Australian fire update; We’ve had a bit of rain just recently which is positive, but the fires are still ongoing and the air quality varies day-to-day. If you’d like to donate a couple of good places to start are the RFS and the Red Cross; Celeste Barber added an extra million over the last week, now up to $51mil.
Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Oleg Skulkin at Blog Group-IB writes about what Nextcloud artifacts look like on disk
Hunting for Nextcloud Cloud Storage Forensic Artifacts on Endpoints
- Roey Arato at Cellebrite describes the supported devices for full file system acquisition using Checkm8
A Practical Guide to Checkm8
- Oleg Afonin at Elcomsoft wrote a few interesting articles this week
- Jon Baumann at Ciofeca Forensics continues his series on parsing Apple Notes data
- SalvationData have written a post on recovering audio from various formats
[Case Study] Computer Forensics: How to Recover Evidentiary Data from Different Audio Files?
- Sarah Edwards at Mac4n6 describes some of the contextual data that is available through the knowledgeC database
Providing Context to iOS App Usage with knowledgeC.db and APOLLO
- Lee Reiber at ‘The Mobile Device Examiner’ took a look at a mobile device running KaiOS
Burning the new Burner (Part 1 of 2)
THREAT INTELLIGENCE/HUNTING
- Iran still made blog headlines
- Blackorbird shares a summary of Iranian APTs and IOCs.
APT_REPORT/International Strategic/Iran
- CheckPoint Research podcast on Domestic Kitten (17 mins)
[CPRadio] Domestic Kitten: An Iranian Surveillance Operation
- Marco Ramilli correlates MITRE ATT&CK with Malpedia
Iranian Threat Actors: Preliminary Analysis
- Jake Williams at Rendition Infosec breaks down the Saudi National Cybersecurity Authority report in a 21 minute video
New Destructive Iranian Cyberattack – “Dustman”
- Jake Williams and Brandon McCrillis at Rendition Infosec discuss more about Iran in a 17 minute video
Updating The Iranian Cyber Threat Assessment
- Jake Williams, Brandon Helms, and Brandon McCrillis at Rendition Infosec with a 12 minute video on the Iranian threat
Assessing the Iran Cyber Threat
- Limor Kessem at Security Intelligence on Dustman [note: no Iran mention here, see the Rendition Infosec post in this section for details]
Enter Dustman: New Wiper Takes After ZeroCleare, Targets Organizations in Saudi Arabia
- And everyone wrote about the important CryptoAPI and Citrix CVEs:
- Palo Alto Networks Threat Brief
Threat Brief: Windows CryptoAPI Spoofing Vulnerability CVE-2020-0601
- Palo Alto Networks
Exploits in the Wild for Citrix ADC and Citrix Gateway Directory Traversal Vulnerability CVE-2019-19781
- Zscaler
Critical Windows Update – CryptoAPI Spoofing, Windows Remote Desktop vulnerabilities
- Carbon Black
Using Live Query to Audit Your Environment for the Windows CryptoAPI Spoofing Vulnerability
- Microsoft Security Response Center
January 2020 security updates are available!
- Awake Security
Citrix Gateway Vulnerability (CVE-2019-19781) Analysis
- Digital Shadows
CVE-2019-19781: Analyzing the Exploit
- FireEye Threat Research
404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor
- Nextron Systems
Automated Citrix Netscaler Forensic Analysis with THOR
- TrustedSec
NetScaler Honeypot
- Trustwave SpiderLabs
Citrix ADC/Netscaler – CVE-2019-19781
- Microsoft Security Response Center
January 2020 Security Updates: CVE-2020-0601
- Kryptos Logic
RDP to RCE: When Fragmentation Goes Wrong
- Didier Stevens
Using CveEventWrite From VBA (CVE-2020-0601)
- Maarten Goet
Detecting CVE-2020–0601 and other attempts to exploit known vulnerabilities using Azure Sentinel
- Mike at ØSecurity
Windows Event Log – Audit-CVE
- Netskope
Microsoft CryptoAPI Spoofing (CVE-2020-0601)
- Corelight
Day 1 Detection: CVE-2020-0601, a community, and 40 Lines of code
- SANS
SPECIAL SANS WEBCAST: What you need to know about the Crypt32.dll / CryptoAPI Flaw
- Trail of Bits Blog
Exploiting the Windows CryptoAPI Vulnerability
- Trustwave SpiderLabs
Windows CryptoAPI Spoofing Vulnerability – CVE-2020-0601
- SANS ISC
CVE-2020-0601 Followup, (Wed, Jan 15th)
- SANS ISC
Summing up CVE-2020-0601, or the Let’s Decrypt vulnerability, (Thu, Jan 16th)
- Fernando Martinez at AlienVault Labs on a look back at 2019
Alien Labs 2019 Analysis of Threat Groups Molerats and APT-C-37
- Brad Duncan at Malware Traffic Analysis has posted some additional packet captures for analysis
- CheckPoint Research on ATT&CK
- Christian Demko at /var/log/messages on AWS security
Misadventures in AWS
- Austin Scott at Dragos looks at ATT&CK for ICS
A Closer Look at MITRE ATT&CK for ICS
- Will Yu at Elasticsearch with Mac threat hunting
Mac system extensions for threat detection: Part 2
- Ruud van Luijk at Fox-IT on beaconing
Hunting for beacons
- Aleksandar Milenkoski at insinuator.net on ETW monitoring (psst, if you were watching David Cowen’s latest Forensic Lunch, you heard a lot of discussion about this!)
Windows Insight: The Windows Telemetry ETW Monitor
- Intrusion Truth with news about various APTs
- lab52 shared a few APT posts as well
- Matthieu Suiche on an Android browser susceptible to MiTM attacks
Alarming Number of UC Browser Users Vulnerable to MiTM Attacks
- Russell McDonald at Microsoft Azure Security writes about coin mining on Linux
Learning from cryptocurrency mining attack scripts on Linux
- Erik Hjelmvik at Netresec on “how TLS interception can be used to decrypt and analyze malicious HTTPS network traffic.”
Sharing a PCAP with Decrypted HTTPS
- Jonas Bauters on the recent Red Teaming debate
Thoughts on the recent Red Team debate
- Penetration Testing Lab wrote about persistence this week
- Chuck Frey at Red Canary writes about an AutoIT worm with similarities to “Retadup.”
Uncompromised: An AutoIT worm living off the land
- Jake Williams at Rendition Infosec breaks down the Saudi National Cybersecurity Authority report in a 21 minute video
Potential Cyber Insurance Issues
- Robin Moffatt on Kafka and KSQL
- Guy Bruneau at SANS ISC on visualizing data from Didier’s tcp-honeypot.
ELK Dashboard and Logstash parser for tcp-honeypot Logs, (Sun, Jan 12th)
- Jeff Bollinger and William Sheldon at Cisco’s CSIRT look at attackers abusing .IMG files
Disk Image Deception
- Sophos with two threat intelligence posts this week:
- Matt Hand at SpecterOps examines Mimidrv
Mimidrv In Depth: Exploring Mimikatz’s Kernel Driver
- ThreatRecon details the past year of SectorD activity
Hacking Activity of SectorD Group in 2019
- Virus Bulletin releases Denis Legezo’s VB2019 presentation
VB2019 presentation: Targeted attacks through ISPs
UPCOMING WEBINARS/CONFERENCES
- Black Hills Information Security will be hosting a webinar with Bill Sterns from Active Countermeasures on building cheap network sensors on Jan 16, 2020 2:00 PM EST
How to use a Raspberry Pi as a Network Sensor
- Ryan Ammerman at Cellebrite will be hosting a webinar on the recent UFED PA update on January 29, 2020 at 10am (New York)
The 7.28 update: Checkm8, Watchlists, and more!
- The Call for Presentations for the SANS DFIR Summit is open! Submissions will close February 24th at 5 pm CST
DFIR Summit & Training 2020
- Over on my ThinkDFIR website I shared some details on DFRWS APAC 2020! If you’re considering submitting a workshop let me know, and get your abstract in before the end of the month!
DFRWS APAC 2020!
- The CFP for VB2020, “which is to take place 30 September to 2 October in Dublin, Ireland” has opened. The deadline for the call for papers is Sunday 15 March.
The VB2020 call for papers – how it works
PRESENTATIONS/PODCASTS
- Andreas Sfakianakis at ‘Tilting at windmills’ shared his top 20 CTI presentations from last year
Top 20 CTI Presentations for 2019
- Basis Technology have made a 1-day course on Autopsy that is available free and on-demand for US Law Enforcement.
Training
- More presentations from Black Hat were shared
- Black Hills Information Security shared a few of their recent presentations
- Presentations from Bsides Belfast 2019 have been uploaded to YouTube
- Douglas Brush interviewed Mari Degrazia (last week) and Heather Mahalik (this week) on their journeys into digital forensics.
- Another episode of the Detections podcast was released
Episode 8: Basically Speaking: Incident Response
- On this week’s Digital Forensic Survival Podcast, Michael spoke about SOF ELK
DFSP # 204 – SOF ELK
- Richard Davis at 13Cubed released a video on email header analysis
Email Header Analysis and Forensic Investigation
- SANS shared David J. Bianco and Cat Self’s presentation from the 2019 Threat Hunting Summit
Evolving the Hunt: A Case Study in Improving a Mature Hunt Program – SANS Threat Hunting Summit 2019
MALWARE
- Jan Kopriva at SANS ISC examines some unique malware samples seen in 2019: a file that’s tiny, then large, then full of nothing. While the malware itself is the infostealer Pony/FareIT from February last year, the compression and delivery of the malware is an interesting takeaway.
Picks of 2019 malware – the large, the small and the one full of null bytes, (Thu, Jan 16th)
- Bitdefender shares a decryptor for Paradise ransomware
Paradise Ransomware decryption tool
- See what Satan, DBGer, and Lucky ransomware have in common at Blaze’s Security Blog
Satan ransomware rebrands as 5ss5c ransomware
- Brian Laskowski at Laskowski-Tech shared a couple of posts this week
- Brian Maloney looks more at Symantec Endpoint Protection VBN files
One of these VBNs is not like the other
- Cisco’s Talos blog has multiple posts
- Max Gannon with Steven Cardinal at Cofense shares thoughts on macros in a 15 minute podcast
Phish Fryday – Office Macros in Phishing Attacks
- Digital Shadows with an overview of Ransomware as a Service (RaaS)
Cryptonite: Ransomware’s answer to Superman…
- Xiaopeng Zhang at Fortinet looks at a phishing sample
Deep Analysis of New Metamorfo Variant Targeting Customers of Brazilian Financial Organizations
- William Peteroy with Ed Miles at Gigamon gives an Emotet overview and December 2019 changes
Emotet: Not your Run-of-the-mill Malware
- Intezer had multiple posts (and software releases, further below) this week
- Kaspersky posted about different malware threats
- Kyle Cucci at SecurityLiterate examined using hollows_hunter (based on pe-sieve) to pull process information from memory
Extracting Malware from Memory with Hollows_Hunter
- Malware Must Die! examines the FBOT Mirai variant
MMD-0065-2020 – Linux/Mirai-Fbot’s new encryption explained
- Mark McIntyre at Microsoft’s Enterprise Cybersecurity Group thinks about planning for ransomware and other scenarios
Rethinking cyber scenarios—learning (and training) as you defend
- Mike Cohen on malware hunting with Velociraptor
Hunting Malware using Mutants
- Rajdeepsinh Dodia, Amandeep Kumar, and Atinderpal Singh at Zscaler look at the PowerShell-based ransomware FTCODE
FTCODE Ransomware — New Version Includes Stealing Capabilities
- JW at Wilbus Security describes Ako Ransomware on an RDP honeypot
Ako Ransomware
MISCELLANEOUS
- Andrew Rathbun at AboutDFIR posted a couple of content updates. Thanks for the support Andrew!
- Marco Fontani at Amped shares a Tip Tuesday on Amped Replay to show how to prove that something isn’t possible.
A Good Way to Say No: Show What’s Actually There With Amped Replay
- Brett Shavers at DFIR.Training gave an update on what’s happening on his site.
What’s New at DFIR Training
- Brett also has a great post about starting with the things you don’t want to do, and putting in the work.
Eat your broccoli first
- Ariel Watson at Cellebrite shared a preview of the results of the 2020 Cellebrite Trends Survey
Rethinking Data Collection at Crime Scenes to Speed Up Case Resolution
- Brian Carrier at Cyber Triage has launched a newsletter “dedicated to helping incident response professionals be better at their jobs.”
The Cyber RespondIR
- There were a few posts on Forensic Focus this week
- Interview With Steve Davis, Director Of Business Development, Digital Discovery
- Interview With Jad Saliba, Founder & CTO, Magnet Forensics
- Interview With Jon Langton, TransPerfect Legal Solutions
- Forensic Source Identification Using JPEG Image Headers: The Case Of Smartphones
- Joe Walsh On Private Browsing Data And Teaching Digital Forensics Online
- They also continued their ‘What’s Happening In Forensics’ series
- A number of people have shared their solutions for the 2019 SANS Holiday Hack Challenge.
- Mike Dickinson at MSAB announced that they will no longer support Windows 7 in their products
End of life for Windows 7
- Richard Frawley at ADF describes the DEI settings page
Explaining the Settings Page
- Robin Moffatt shared some general advice for submitting presentations to conferences
How to win [or at least not suck] at the conference abstract submission game
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week
Weekly News Roundup — January 12 to January 18
- Robert Calvert at Security Intelligence has a post on IR tabletops
3 Lessons From the Incident Response Tabletops
- The Forensic Wiki has been reborn on a new domain
Check out @SwiftForensics’ tweet
- Brett Shavers shared the new build instructions for WinFE running on Win10
X-Ways Forensics runs in the new WinFE 10
SOFTWARE UPDATES
- Andrew Hoog at Hack 42 Labs has released a new tool, ftree, to “extract and search file structure to uncover new evidence”
Discover New Forensic Evidence With File Structure Analysis
- Cellebrite updated UFED to v7.28, adding full file system acquisition for some iOS devices via a session checkra1n jailbreak.
Perform Full File System Extraction on iOS Devices with a Built-in Solution
- Elcomsoft Cloud Explorer 2.25 was released
Elcomsoft Cloud Explorer 2.25 fixes Google Account authentication for some accounts
- Eric Zimmerman updated WxTCmd
ChangeLog
- F-Response 8 received an update
- Guy Acosta and Michael Scovetta at Microsoft Customer Security and Trust share “We use Application Inspector to identify key changes to a component’s feature set over time (version to version), which can indicate anything from an increased attack surface to a malicious backdoor.”
Introducing Microsoft Application Inspector
- SalvationData released DRS V18.7.3.309
[Software Update] Computer Forensics: DRS V18.7.3.309 New Version Release for Better User Experience!
- Sandfly 2.4.0 was released
Sandfly 2.4.0 – Reconnaissance, Splunk Support, Process Injection Detection and Containers
- Sarah Edwards at Mac4n6 took APOLLO out of Beta, and updated support for iOS 13 in various modules
New Year New APOLLO – Officially out of Beta iOS 13 Module Updates!
- TZWorks have released an update on their tools.
Jan 2020 build (package)
- Velociraptor 0.3.8 was released
Release 0.3.8
- X-Ways Forensics 19.9 SR-2 was released
X-Ways Forensics 19.9 SR-2
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!