat Perspective
  The State of Threats to Electric Entities in North America
- Will Yu at Elasticsearch
  Mac system extensions for threat detection: Part 1
- Huseyin Rencber at Medium (in Turkish)
  Dns Tünelleme Tespiti ve Engellenmesi
- Otis Alexander at MITRE ATT&CK
  Launching ATT&CK for ICS
- Action Dan at LockBoxx
  3 Principles of Red Teaming
- Nextron Systems
  THOR Integration into Windows Defender ATP
- Pentestlab on Persistence
  Persistence – AppInit DLLs
- Pentestlab (more!) on Persistence
  Persistence – Change Default File Association
- John Althouse at Salesforce Engineering
  Finding Evil on the Network Using JA3/S and HASSH
- Kaspersky Securelist
  Operation AppleJeus Sequel
- Trey George at The PhishLabs Blog
  Threat Actor Abuses Mobile Sensor to Evade Detection
- Kevin Haubris at TrustedSec
  SELinux and Auditd
- Tyler Hudak at TrustedSec
  NetScaler Remote Code Execution Forensics
- Shachar Roitman at Verint Cyber Engineering
  Linux Threat Hunting Primer — Part II
- JW at Wilbur Security
  Tridium Niagara Vulnerabilities
UPCOMING WEBINARS/CONFERENCES
- Wild West Hackin’ Fest – Way West, San Diego has been announced. The conference will be held March 11-13 at Wyndham San Diego Bayside (with pre-conference training March 10-11). Blackhills have also generously thrown you all a discount code (THISWEEKIN4N6) for 10% off registration.
  Wild West Hackin’ Fest
- Rich Frawley at ADF will be hosting a webinar on triage on Thursday, January 16, 2020
  Benefits of Digital Forensic Triage
- The CFP for ADFSL, hosted in Las Vegas on 27-28 May 2019, has opened. The deadline for submissions is 11:59 p.m. EST, 31 January 2020.
  ADFSL 2020 Conference on Digital Forensics, Security and Law
- Kent Hoffman and Henk-Jan Lamfers will be hosting a webinar on Foclar Impress on Thursday, 16 January 2020, at 2:00 PM (GMT-5)
  Foclar – Video Enhancement and Analysis
- Blackhills Info Sec will be hosting a webinar on “bypassing endpoint security products” on Jan 9, 2020 at 2:00 PM EST
  Sacred Cash Cow Tipping 2020
- Input Ace are hosting a webinar on video forensics on Tue, Jan 28, 2020 at 6:00 PM
  The Democratization of Video Evidence: Equipping Investigators with Modern Tools and Know-How
PRESENTATIONS/PODCASTS
- Presentations from Black Hat 2019 were uploaded to Youtube
- Black Hills Information Security shared a few webcasts and presentations
- BlackBag Technologies shared their recent webcast on Apple iCloud productions
  Ask the Expert: Apple iCloud Productions
- Andrew Thompson was a guest on this week’s Detections Podcast to talk about his recent flame war surrounding the public sharing of offensive security tools
  Episode 7: Dead OST Society
- On this week’s Digital Forensic Survival Podcast, Michael talked about self-improvement and goals to consider
  DFSP # 203 – Profile of a modern analyst
- Matt and Dave returned for the Forensic Lunch, along with guest Lee Whitfield, to talk about Matt’s work on real-time monitoring, the DFIR and Cloud Summits, the Forensic 4Cast awards and more.
  Forensic Lunch 1/10/20
- OALabs uploaded a video demonstrating UnpacMe
  UnpacMe Automated Malware Unpacking – How We Built It and Why
- Richard Frawley at ADF shared a video demonstrating “how to image from either the Desktop tool or the USB device (Collection Key) on a Boot and Live Scan.”
  How-To Image on a Boot and Live Scan
- Salesforce shared a tech talk on “Finding Evil on the Network Using JA3 & HASSH”
  Salesforce Tech Talks: Finding Evil on the Network Using JA3 & HASSH
MALWARE
- Nathan Collier at Malwarebytes broke the story about phones for low-income Americans coming with unremovable malware. Just like this week’s top threat hunting pick, Ars Technica also has a great writeup.
  United States government-funded phones come pre-installed with unremovable malware
- 0verfl0w_ at 0ffset
  Finding the Needle In The Haystack: MemLabs Lab-1
- Garrett Thompson at Binary Defense
  New Trickbot Powershell stager “PowerTrick” for High-Value-Targets
- Liviu Arsene at Bitdefender Labs
  Hold My Beer Mirai – Spinoff Named ‘LiquorBot’ Incorporates Cryptomining
- Check out @subTee’s tweet on Cross Process Injection
- Steven Cardinal on Cofense Podcast
  Phish Fryday – The Latest on Emotet
- Masaki Kasuya at Cylance
  Threat Spotlight: Amadey Bot Targets Non-Russian Users
- Didier Stevens on malicious ZIPs
  Analysis Of Unusual ZIP Files
- Sandor Nemes and Zander Work at FireEye
  SAIGON, the Mysterious Ursnif Fork
- Yueh-Ting Chen at Fortinet
  Predator the Thief: Analysis of Recent Versions
- Derek Kleinhen at Kindred Security
  The Basics of Packed Malware: Manually Unpacking UPX Executables
- Malwarebytes had a few posts this week:
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
  - A Quick Update on Scanning for CVE-2019-19781 (Citrix ADC / Gateway Vulnerability), (Tue, Jan 7th)
  - etl2pcapng: Convert .etl Capture Files To .pcapng Format, (Sun, Jan 5th)
  - Increase in Number of Sources January 3rd and 4th: spoofed, (Mon, Jan 6th)
  - More Data Exfiltration, (Fri, Jan 10th)
  - Quick Analyzis of a(nother) Maldoc, (Thu, Jan 9th)
  - Citrix ADC Exploits are Public and Heavily Used. Attempts to Install Backdoor, (Sat, Jan 11th)
- Vitali Kremez, Joshua Platt, and Jason Reaves at SentinelLabs
  Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets
- Satnam Narang at Tenable
  CVE-2019-11510: Critical Pulse Connect Secure Vulnerability Used in Sodinokibi Ransomware Attacks
- Ecular Xu and Joseph C Chen at TrendMicro
  First Active Attack Exploiting CVE-2019-2215 Found on Google Play, Linked to SideWinder APT Group
- Bruno Oliveira at Trustwave SpiderLabs
  Windows Debugging & Exploiting Part 3: WinDBG Time Travel Debugging
- Virus Bulletin continues a hefty post volume without Martijn Grooten:
MISCELLANEOUS
- Alexis Brignoni at ‘Initialization Vectors’ shares his gratitude for those that have helped iLEAPP become a reality. I hope that the project grows and more people’s profiles appear on this page, and it’s an honour to have helped Alexis help us all!
  Awesome Friends!
- Marco Fontani at Amped demonstrates Authenticate’s command line options
  Tired of Clicking? Learn How to Use Amped Authenticate’s Command Line Interface to Quickly Analyze or Triage Lots of Images!
- attackd0gz-sec has a Twitter news roundup this week.
  DFIR Review
- Joe Security describe their “Deep .NET tracing” feature
  Dissecting Agent Tesla with Deep .NET Tracing
- Or Begam and Natanel Alkalai at Cellebrite describe their location carving features in UFED PA
  Location Carving—A Key Driver For Solving Crimes
- There were a few posts on Forensic Focus this week
  - How To Analyze Call Data Records In Oxygen Forensic Detective
  - Sarah Hargreaves, Director of International Training, AccessData
  - Interview With Jason Bailey, Director Of Product Management, OpenText
  - Interview With Jeff Hedlesky, Forensic Evangelist For Tableau Hardware, OpenText
  - Forensic Acquisition Of Modern Evidence
  - Register For Webinar: Real-Time Corporate Investigations
  - They also continued their ‘What’s Happening In Forensics’ series
- Raj Chandel at Hacking Articles walks through the steps for processing social networking data with Magnet’s IEF
  Forensic Investigation of Social Networking Evidence using IEF
- “MantaRay Forensics will release 2019 Q4 Update 01 VirusShare (372-374) refined hash set Monday, 13 Jan 2020.”
  Check out @MantaRay4ensics’s tweet
- Greg Kipper at Paraben Corporation shared an update of their achievements in 2019, as well as some general DFIR predictions for 2020
  2020 DFIR Predictions & Innovations
- Patrick J. Siewert at Pro Digital Forensic Consulting comments on some theoretical challenges to digital evidence and how they apply to practical examinations. As he correctly states, some process changes have been made to avoid questioning by non-technical parties during litigation: by sanitising media we eliminate the potential for questioning, not because there is a strong technical reason to do so.
  Digital Forensics: Theory vs. Practice
- Gina Cristiano at ADF described the company’s culture code
  ADF Introduces the Culture Code
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the last couple of weeks
SOFTWARE UPDATES
- Alexis Brignoni at ‘Initialization Vectors’ released some updates to iLEAPP
- Arsenal Recon “launched ODC Recon v1.0.0.40, with a new GUI and enhancements to FSD processing”
  Check out @ArsenalRecon’s tweet
- Atola updated their Insight Forensic software to v4.15.1 to fix a bug
  Atola Insight Forensic 4.15.1
- Thomas Patzke released a dockerized ELK environment with security datasets
  Check out @blubbfiction’s tweet
- Cyber Triage v2.11 was released
  Version 2.11 Features: Investigation History, Timeline Filtering, and More!
- Eric Zimmerman updated Timeline Explorer, MFTECmd, bstrings, and Registry Explorer
  ChangeLog
- ExifTool 11.84 was released with new tags and bug fixes
  ExifTool 11.84
- The forensicanalysis GitHub account released artifactcollector, which is a Go-based forensic artifact acquisition utility
  forensicanalysis
- GetData released Forensic Explorer v5.1.2.9254
  06 January 2020 – 5.1.2.9254
- Jannis Kirschner released a plugin for Cutter to “apply YARA rules to your Cutter projects.”
  Cutter-Yara-Plugin
- Maxim Suhanov updated his dfir_ntfs file system parser to v1.0.1
  1.0.1
- Metaspike updated their Remote Authenticator to v1.11.1
  Remote Authenticator v1.11.1
- Nirsoft released a new tool for viewing Chrome and Firefox download histories
  View Chrome and Firefox downloads with BrowserDownloadsView
- Passmark Software released OSForensics V7.1 build 1004
  V7.1 build 1004 6th January 2020
- Phil Hagen updated his ip2geo script to accommodate some recent changes to Maxmind
  Check out @PhilHagen’s tweet
- SalvationData have released a new product, iSee, which is a big data visualisation product
  [Product Launch] Technology Contains Wisdom, Big Data Visualization Analytics – iSee Cloud Platform is Officially Released!
- X-Ways Forensics 19.9 SR-2 was released
  X-Ways Forensics 19.9 SR-2
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!